It would be nice to allow for a custom signer in OpenSamlAuthenticationRequestFactory. This would simplify delegating the signing to a separate service.
It's not yet clear how best to expose this functionality since signing patterns are different for HTTP-Redirect and HTTP-POST bindings.
For the redirect binding, one signs a query string composed of the serialized <saml2:AuthnRequest>, the signature algorithm, and any relay state.
For the post binding, one signs the XML payload and embeds the signature into the payload.
As use cases come in, it should become clearer what the contract should look like.
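
The redirect-binding case described above, as an added example that is not part of the original issue or of Spring Security's code. `QuerySigner` is a hypothetical contract, and the key, relay state and AuthnRequest are constructed for the demo; the local RSA signer stands in for a call to a separate signing service.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

public class RedirectSigningExample {
    // Hypothetical contract: signs exactly the bytes it is given (remote service, HSM, local key).
    interface QuerySigner { byte[] sign(byte[] content) throws Exception; }

    static final String SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Redirect binding encoding: raw DEFLATE (no zlib header), then Base64.
    static String deflateAndEncode(String xml) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (DeflaterOutputStream d = new DeflaterOutputStream(out, new Deflater(Deflater.DEFLATED, true))) {
            d.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    // The signed content has a fixed order: SAMLRequest, RelayState if present, then SigAlg.
    static String signedContent(String xml, String relayState) throws Exception {
        StringBuilder q = new StringBuilder("SAMLRequest=").append(enc(deflateAndEncode(xml)));
        if (relayState != null) q.append("&RelayState=").append(enc(relayState));
        return q.append("&SigAlg=").append(enc(SIG_ALG)).toString();
    }

    // The signer sees only the query-string bytes; the XML itself carries no <ds:Signature>.
    static String signedQuery(String xml, String relayState, QuerySigner signer) throws Exception {
        String content = signedContent(xml, relayState);
        byte[] sig = signer.sign(content.getBytes(StandardCharsets.UTF_8));
        return content + "&Signature=" + enc(Base64.getEncoder().encodeToString(sig));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway demo key
        QuerySigner local = bytes -> {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(kp.getPrivate()); s.update(bytes);
            return s.sign();
        };
        String xml = "<saml2p:AuthnRequest xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_constructed\" Version=\"2.0\"/>";
        System.out.println(signedQuery(xml, "constructed-relay-state", local));
    }
}
```

For the POST binding the same byte-level contract does not apply directly, because the signature is computed over canonicalized XML and embedded in the document rather than appended to a query string.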