OpenSAML


On this page I have tried to create the ultimate pitstop for people trying to learn and use the OpenSAML library.

I'll start out with an introduction to OpenSAML and move on to a some resources that might be of help. I will also introduce my blog post on this subject and my book, A Guide to OpenSAML.

What is OpenSAML?

OpenSAML is a library to facilitate working with SAML messages. Below are some of the functions that OpenSAML provides:
  • Creating SAML messages 
  • Parsing and exporting SAML objects as XML 
  • Signing and encryption 
  • Encoding and message transport 

Internet2 provides and supports the library. Shibboleth products, produced by internet2, are one of the examples of identity solutions that utilize the OpenSAML library.

The OpenSAML library is available in Java and C++, however; not all functions are provided in both versions. OpenSAML is licensed under Apache 2.0 and the latest version of OpenSAML supports SAML 2.0, 1.1 and 1.0.


Helpful resources

My blog posts

When I work with OpenSAML I try to spend some time to blog about different situation and problems I encounter. Here are some of the more popular.

Some on using OpenSAML for the SAML flow
Redirect with AuthnRequest
Resolve an artifact with OpenSAML
Single Log Out with OpenSAML

Some more general
Convenience methods for OpenSAML
Getting credentials in OpenSAML
Verifying signatures with OpenSAML
Signing with OpenSAML


Read all my posts on OpenSAML

My book, A Guide to OpenSAML

A Guide to OpenSAML is a short book that introduces SAML, the SAML Web Browser Profile and the use of OpenSAML.
A Guide to OpenSAML V3

The book has three parts, the first of which introduces SAML, SAML Web Browser Profile and OpenSAML. 
The next part goes deeper into explaining the Web Browser Profile more in detail and shows how to implement it using OpenSAML. 
The last part explains how to use some of the security functions in OpenSAML, like signatures and encryption.

The SAML Web Browser Profile is flexible and can be used in many different ways. The book shows the SAML Web Browser Profile with the following configurations:
  • SP initiated Single Sign-On 
  • Authentication request using HTTP Redirect Binding 
  • Assertion transported using HTTP Artifact Binding 
  • SAML Artifact transported using HTTP Redirect Binding 
  • Artifact resolution using SOAP Binding 


The SAML specs

As always, when working with SAML it pays of having the official SAML specs close at hand


SAML Core Specs - The main spec for the SAML messages
SAML Binding Specs - Specs for bindings used to transport the messages
SAML Profiles Spec - The profiles showing how to use the SAML messages together for a use-case
SAML Metadata Spec - Specification for SAML configuration data

Other resource

The official OpenSAML homepage - The official page from Internet2. Has good documentation

Javadoc for OpenSAML - Very useful

Mail lists - The developer list is for OpenSAML discussions. Lots of smart and resourceful people. I have gotten a lot of help from here.

5 comments:

  1. AnonymousSeptember 20, 2016 at 4:42 PM

    Hi Stefan, I've been trying to get any kind of clear instruction on how to create a SAML Response to POST to an SP using an IDP-initiated Single Sign-On structure. I don't have to do much other than generate the response for users to log into Staples Online after authenticating in our application.

    Here is what Staples expects:





    qaaccess.company.com.saml2











    qaaccess.company.com.saml2























    AKr2zPYDvRIccY3Aefh4/1kdWBY=







    .......................











    .......................











    .......................



    AQAB













    BSMITH















    StaplesAdvantage









    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified











    0007654321001NAT







    BSMITH









    Obviously there are some details we have to coordinate with them, like giving them our x.509 cert and exchanging valid userIDs and so on. But I'm stuck on how to sign this, and almost every resources I've looked at is confusing and incomplete, or directs me to yet another confusing, incomplete resource.

    Any help is appreciated. Thanks!

    ReplyDelete
    Replies
    1. Stefan RasmussonOctober 4, 2016 at 11:13 PM

      Hi I don't have a lot of experience on using POST with OpenSAML. I would think you should use HTTPPostEncoder for sending. As for signing, have a look here http://blog.samlsecurity.com/2012/11/signing-with-opensaml.html

      Delete
  2. PallaviMarch 7, 2018 at 5:00 PM

    Hi Stefan,
    We are referring your Open SAML 3 project webprofile-ref-project-v3 for implementing service provider. Thanks for the book, it's extremely helpful. I am successfully able to parse the saml response but while validating the signature I am receiving the following error
    org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful

    Any help for the resolution of the above error will be appreciated.

    Thanks!!

    ReplyDelete
  3. UnknownSeptember 5, 2018 at 6:47 AM

    If OpenSAML is low level will I have to test for all kinds of IdP providers or can I expect it to work for all/most? Like ADFS, Azure AD, Okta, PingOne, PingFederated, F5, Oracle Access Manager, ...

    ReplyDelete
  4. CrisApril 22, 2020 at 2:12 PM

    This comment has been removed by the author.

    ReplyDelete

Subscribe to: Posts (Atom)