I have a very simple Java web app where I can manage user registration and authentication. I want this application to act as a SAML identity provider. Then I'm going to create another simple web app, which would require the user to be authenticated before he can use it. So basically I want my first app to be the IdP and my second app to be the service provider. The workflow should be like this: the user goes to app2. App2 redirects the user to app1, where the user gets authenticated. If authentication is successful, app1 redirects the user to app2, where he has full access. I am relatively new to SAML. Is there any tutorial that would help me do it painlessly?
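The redirect workflow described in the question is the SP-initiated SAML Web Browser SSO profile. The following is an added, constructed example (not code from the asker or from any SAML library) that simulates the three steps in one process: app2 builds an AuthnRequest and remembers its ID, app1 authenticates the user and answers with a Response carrying an Assertion, and app2 verifies that Response before trusting the NameID in it. Entity IDs, URLs, the user store and the key are made up; an HMAC over the base64 response stands in for the XML Signature an IdP would produce with its certificate, so the verification checks that matter for security (signature, InResponseTo, Destination, Issuer, Audience, validity window, one-time use of the request ID) stay readable.

```python
"""SP-initiated SAML Web Browser SSO between app2 (SP) and app1 (IdP), simulated in-process.
Constructed example: entity IDs, URLs, user store and the signing key are made up."""
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "https://app1.example/idp"   # assumed entity IDs and endpoint
SP_ENTITY_ID = "https://app2.example/sp"
ACS_URL = "https://app2.example/saml/acs"
# Stand-in for the IdP signing certificate: real SAML uses XML Signature (e.g. RSA);
# here an HMAC over the base64 response keeps the verification logic short.
SHARED_KEY = b"demo-only-shared-key"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def now():
    return datetime.now(timezone.utc)


def sign(payload: str) -> str:
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """app2: needs the user authenticated and delegates that to app1."""

    def __init__(self):
        self.pending = {}  # AuthnRequest ID -> page to return to (kept in the user's session)

    def start_login(self, return_to):
        """Step 1: build an AuthnRequest, remember its ID, redirect the browser to app1."""
        req_id = "_" + uuid.uuid4().hex
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0", "IssueInstant": now().strftime(TIME_FMT),
            "AssertionConsumerServiceURL": ACS_URL})
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
        self.pending[req_id] = return_to
        return {"SAMLRequest": base64.b64encode(ET.tostring(req)).decode(), "RelayState": req_id}

    def consume_response(self, form):
        """Step 3: app1 posts the Response to the ACS; verify everything before trusting NameID."""
        raw = form["SAMLResponse"]
        if not hmac.compare_digest(sign(raw), form["Signature"]):
            raise ValueError("signature check failed")
        resp = ET.fromstring(base64.b64decode(raw))
        req_id = resp.get("InResponseTo")
        if req_id not in self.pending:
            raise ValueError("unsolicited or replayed response")  # each request ID is accepted once
        if resp.get("Destination") != ACS_URL:
            raise ValueError("response addressed to a different endpoint")
        assertion = resp.find(f"{{{SAML}}}Assertion")
        if assertion.find(f"{{{SAML}}}Issuer").text != IDP_ENTITY_ID:
            raise ValueError("assertion from an unknown IdP")
        cond = assertion.find(f"{{{SAML}}}Conditions")
        if cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience").text != SP_ENTITY_ID:
            raise ValueError("assertion not addressed to this SP")
        not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
        if not (not_before <= now() < not_after):
            raise ValueError("assertion outside its validity window")
        user = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text
        return user, self.pending.pop(req_id)


class IdentityProvider:
    """app1: owns registration and authentication, answers AuthnRequests."""

    def __init__(self, users):
        self.users = users  # username -> password, constructed (a real app stores hashes)

    def handle_request(self, params, username, password):
        """Step 2: authenticate the user, then issue a signed Response for the SP that asked."""
        if self.users.get(username) != password:
            raise PermissionError("authentication failed")
        req = ET.fromstring(base64.b64decode(params["SAMLRequest"]))
        t = now()
        resp = ET.Element(f"{{{SAMLP}}}Response", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": t.strftime(TIME_FMT),
            "InResponseTo": req.get("ID"), "Destination": req.get("AssertionConsumerServiceURL")})
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": t.strftime(TIME_FMT)})
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = username
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
            "NotBefore": (t - timedelta(seconds=30)).strftime(TIME_FMT),   # small clock-skew slack
            "NotOnOrAfter": (t + timedelta(minutes=5)).strftime(TIME_FMT)})
        ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                      f"{{{SAML}}}Audience").text = req.find(f"{{{SAML}}}Issuer").text
        raw = base64.b64encode(ET.tostring(resp)).decode()
        return {"SAMLResponse": raw, "Signature": sign(raw), "RelayState": params["RelayState"]}


def run_sso(username, password, return_to="/dashboard"):
    """Whole flow: app2 -> app1 (login) -> app2. Returns (user, page) on success."""
    sp, idp = ServiceProvider(), IdentityProvider({"alice": "correct-horse"})
    redirect = sp.start_login(return_to)                      # browser is sent to app1 with this
    form = idp.handle_request(redirect, username, password)   # app1 posts this back to app2's ACS
    return sp.consume_response(form)


if __name__ == "__main__":
    print(run_sso("alice", "correct-horse"))  # ('alice', '/dashboard')
```

The part worth keeping in mind when moving to a real toolkit is `consume_response`: a response that replays an already-used request ID, carries a foreign Audience, or arrives outside its validity window is rejected even though its signature is valid, and the signature itself is compared in constant time.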
Have a look at Shibboleth, which is a ready-to-use implementation of a SAML identity provider. The fact that you already have an application which you want to act as the identity provider offers you two options:
SAML isn't very painless; furthermore, it's a comprehensive standard which acted as an example for other, simpler standards like OpenID or OAuth (they have some principles in common, but are much simpler for sure). It's pretty much the same story as it was with CORBA vs. Java RMI.
Here is a good starting point to gain some basic understanding of what is done when using the SAML Web Browser SSO Profile:
There are two parts to your question.
You want:
Writing an STS is a non-trivial issue. You may be better off using an existing implementation. OpenAM is another possibility. It supports a number of options for identity repositories.
In terms of the client, refer to SAML: SAML connectivity / toolkit.