8

I'm currently working on setting up a SAML IDP. At first, I thought spring-security-saml would help me, but I figured out that it only helps on setting up the SP side of the SAML protocol.

So I thought: let's go, let's use OpenSAML to make it.

And here comes the question: what does that library actually do? I understand this is a low-level library, but I don't get what the point of it is. I can find neither a good tutorial nor documentation, and I feel like I just bought some IKEA furniture without the screws and without the manual.

Although I saw a lot of interesting stuff like the decoders (HTTPPostDecoder), which get me a SAML object from an HTTP request, I don't know if I should manually check this object against the IDP metadata or if OpenSAML can check it automatically (I assume it cannot).

From there, I'm kind of lost in all these OpenSAML objects; I don't know which ones I should use and which ones I don't have to.

Just for instance, I tried to generate metadata from scratch, but I didn't find any default configuration that I could use out of the box, and I ended up with just one XML tag for 10 lines of code, so I don't get what the real value of this library is.

Could someone enlighten me about what OpenSAML does and does not do? Is there some good practice, a helper library that could wrap it and actually help me (or any alternative), or a good tutorial that I didn't find yet? I think this definitely does something, but I can't get what and how...

Thank you in advance for your help!

sjahan
  • Good book - https://gumroad.com/l/a-guide-to-opensaml – rbrayb Feb 01 '16 at 20:57
  • What did you end up going with in the end? I find myself in a similar situation. I'm considering Shibboleth with external Authentication, but it comes with its own can of security worms. – noob Mama Aug 24 '17 at 00:12
  • At the end of it, I read the SAML specification, and the conclusion is that it was a lot of work to make a SAML implementation from scratch, so the project has been put on standby and, for now, never resumed. It would take a good team and a good amount of time to read the specification and implement the main use cases, and I didn't have the resources at that time. – sjahan Jun 18 '18 at 14:15
  • OpenSAML is actually good for creating XML assertions correctly with all the proper attributes and, what is more important, helps with doing all the signing correctly. It would be really difficult to do it correctly yourself. I used it myself for creating an IdP. But, yeah, the documentation could be better. Shibboleth is easier if your use case is covered by what it offers, but if it does not then you have to do a lot of customization, and in that situation OpenSAML could actually be easier for the XML part. But beware - creating an IdP from scratch is a lot of work. – Kirill G. Nov 09 '18 at 05:06
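The question above asks whether a decoded SAML message must be checked against metadata by hand, and Kirill G.'s comment notes that signature handling is where OpenSAML earns its keep. The following is an added example, not code from the question, the answer or the OpenSAML project: using the OpenSAML 3 API, it unmarshalls a signed message received by an IdP (an AuthnRequest) and the sending SP's metadata, and verifies the signature only against the signing certificates published in that trusted metadata, never against a certificate embedded in the message's own KeyInfo. The class name, method names and the assumption that the caller supplies both documents as XML strings are mine.

```java
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.util.*;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;
public class MetadataSignatureCheck {   // hypothetical class name, not part of OpenSAML
    // OpenSAML must be bootstrapped once before any unmarshaller or validator is used.
    static { try { InitializationService.initialize(); } catch (Exception e) { throw new ExceptionInInitializerError(e); } }
    /** Parse SAML XML (a message or a metadata document) into the OpenSAML object model. */
    static XMLObject unmarshall(String xml) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.initialize();
        Element root = pool.parse(new StringReader(xml)).getDocumentElement();
        return XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }
    /** Signing certificates the SP published in its metadata (use="signing" or no use attribute). */
    static List<X509Certificate> signingCerts(EntityDescriptor sp) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (KeyDescriptor kd : sp.getSPSSODescriptor(SAMLConstants.SAML20P_NS).getKeyDescriptors()) {
            if (kd.getUse() == null || kd.getUse() == UsageType.SIGNING) certs.addAll(KeyInfoSupport.getCertificates(kd.getKeyInfo()));
        }
        return certs;
    }
    /** Throws unless the message is signed and the signature verifies with a key from the trusted metadata. */
    static void verify(SignableSAMLObject message, EntityDescriptor sp) throws Exception {
        Signature sig = message.getSignature();
        if (sig == null) throw new SignatureException("message is not signed");
        new SAMLSignatureProfileValidator().validate(sig);   // enveloped signature, single reference to the parent, no odd transforms
        for (X509Certificate cert : signingCerts(sp)) {
            try { SignatureValidator.validate(sig, new BasicX509Credential(cert)); return; }   // verified with a published key
            catch (SignatureException e) { /* not this key; try the next one published in the metadata */ }
        }
        throw new SignatureException("signature does not verify with any key in the SP metadata");
    }
}
```

A passing signature check only proves who signed the message; the IdP still has to compare the Issuer with the metadata entityID, check Destination and IssueInstant, and apply its own policy before issuing an assertion. The same pattern verifies an IdP's Response on the SP side by reading the IDPSSODescriptor instead.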

1 Answer

4

As you can read at https://wiki.shibboleth.net/confluence/display/OpenSAML/Home:

OpenSAML is a library to handle the low-level SAML protocol stuff. It's not an IdP. An IdP also has to provide you with means for authentication, potentially user profile management.

There are many SAMLv2 IdPs available, like Shibboleth, JBoss PicketLink, ForgeRock OpenAM, Ping Federate; some are free of charge, some are commercial.

Bernhard Thalmayr
  • Thank you for your answer. I figured out that it was really low-level. It would not bother me to use it if the documentation was a little bit more end-user friendly. I basically know three of the IDPs you mentioned. OpenAM is excluded; I work with it and I really hate the way it is developed. Ping is commercial, so it's excluded too. I tried to take a peek at Shibboleth; we'll see. Do you think I can just reuse the SAML part to integrate it into my IDP? I also started to look at the SAML part of the CAS server, which could be a good lead! – sjahan Feb 02 '16 at 08:28
  • Shibboleth can act as SAMLv2 IdP ... if you mean this by >reuse the SAML part to integrate it to my IDP – Bernhard Thalmayr Feb 02 '16 at 20:32
  • Well, what I want in the end is a single application, so I'd like to be able to embed the Shibboleth IDP into my application and not have to install it alongside my application. – sjahan Feb 03 '16 at 10:44
  • I'm sorry but I do not get the use case. IdP and SP delivered by the same app? – Bernhard Thalmayr Feb 03 '16 at 16:06
  • Nope, just the IDP. I just want it to be inside my application and not have to install a standalone IDP. – sjahan Feb 04 '16 at 09:29