Speaking as someone who has built a SAML IdP from scratch, building one in Java mainly involves these things:
1. Server application that listens for SAML requests, usually on port 443. You could use spring-boot for this.
2. Server code to present authentication pages to users the IdP manages. LDAP is a much used way of authenticating a user.
3. Server code to extract attributes for the authenticated user. This could be an LDAP lookup to find attributes such as first name, surname, email etc.
4. Server code to decide which attributes can be released to the requesting SP. You would use the SP's entityID for this.
5. Server code to translate user attributes (e.g. from LDAP) to SAML attributes and send to the SP.

1 and 4 require parsing and creating SAML. You can use openSAML for those.

5 requires a SAML attribute schema the SP is likely to understand. You can use eduPerson for this.

Working with SAML and an SP requires a knowledge and implementation of various SAML profiles. Web Browser SSO is one that is used a lot. You can read about the profiles here.

Once you understand SAML and where it fits in the process, you need to understand/implement XMLSignature and various encryption topics using PKI.

Once you have a working, tested IdP implementation, you then need to be able to parse SAML Metadata (PDF) to validate an SP using its public key certificate and various other urls in its metadata. You also need to keep the SP metadata up to date, as well as creating the IdP metadata to send to the SP so it can validate your SAML Response, which you will sign.
If the ROI isn't worth that amount of development, you can use the 'standard' IdP.
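As an added illustration of items 4 and 5 above (this is not the answer author's code and does not use OpenSAML, only the JDK's DOM API): a default-deny attribute release policy keyed on the SP's entityID, and a translation of LDAP attribute names into the eduPerson/LDAP OID URIs that SPs commonly understand, rendered as a saml2:AttributeStatement. The entityIDs, the LDAP entry and the policy contents are constructed sample values; it needs Java 11 or later.

```java
import java.io.StringWriter;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Illustrative attribute release for a SAML IdP (plain JDK, not OpenSAML):
 * filter a user's LDAP attributes by a per-SP policy, then render the
 * survivors as a saml2:AttributeStatement using eduPerson/LDAP OID names.
 */
public class AttributeRelease {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

    // LDAP attribute -> {SAML Name (OID URI), FriendlyName}. These OIDs are the
    // standard eduPerson / inetOrgPerson identifiers most SPs already map.
    static final Map<String, String[]> LDAP_TO_SAML = Map.of(
        "givenName",                  new String[]{"urn:oid:2.5.4.42", "givenName"},
        "sn",                         new String[]{"urn:oid:2.5.4.4", "sn"},
        "mail",                       new String[]{"urn:oid:0.9.2342.19200300.100.1.3", "mail"},
        "eduPersonPrincipalName",     new String[]{"urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "eduPersonPrincipalName"},
        "eduPersonScopedAffiliation", new String[]{"urn:oid:1.3.6.1.4.1.5923.1.1.1.9", "eduPersonScopedAffiliation"});

    // Release policy keyed by SP entityID (constructed sample values). An SP with
    // no entry receives no attributes at all: default deny, least privilege.
    static final Map<String, Set<String>> RELEASE_POLICY = Map.of(
        "https://sp.example.org/shibboleth", Set.of("eduPersonPrincipalName", "mail", "givenName", "sn"),
        "https://library.example.org/sp",   Set.of("eduPersonScopedAffiliation"));

    /** Keeps only the LDAP attributes the policy allows for this SP and that have a SAML mapping. */
    static Map<String, List<String>> filter(String spEntityId, Map<String, List<String>> ldapAttrs) {
        Set<String> allowed = RELEASE_POLICY.getOrDefault(spEntityId, Set.of());
        Map<String, List<String>> released = new TreeMap<>();
        for (Map.Entry<String, List<String>> e : ldapAttrs.entrySet()) {
            if (allowed.contains(e.getKey()) && LDAP_TO_SAML.containsKey(e.getKey())) {
                released.put(e.getKey(), e.getValue());
            }
        }
        return released;
    }

    /** Renders released attributes as a saml2:AttributeStatement, one saml2:Attribute per LDAP attribute. */
    static Document buildStatement(Map<String, List<String>> released) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element stmt = doc.createElementNS(SAML2_NS, "saml2:AttributeStatement");
        stmt.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:saml2", SAML2_NS);
        doc.appendChild(stmt);
        for (Map.Entry<String, List<String>> e : released.entrySet()) {
            String[] names = LDAP_TO_SAML.get(e.getKey());
            Element attr = doc.createElementNS(SAML2_NS, "saml2:Attribute");
            attr.setAttribute("Name", names[0]);
            attr.setAttribute("NameFormat", URI_NAME_FORMAT);
            attr.setAttribute("FriendlyName", names[1]);
            // Multi-valued LDAP attributes become several AttributeValue children.
            for (String value : e.getValue()) {
                Element val = doc.createElementNS(SAML2_NS, "saml2:AttributeValue");
                val.setTextContent(value);
                attr.appendChild(val);
            }
            stmt.appendChild(attr);
        }
        return doc;
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed LDAP entry. telephoneNumber and employeeNumber appear in no
        // policy, so they never leave the IdP regardless of which SP is asking.
        Map<String, List<String>> ldapEntry = Map.of(
            "givenName", List.of("Jane"), "sn", List.of("Doe"),
            "mail", List.of("jane.doe@example.org"),
            "eduPersonPrincipalName", List.of("jdoe@example.org"),
            "eduPersonScopedAffiliation", List.of("member@example.org", "staff@example.org"),
            "telephoneNumber", List.of("+1 555 0100"), "employeeNumber", List.of("4711"));

        for (String sp : List.of("https://sp.example.org/shibboleth",
                                 "https://library.example.org/sp",
                                 "https://unknown.example.net/sp")) {
            Map<String, List<String>> released = filter(sp, ldapEntry);
            System.out.println("== " + sp + " -> " + released.keySet());
            System.out.println(serialize(buildStatement(released)));
        }
    }
}
```

The unknown SP gets an empty AttributeStatement rather than everything, which is the property worth testing for in an IdP: a new SP has to be added to the policy before it receives anything. In a real deployment the policy comes from configuration rather than constants, and the statement is placed inside the Assertion of the Response that you sign.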