
IdP-Initiated Web SSO Profile using JAVA and SAML 2.0

In our web application we act as the Identity Provider (IdP), which authenticates users through a login screen with username/password. On successful authentication we would like to display a list of hyperlinks which end-users can click to visit partner (service provider) web sites. We plan to accomplish this using SAML 2.0 and the HTTP POST binding.

The message will be placed within an HTML FORM as a hidden form control named SAMLResponse as shown below

...

As I am a newbie to implementing SAMLResponse as a hidden element in Java JSP links, I have the following queries:

- How to generate a SAMLResponse object in Java and then make it a hidden field. Please point me to examples.
- How to digitally sign the SAMLResponse in Java.
- How to encrypt the SAMLResponse in Java.

Is there an equivalent method in the Java world? Are there out-of-the-box solutions and/or tutorials for common servlet containers or application servers?

You might want to have a look at Shibboleth from http://shibboleth.internet2.edu/, an open source IdP and SP implementation. I found it quite mature, even though the whole SAML stuff is not completely trivial to set up. Once it is working, however, it seems to work just fine. IMHO using a proven implementation is a better idea in security-critical contexts than rolling your own with a weak understanding of all the details. This makes your own implementation much more error-prone and therefore susceptible to vulnerabilities.

In any case, you can at least look at the IdP component's source code to get hints on how to do certain things, should you still decide to roll your own implementation.

http://svn.middleware.georgetown.edu/view/java-idp/branches/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/
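To make the "hidden SAMLResponse field" and "sign it in Java" parts of the question concrete, here is an added example (not from the answer above or from Shibboleth) that builds a minimal samlp:Response with the JDK's built-in XML Signature API, signs it, and Base64-encodes it for the HTTP POST binding. The class name, the example.test URLs and the freshly generated RSA key pair are placeholders, Status and Assertion elements are left out, and encryption (EncryptedAssertion) is not covered.

```java
import java.io.StringWriter;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
public class SamlPostBindingExample {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Returns the Base64 value for the hidden SAMLResponse field: a samlp:Response carrying an
    // enveloped XML Signature (SHA-256 digest, RSA-SHA256, exclusive C14N), built with the JDK API only.
    public static String buildSignedResponse(KeyPair kp, String issuer, String dest) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element resp = doc.createElementNS(SAMLP, "samlp:Response");
        resp.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:samlp", SAMLP); // explicit xmlns keeps C14N stable
        resp.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:saml", SAML);
        resp.setAttribute("ID", "_" + UUID.randomUUID());   // unique; the signature Reference points at it
        resp.setAttribute("Version", "2.0");
        resp.setAttribute("IssueInstant", java.time.Instant.now().toString());
        resp.setAttribute("Destination", dest);              // the SP must compare this with its own ACS URL
        resp.setIdAttribute("ID", true);                     // lets URI="#ID" resolve when signing
        doc.appendChild(resp);
        Element iss = doc.createElementNS(SAML, "saml:Issuer");
        iss.setTextContent(issuer);
        resp.appendChild(iss);   // Status and a (signed) Assertion would follow here in a real response
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + resp.getAttribute("ID"), fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(ref));
        // No KeyInfo: the SP should verify with the IdP key from its metadata, never a key shipped in the message.
        // ds:Signature is inserted right after Issuer, where the SAML schema expects it (null sibling = append).
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), resp, iss.getNextSibling()));
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return Base64.getEncoder().encodeToString(sw.toString().getBytes("UTF-8"));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);   // placeholder IdP signing key
        String encoded = buildSignedResponse(g.generateKeyPair(), "https://idp.example.test", "https://sp.example.test/acs");
        System.out.println("<form method=\"post\" action=\"https://sp.example.test/acs\">\n"
            + "  <input type=\"hidden\" name=\"SAMLResponse\" value=\"" + encoded + "\"/>\n</form>");
    }
}
```

The printed form is what a JSP would render for each partner link; in production the signing key comes from a keystore, and the partner verifies the signature against the IdP certificate published in its metadata.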
