What is the point of OpenSAML? Any alternative?

Question

I'm currently working on setting up a SAML IDP. At first, I thought spring-security-saml would help me, but I figured out that it only helps on setting up the SP side of the SAML protocol.

So I thought: let's go, let's use OpenSAML to make it.

And here comes the question: what does that library actually do? I understand this is a low-level library, but I don't get what is the point of it. I do not find neither good tutorial nor documentation and I feel like I just bought some IKEA furniture without the screws and without the manual.

Although, I saw a lot of interesting stuff like the decoders (HTTPPostDecoder), which get me an SAML object from an HTTP request, I don't know if a should manually check this object against the IDP metadata or if OpenSAML can check it automatically (I assume it cannot).

From there, I'm kind of lost in all these OpenSAML objects, I don't know which ones I should use and which ones I don't have to.

Just for instance, I tried to generate metadata from scratch, but I didn't find any default configuration that I could use out of the box and I end up with just one XML tag for 10 lines of code, so I don't get what is the real value of this library.

Could someone enlighten me about what OpenSAML do and does not do? Is there some good practice, helpers library that could wrap it and actually help me (or any alternative) or good tutorial that I didn't find yet? I think this definitely do something, but I can't get what and how...

Thank you by advance for your help!

Answer 1

as you can read ad https://wiki.shibboleth.net/confluence/display/OpenSAML/Home

OpenSAML is a library to handle the low-level SAML protocol stuff. It's not an IdP. An IdP also has to provide you with means for authentication, potentially user profile management.

There are many SAMLv2 IdPs available, like Shibboleth, JBoss PicketLink, ForgeRock OpenAM, Ping Federate; some are free of charge some are commercial