Как добавить SignatureValue и KeyInfo в ответ OpenSaml3?

В OpenSAML 2.5 я использовал следующий код для создания утверждения SAML с данными сертификата безопасности:

        Credential signingCredential = sign.getSigningCredential();

        Signature signature = null;

        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCredential);

        // This is also the default if a null SecurityConfiguration is
        // specified
        SecurityConfiguration secConfig = Configuration
                .getGlobalSecurityConfiguration();

        try {
            SecurityHelper.prepareSignatureParams(signature,
                    signingCredential, secConfig, null);
        } catch (SecurityException e) {
            e.printStackTrace();
        } catch (org.opensaml.xml.security.SecurityException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }


        SsoSamlWriter samlWriter = new SsoSamlWriter(ssoData);
        Assertion assertion = samlWriter.buildSamlAssertion();

Выдержка из сообщения SAML:

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#514131e4-8ef0-469c-b8b0-a185b874320e">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>fmIxhw8sGFU/J3SWDk5BnBCKRog=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>HOHkf...pqj2w==</ds:SignatureValue>
            <KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIID...6BS9K
L/SvOZxWrA==</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>

Я пытаюсь обновить этот код до OpenSAML 3.2, и мне удалось сгенерировать сообщение SAML, но я не знаю, как прикрепить подробные данные сертификата безопасности. Есть ли у кого-нибудь пример кода для добавления деталей SignatureValue и X509Certificate в утверждение SAML?

Код OpenSAML 3.2, который у меня есть:

Credential signingCredential = sign.getSigningCredential();
SsoSamlWriter samlWriter = new SsoSamlWriter(ssoData);
Assertion assertion = samlWriter.buildSamlAssertion();

Signature signature = SAMLUtils.buildSAMLObject(Signature.class);
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

// Need to supply an org.opensaml.security.credential.Credential;
signature.setSigningCredential(signingCredential);
assertion.setSignature(signature);

try {
    XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
} catch (MarshallingException e) {
    throw new RuntimeException(e);
}

try {
    Signer.signObject(signature);
} catch (SignatureException e) {
    throw new RuntimeException(e);
}

// Wrap assertion in SAML Response
ResponseBuilder responseBuilder = new ResponseBuilder();
Response samlResponse = responseBuilder.buildObject();

// Build an Issuer object
Issuer issuer = SAMLUtils.buildSAMLObject(Issuer.class);
issuer.setValue(ssoIssuerName);
issuer.setSPProvidedID(ssoUrlSuffix);

// Add NameID element to assertion with Oasis Employee SSN
Subject subject = new SubjectBuilder().buildObject();
NameID nameID = new NameIDBuilder().buildObject();
nameID.setValue(empSsn);
nameID.setFormat(NameIDType.X509_SUBJECT);
subject.setNameID(nameID);
assertion.setSubject(subject);      

String responseIdStr = UUID.randomUUID().toString();
assertion.setID(responseIdStr);
samlResponse.setID(responseIdStr);
samlResponse.setIssueInstant(new DateTime());
samlResponse.setIssuer(issuer);
samlResponse.setVersion(SAMLVersion.VERSION_20);
samlResponse.setStatus(samlWriter.createStatus());
samlResponse.getAssertions().add(assertion);

ResponseMarshaller marshaller = new ResponseMarshaller();
Element plain = marshaller.marshall(samlResponse);
String samlResponseStr = XMLHelper.nodeToString(plain);

// Remove ds: prefix from <ds:KeyInfo> elements
// stegre => Accomodate bug on CIC side, remove this line eventually
samlResponseStr = samlResponseStr.replaceAll("ds:KeyInfo", "KeyInfo");

System.out.println("");
System.out.println("SAML Response: ");
System.out.println(samlResponseStr);
System.out.println("");

Результирующее SAML-сообщение:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="356498c8-036d-41b1-9602-89fa90e40331" IssueInstant="2016-10-12T15:15:23.987Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer SPProvidedID="OasisAdvantage" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">OasisAdvantage</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="356498c8-036d-41b1-9602-89fa90e40331" IssueInstant="2016-10-12T15:15:20.442Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer SPProvidedID="OasisAdvantage">OasisAdvantage</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#356498c8-036d-41b1-9602-89fa90e40331">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue/>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue/>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">OasisUser</saml2:NameID>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-10-12T15:15:20.442Z" NotOnOrAfter="2016-10-12T15:20:20.442Z"/>
        <saml2:AuthnStatement AuthnInstant="2016-10-12T15:15:20.566Z" SessionNotOnOrAfter="2016-10-12T15:15:20.581Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="companyid">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">OasisAdvantage</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>