The Big OpenSAML Guide
This is the main page on the site where I guide you to all resources on OpenSAML. Here you will find all topics, from beginner to advanced that I have collected over the years.
First, for those who are totally new to OpenSAML, a short introduction.
What is OpenSAML?
OpenSAML is a library to facilitate working with SAML messages. Below are some of the functions that OpenSAML provides:
- Creating SAML messages
- Parsing and exporting SAML objects as XML
- Signing and encryption
- Encoding and message transport
Internet2 provides and supports the library. The Shibboleth products, produced by Internet2, are one example of identity solutions that use the OpenSAML library.
The OpenSAML library is available in Java and C++; however, not all functions are provided in both versions. OpenSAML is licensed under Apache 2.0, and the latest version of OpenSAML supports SAML 2.0, 1.1 and 1.0.
For the beginner
Getting started with OpenSAML 4 - This is a tutorial for getting started with OpenSAML 4, the most current version of the library. In this tutorial I will walk you through the basics of OpenSAML, adding it to your project and building your first SAML message. It is a good starting point for anyone new to SAML.
The SAML Web browser SSO flow
- Using HTTP Redirect to send and receive messages - This tutorial gives a simple example of how to send an authentication request message (AuthnRequest) using the HTTP Redirect binding.
- Using HTTP POST to send and receive messages - This tutorial gives a simple example of how to send a message using the HTTP POST binding. This is a popular binding for sending SAML Responses because of their large size.
- Resolve an artifact with OpenSAML - Here we look at the second step of the HTTP Artifact binding. When an HTTP Artifact is received, it is exchanged over SOAP for the real message, often a SAML Response message.
Single LogOut
- Single Logout with OpenSAML - A post that shows how to build and send an SLO (Single Logout) request using the HTTP Redirect binding.
Things needed here and there
- Convenience methods for OpenSAML - A collection of popular helper methods to ease the load of working with OpenSAML, for example creating and logging messages.
- Getting credentials in OpenSAML - It is not straightforward how to use private and public keys to do cryptographic operations in OpenSAML. This tutorial walks you through it.
- Signing with OpenSAML - Signing is the cryptographic way to ensure that a message has not been changed since it was sent by the sender. This article walks you through how to do this in OpenSAML.
- Verifying signatures with OpenSAML - Of course, it is not much use to have a signed message if you do not know how to check that the signature is valid. This article will show you how to do it in OpenSAML 4.
Books on OpenSAML
To dig deeper into OpenSAML and connecting all the dots I have written a book on the subject.
A Guide to OpenSAML guides you through all steps of using OpenSAML including:
- A basic understanding of Single Sign-On with OpenSAML
- A migration guide for migrating from OpenSAML V2 to V3
- Running sample code to try things out
- A walk through of the steps needed to implement SSO in OpenSAML
- Usage of popular bindings and useful security features
SAML 2.0: Designing secure identity federation is not really a book on OpenSAML, but as you will understand when learning OpenSAML, you need a very good understanding of SAML to build something good and secure with it.
Walking through all topics from introduction to advanced, you will learn:
- To fully understand SAML and identity federation
- Workings of the main building blocks like NameId, bindings and assertions
- How Single Sign-On and Single Logout work in detail
- Different architectural choices and implementation alternatives
- Security best practices and considerations
- Previous security vulnerabilities and what can be learned from them
The SAML specs
As always, when working with SAML it pays off to have the official SAML specs close at hand.
- SAML Core Specs - The main spec for the SAML messages
- SAML Binding Spec - Specs for bindings used to transport the messages
- SAML Profiles Spec - The profiles showing how to use the SAML messages together for a use-case
- SAML Metadata Spec - Specification for SAML configuration data
Other resources
The official OpenSAML homepage - The official page from Internet2.
Javadoc for OpenSAML - Very useful.