This manual describes the Spring Security SAML Extension component: its uses, installation, configuration, design and tested environments.
The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and to offer web single sign-on. The Spring Security SAML Extension allows a seamless combination of SAML 2.0 with other authentication and federation mechanisms in a single application. All products supporting SAML 2.0 in Identity Provider mode (e.g. ADFS 2.0, Shibboleth, OpenAM/OpenSSO, RM5 IdM or Ping Federate) can be used to connect with the Spring Security SAML Extension.
The extension can also be used in applications which are not primarily secured using Spring Security. It can be adapted for both single-tenant and multi-tenant environments.
The Spring Security SAML Extension can either be embedded inside an application and work alongside other authentication or single sign-on mechanisms, or it can be deployed separately and convey authentication information to applications using a custom mechanism.
The Spring Security SAML Extension is probably the most complete open-source SAML 2.0 SP implementation, with the widest feature set and configuration possibilities. Other Java open-source alternatives are, for example, the native SAML service providers from Shibboleth that integrate with IIS or Apache (SAML processing is done on the web server rather than at the application level), or the OpenAM Fedlet.
The current implementation should be conformant with the SAML SP Lite and SAML eGovernment profiles. The following profiles, bindings and features are supported as part of the product:
Web single sign-on profile
Web single sign-on holder-of-key profile
IDP-initiated and SP-initiated single sign-on
Single logout profile
Enhanced client/proxy profile
Identity provider discovery profile and IDP selection
Metadata interoperability and PKIX trust management
Automatic service provider metadata generation
Metadata loading from files, URLs, file-backed URLs
Processing and automatic reloading of metadata with many identity providers
Support for authentication contexts
Logging for authentication events
Customization of both SP and IDP metadata
Processing of SAML attributes and user data using UserDetails interface
Support for HTTP-POST, HTTP-Redirect, SOAP, PAOS and Artifact bindings
Easy integration with applications using Spring Security
Sample application with a user interface for quick configuration
Internal processing of SAML messages, including marshalling and unmarshalling, is handled by OpenSAML.
You can use the following supported standards as a reference:
SAML 2.0 basic profiles
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
SAML 2.0 additional profiles
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.pdf
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key.pdf
http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop.pdf
eGovernment profile
http://kantarainitiative.org/confluence/download/attachments/42139782/kantara-egov-saml2-profile-2.0.pdf
The Spring Security SAML Extension requires Java 1.6 as a minimum.
TODO Apache Tomcat, Jetty, Oracle Weblogic, ....
Source code for the project is maintained on GitHub.
Snapshot builds of the project are available in the SpringSource repository.
Source code of the module is licensed under the Apache License, Version 2.0. You may obtain a copy of the license at http://www.apache.org/licenses/LICENSE-2.0.
Issue tracking for the module can be found at Spring Security Extensions Jira. Feel free to submit bugs, patches and feature requests.
For community support please use the Spring Security forum. For additional support you can reach me at vladimir.schafer at gmail.com.