Web SSO using Java and SAML 2.0 [closed]

Answer 1

Having recently implemented SAML authentication for an application I found the most useful information in the OASIS SAML2 technical overview document. It's very readable and contains real examples of the XML messages that are passed.

Section 5.1 describes the interaction of having YOUR application (service provider or SP) request authentication to a remote identity provider (Idp).

http://wiki.oasis-open.org/security/Saml2TechOverview

Answer 2

Providing more up to date answer since this hasn't been visited in a while:

If you're doing a spring project already I've had success with Spring Security SAML. You do not have to be securing your app with Spring Security to use the SAML extension, though it make it a bit easier.

http://projects.spring.io/spring-security-saml/

Answer 3

You could take a look at 2 products:

• JOSSO: http://www.josso.org
• OpenAM, which is a fork of Sun's OpenSSO since Oracle decided to kill it: http://forgerock.com/openam.html

Both have a rather impressive features list and offer a wide list of SSO agents.

The main benefit of the agent approach is that you don't have to care in your application about the authentication process as it is handled by the agent and the SSO infrastructure.

If you're going to develop your own SAML2 Service Provider, using OpenSAML is the way to go. The downside is that this library is not that well documented. Nevertheless you should find easily some tutorials on OpenSAML on the web.
You could implement it for example as a servlet filter, so that your application code is not tied to SAML.

Answer 4

Everything you need was at the OpenSSO site, with OpenAM as it's successor.

Answer 5

You can try the OpenSAML project; it provides a Java library for creating and validating SAML tokens.

Answer 6

http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring/oio-saml-java