Identity Provider Implementation with SAML V2 and Java - single-sign-on

After successfully implementing a SAML V2 Service Provider (SP), I now have to implement my own SAML 2 IdP to support a specific use case. After going through the OASIS documentation and many other sources on the SAML protocol, I have started implementing it.
My use case is just a single profile (Web Browser SSO Profile) with SP-initiated SSO, Redirect Binding only.
I am looking for a lean third-party library or Java-based implementation which I can refer to or use to speed up the implementation and customize on top of.
I would love any recommendation or suggestion in this direction.
To be specific, I'm looking for any/all of the below:
An easy-to-use open-source library for implementing a SAML V2 Identity Provider in Java.
Detailed documentation/specification for the above profile.
Any advice from experts who have past experience implementing such an IdP.
There is lots of material available for SPs. However, there is very little for IdPs, and what exists is complex.
Some of the Java-based implementations which I am already looking at are Keycloak and Lite-IdP.

"Very few and complex" is true because building a real-world identity provider is a serious project. OpenSAML as the library is your best option in Java - many enterprise-grade implementations that we know about are built with it. A good, stripped-down example of how to use OpenSAML in IdP context is https://github.com/OpenConext/Mujina .
Lite IdP is written in Go. If you're open to non-Java options, SimpleSAMLphp is excellent, it's certainly better documented than many others.
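As an added example (my own code, not from the question, the answer above, OpenSAML or Mujina), here is the SP-initiated HTTP-Redirect binding from both sides in plain JDK Java: the SP deflates, Base64-encodes and URL-encodes the AuthnRequest onto the IdP sign-in URL, and the IdP reverses that with a size cap, parses the XML with DTDs disabled, and rejects any AssertionConsumerServiceURL that is not registered for the SP. The ACS URL, IdP URL and AuthnRequest are constructed sample values; signature verification of the SigAlg/Signature query parameters is assumed to happen elsewhere.

```java
import java.io.*;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;
import java.util.zip.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

public class RedirectBindingDemo {
    // Constructed sample: the single ACS URL this IdP has registered for the SP (hypothetical value).
    static final Set<String> REGISTERED_ACS = Set.of("https://sp.example.com/saml/acs");
    static final int MAX_REQUEST_BYTES = 64 * 1024; // cap on the inflated request (inflate-bomb guard)

    // SP side of the HTTP-Redirect binding: raw DEFLATE, Base64, URL-encode, append as SAMLRequest.
    static String buildRedirectUrl(String idpSsoUrl, String authnRequestXml) throws IOException {
        ByteArrayOutputStream deflated = new ByteArrayOutputStream();
        try (DeflaterOutputStream dos = new DeflaterOutputStream(deflated,
                new Deflater(Deflater.DEFAULT_COMPRESSION, true))) { // nowrap: no zlib header
            dos.write(authnRequestXml.getBytes(StandardCharsets.UTF_8));
        }
        String b64 = Base64.getEncoder().encodeToString(deflated.toByteArray());
        return idpSsoUrl + "?SAMLRequest=" + URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    // IdP side: decode with a size cap, parse with DTDs disabled (blocks XXE), and refuse any ACS URL
    // not registered for this SP. Verifying SigAlg/Signature against the SP certificate is not shown.
    static String decodeAndCheckAcs(String samlRequestParam) throws Exception {
        byte[] raw = Base64.getDecoder().decode(URLDecoder.decode(samlRequestParam, StandardCharsets.UTF_8));
        byte[] xml;
        try (InflaterInputStream in = new InflaterInputStream(new ByteArrayInputStream(raw), new Inflater(true))) {
            xml = in.readNBytes(MAX_REQUEST_BYTES + 1); // a truncated stream throws EOFException here
        }
        if (xml.length > MAX_REQUEST_BYTES) throw new SecurityException("inflated request too large");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        String acs = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml))
            .getDocumentElement().getAttribute("AssertionConsumerServiceURL");
        if (!REGISTERED_ACS.contains(acs)) throw new SecurityException("unregistered ACS URL: " + acs);
        return acs;
    }
    public static void main(String[] args) throws Exception {
        String req = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\""
            + " Version=\"2.0\" AssertionConsumerServiceURL=\"https://sp.example.com/saml/acs\"/>";
        String url = buildRedirectUrl("https://idp.example.com/sso", req);
        System.out.println(decodeAndCheckAcs(url.substring(url.indexOf('=') + 1)));
    }
}
```

Changing the constructed ACS URL in the AuthnRequest to one not in REGISTERED_ACS makes decodeAndCheckAcs throw, which is the behaviour an IdP needs so that assertions are only ever posted to endpoints the SP registered.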

I'd post it as a comment, but I don't have enough reputation.
But here you have almost the same question, regarding Spring SAML:
using-spring-saml-as-an-idp-rather-than-an-sp
Take a look at Vladimir's answer; I think it's what you're looking for. Here is the link suggested by him.
Cheers

Related

How is Microsoft.IdentityModel.Tokens.Saml used?

I am looking to implement single sign-on functionality into an existing ASP.NET MVC 5 web application using SAML 2.0. My team and I have looked into a few different NuGet packages to help us get started with this implementation. We already have the IdP and metadata file, but now just need to implement the SSO functionality into our project.
We came across the Microsoft.IdentityModel.Tokens.Saml package and were interested in using this to set up our SAML configuration but have not been able to find any documentation on how this is actually implemented. I was wondering what is this package typically used for and can it be used to handle SAML requests and responses for the implementation of SSO functionality into a web application or should we look into using a different package? Thanks!
This package is for handling SAML assertion security tokens. It's not for handling the SAML SSO protocol. The WS-Trust protocol supports a number of different security token types including SAML assertions. The Microsoft.IdentityModel.Tokens.Saml package provides this support. SAML SSO also uses SAML assertions but is a completely different protocol from WS-Trust.
You'll find there are a number of open source implementations of the SAML v2.0 specification as well as our commercial offering.

Adding minimal SAML support for ISV

We are an ISV building an enterprise SaaS product.
We would like to enable our customers to define their IDP SAML configuration.
We are a startup and would like to support SAML as leanly as possible.
1. What is the minimal configuration needed to support the major IDPs?
After reading Okta's article, I understand that these are a must:
Certificate
IDP Sign-in URL
Say that we use a single ACS endpoint (we will implement our own logic by looking at the SAML assertion).
Is there anything else mandatory?
What about bindings? Do all major IDPs support HTTP redirect?
2. What is needed to be defined on the IDP side?
We tend to use the HTTP redirect binding; should it work with most IDPs? Is a metadata endpoint important?
As for "what is required": in many cases, you will have to generate a so-called "metadata.xml" file to provide the information to the vendor, so that they can set up a testing environment for you.
I've implemented about 5 SAML integrations with different vendors so far. The truth is that not all of them require the full-fledged SAML 2.0 standard, but some of them do. I think my article should also be helpful to you https://dev.to/optiklab/working-example-of-saml-single-sign-on-integration-using-c-39mb and my open-sourced SAML integration project (https://github.com/optiklab/SAML-integration-utilities) contains both a metadata file generator and C# examples for forming both SAML responses and assertions. They have proven to work with many vendors, like Ping Identity, etc.
Let me know if you have more specific questions.

SAML: How to implement SSO (single sign-on) for a web application

I have searched a lot for good documentation on how to implement SSO, as I am a beginner in this field, but I got confused by the documentation available online. Is there any documentation that can help direct me on:
how to create/configure an IDP and SP, and how to implement SSO?
My web application uses Java 8, AngularJS, JSP, Spring (with annotations), Hibernate, Maven and JBoss.
I appreciate your time in advance.
Your question is kind of broad, which makes it hard to give a definitive answer. Perhaps knowing better what to research may help. Please let me try:
Your web application will be an SP. Thus, you don't need to research how to implement an IdP.
You will need at least one IdP to test SSO for your application. Therefore, find out what IdP you want to use and research how to set it up as well as how to configure a service provider trust against it.
What is the protocol you want to use for SSO? Is it SAML 2.0, WS-Fed, OAuth2, OpenID Connect or something else? Pick one.
Research a good library that you can use to implement the SP role for your application.
You've mentioned Java and Spring, so typically you are looking at Spring Security and SAML.
If that's the case, then you need to implement a client-side SAML stack.
Refer to: SAML : SAML connectivity / toolkit.

2-legged OAuth Security for RESTful API for Jersey

I know... I know... there are a lot of articles, resources, etc. out there regarding OAuth and securing RESTful APIs with it; however, I'm looking for an actual open-source or third-party product that's already built, which I can throw in front of my controllers (as a filter or whatnot) to do my OAuth magic.
I'm perfectly happy (and mostly able) to "roll my own", but if there is already a commercial product out there I would be VERY happy to use it. I mean... I could create my own wheel, but so many other people do it so much better than I could.
I'm using Jersey (JSR-311) as my RESTful framework, not Spring, so I would prefer not to add the extra "weight" of the Spring Security libraries to my application.
Sorry to ask a question I'm sure has been asked a zillion times, but I just can't seem to find a very straightforward product.
Thanks!
The Jersey OAuth module supports 2-legged OAuth.
Server-side OAuth support javadoc: http://jersey.java.net/nonav/apidocs/latest/jersey/contribs/jersey-oauth/oauth-server/index.html
Client-side OAuth support javadoc: http://jersey.java.net/nonav/apidocs/latest/jersey/contribs/jersey-oauth/oauth-client/index.html
(both are linked from the Jersey home page - http://jersey.java.net)
The modules are available on maven. See http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22com.sun.jersey.contribs.jersey-oauth%22
If you run into issues, you can contact the Jersey team at users#jersey.java.net.

SAML guidance required

I just started my project with SAML 2. I want some help related to SAML and the OpenSAML libraries v2.0.
Can someone point me to helpful and comprehensive tutorials for it? I just want to do a small POC.
I need step-by-step help for SAML. Here are some of my requirements. Please help.
All SAML specific functionality will be implemented using the open source OpenSAML libraries.
We will support both Service Provider (SP) initiated authentication as well as Identity-Provider (IdP) initiated authentication.
My book, A Guide to OpenSAML, gives a good introduction and step-by-step guide to SAML and the OpenSAML library.
Also, my blog has a couple of examples on this.
https://blog.samlsecurity.com/categories/opensaml/
https://blog.samlsecurity.com/categories/saml/
I would suggest starting here:
http://identitymeme.org/doc/draft-hodges-learning-saml-00.html