
Re: Orchestrator REST API & principal holder-of-key token


Hi,

 

You are almost there, the token in the Authorization header should follow this:

Authorization: SIGN token="...",
                    nonce="137131200:dj83hs9s",
                    bodyhash="k9kbtCIy0CkI3/FEfpS/oIDjk6k=",
                    signature_alg="RSA-SHA256",
                    signature="..."

Where:
token: REQUIRED. The SAML2 token identifying the caller. The value is calculated as BASE64(GZIP(SAML2)).
nonce: REQUIRED. A unique string generated by the client allowing the server to identify replay attacks and reject such requests. The strings must be unique across all requests of a single client. The definition is as specified in Section 3.1 of draft-ietf-oauth-v2-http-mac with one difference - the first component should be the current time expressed in the number of seconds since January 1, 1970 00:00:00 GMT with no leading zeros.
bodyhash: OPTIONAL. A hash value computed as described in Section 3.2 of draft-ietf-oauth-v2-http-mac over the entire HTTP request entity body (as defined in Section 7.2 of RFC 2616). Note that the body hash may be missing only if there is no request body, i.e. empty body. Otherwise it is required.
signature_alg: REQUIRED. The signature algorithm used by the client to sign the request. This proposal defines "RSA-SHA256", "RSA-SHA384" and "RSA-SHA512". More algorithms could be added in future.
signature: REQUIRED. A message signature calculated over the normalized request as BASE64(signature-algorithm(private key, request)). The request normalization is done as defined in Section 3.3.1 of draft-ietf-oauth-v2-http-mac with two exceptions - (a) the body hash is included without BASE64 applied and (b) no "ext" field is appended. All text based fields in the normalized request are encoded in UTF-8.
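
The field rules above, as an added example that is not part of the original post and is not VMware code: Python that builds the token and nonce values and checks the fields of a received SIGN header, including the replay and body-hash rules. It does not compute or verify the signature; the function names and the in-memory set used to track nonces are assumptions.

```python
import base64, gzip, re, secrets, time

ALLOWED_ALGS = {"RSA-SHA256", "RSA-SHA384", "RSA-SHA512"}
REQUIRED = ("token", "nonce", "signature_alg", "signature")
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')   # name="value" pairs

def encode_token(saml_xml: bytes) -> str:
    """token = BASE64(GZIP(SAML2))."""
    return base64.b64encode(gzip.compress(saml_xml)).decode("ascii")

def make_nonce(now=None) -> str:
    """<seconds since 1970, no leading zeros>:<random string>."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{secrets.token_hex(8)}"

def check_sign_header(header: str, body: bytes, seen: set) -> list:
    """Return the list of field problems (empty list = well formed).
    `seen` is an assumed per-client store of nonces already accepted."""
    scheme, _, rest = header.partition(" ")
    if scheme != "SIGN":
        return ["scheme is not SIGN"]
    p = dict(PARAM_RE.findall(rest))
    errs = [f"missing {k}" for k in REQUIRED if not p.get(k)]
    # bodyhash may be absent only when the request body is empty
    if body and not p.get("bodyhash"):
        errs.append("bodyhash required for non-empty body")
    if p.get("signature_alg") and p["signature_alg"] not in ALLOWED_ALGS:
        errs.append("unsupported signature_alg")
    nonce = p.get("nonce", "")
    if nonce:
        if not re.fullmatch(r"[1-9]\d*:.+", nonce):
            errs.append("malformed nonce")
        elif nonce in seen:
            errs.append("nonce replayed")
        else:
            seen.add(nonce)
    if p.get("token"):
        try:
            gzip.decompress(base64.b64decode(p["token"], validate=True))
        except Exception:
            errs.append("token is not BASE64(GZIP(...))")
    return errs
```
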
