On this page I have tried to create the ultimate pitstop for people trying to learn and use the OpenSAML library.
I'll start out with an introduction to OpenSAML and move on to some resources that might be of help. I will also introduce my blog posts on this subject and my book, A Guide to OpenSAML.
What is OpenSAML?
OpenSAML is a library to facilitate working with SAML messages. Below are some of the functions that OpenSAML provides:
- Creating SAML messages
- Parsing and exporting SAML objects as XML
- Signing and encryption
- Encoding and message transport
Internet2 provides and supports the library. The Shibboleth products, produced by Internet2, are one example of identity solutions that use the OpenSAML library.
The OpenSAML library is available in Java and C++; however, not all functions are provided in both versions. OpenSAML is licensed under Apache 2.0, and the latest version supports SAML 2.0, 1.1 and 1.0.
Helpful resources
My blog posts
When I work with OpenSAML I try to spend some time blogging about the different situations and problems I encounter. Here are some of the more popular posts.
Some on using OpenSAML for the SAML flow
Redirect with AuthnRequest
Resolve an artifact with OpenSAML
Single Log Out with OpenSAML
Some more general ones
Convenience methods for OpenSAML
Getting credentials in OpenSAML
Verifying signatures with OpenSAML
Signing with OpenSAML
Read all my posts on OpenSAML
My book, A Guide to OpenSAML
A Guide to OpenSAML is a short book that introduces SAML, the SAML Web Browser Profile and the use of OpenSAML.
The book has three parts, the first of which introduces SAML, the SAML Web Browser Profile and OpenSAML.
The next part explains the Web Browser Profile in more detail and shows how to implement it using OpenSAML.
The last part explains how to use some of the security functions in OpenSAML, like signatures and encryption.
The SAML Web Browser Profile is flexible and can be used in many different ways. The book shows the SAML Web Browser Profile with the following configurations:
- SP initiated Single Sign-On
- Authentication request using HTTP Redirect Binding
- Assertion transported using HTTP Artifact Binding
- SAML Artifact transported using HTTP Redirect Binding
- Artifact resolution using SOAP Binding
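The first two steps of that configuration (SP-initiated SSO with the AuthnRequest sent over the HTTP Redirect Binding) in working code, as an added example that is not from the book or from the OpenSAML project. It targets the OpenSAML 3 Java API (Joda-Time IssueInstant) and performs the Redirect Binding encoding by hand (raw DEFLATE, Base64, URL-encode), which is what HTTPRedirectDeflateEncoder does internally; the entityIDs and endpoint URLs are hypothetical placeholders to be replaced with values from real SAML metadata.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

import net.shibboleth.utilities.java.support.security.RandomIdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.w3c.dom.Element;

public class RedirectAuthnRequestExample {

    // Hypothetical identifiers and endpoints; take the real ones from SP and IdP metadata.
    static final String SP_ENTITY_ID = "https://sp.example.org/saml";
    static final String SP_ACS_URL   = "https://sp.example.org/saml/acs";
    static final String IDP_SSO_URL  = "https://idp.example.org/saml/sso";

    /** Builds the AuthnRequest the SP sends to start SP-initiated SSO. */
    public static AuthnRequest buildAuthnRequest() {
        AuthnRequest req = XMLObjectSupport.buildXMLObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        // Random, XML-safe ID: the SP must remember it and match it against InResponseTo on the Response.
        req.setID(new RandomIdentifierGenerationStrategy().generateIdentifier());
        req.setIssueInstant(new DateTime());
        req.setDestination(IDP_SSO_URL);
        req.setAssertionConsumerServiceURL(SP_ACS_URL);
        // Ask the IdP to deliver the Response with the HTTP Artifact Binding, as in the flow above.
        req.setProtocolBinding(SAMLConstants.SAML2_ARTIFACT_BINDING_URI);

        Issuer issuer = XMLObjectSupport.buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(SP_ENTITY_ID);
        req.setIssuer(issuer);
        return req;
    }

    /** Encodes the request per the HTTP Redirect Binding: raw DEFLATE, Base64, then URL-encode. */
    public static String redirectUrl(AuthnRequest req, String relayState) throws Exception {
        Element dom = XMLObjectSupport.marshall(req);
        String xml = SerializeSupport.nodeToString(dom);

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        // nowrap=true gives raw DEFLATE without the zlib header, which is what the binding requires.
        try (DeflaterOutputStream out = new DeflaterOutputStream(buf, new Deflater(Deflater.DEFLATED, true))) {
            out.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        String samlRequest = Base64.getEncoder().encodeToString(buf.toByteArray());

        StringBuilder url = new StringBuilder(IDP_SSO_URL)
                .append("?SAMLRequest=").append(URLEncoder.encode(samlRequest, "UTF-8"));
        if (relayState != null) {
            url.append("&RelayState=").append(URLEncoder.encode(relayState, "UTF-8"));
        }
        return url.toString();
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();   // registers builders, marshallers and unmarshallers
        AuthnRequest req = buildAuthnRequest();
        System.out.println(SerializeSupport.prettyPrintXML(XMLObjectSupport.marshall(req)));
        // The SP answers the browser with a 302 to this URL; the IdP inflates and parses SAMLRequest.
        System.out.println(redirectUrl(req, "constructed-relay-state"));
    }
}
```

RelayState should be an opaque token the SP can map back to the original request, not a raw return URL, and the generated ID must be stored so the SP can later reject a Response whose InResponseTo it never issued. Note that on the Redirect Binding a signature, when used, goes into the SigAlg and Signature query parameters rather than into the XML, which is why the request above carries no enveloped Signature element.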
The SAML specs
As always, when working with SAML it pays off to have the official SAML specs close at hand.
SAML Core Specs - The main spec for the SAML messages
SAML Binding Specs - Specs for bindings used to transport the messages
SAML Profiles Spec - The profiles showing how to use the SAML messages together for a use-case
SAML Metadata Spec - Specification for SAML configuration data
Other resources
The official OpenSAML homepage - The official page from Internet2. Has good documentation.
Javadoc for OpenSAML - Very useful
Mail lists - The developer list is for OpenSAML discussions. Lots of smart and resourceful people. I have gotten a lot of help from here.
Hi Stefan, I've been trying to get any kind of clear instruction on how to create a SAML Response to POST to an SP using an IDP-initiated Single Sign-On structure. I don't have to do much other than generate the response for users to log into Staples Online after authenticating in our application.
Here is what Staples expects:
qaaccess.company.com.saml2
qaaccess.company.com.saml2
AKr2zPYDvRIccY3Aefh4/1kdWBY=
.......................
.......................
.......................
AQAB
BSMITH
StaplesAdvantage
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
0007654321001NAT
BSMITH
Obviously there are some details we have to coordinate with them, like giving them our X.509 cert and exchanging valid user IDs and so on. But I'm stuck on how to sign this, and almost every resource I've looked at is confusing and incomplete, or directs me to yet another confusing, incomplete resource.
Any help is appreciated. Thanks!
Hi, I don't have a lot of experience on using POST with OpenSAML. I would think you should use HTTPPostEncoder for sending. As for signing, have a look here: http://blog.samlsecurity.com/2012/11/signing-with-opensaml.html
Hi Stefan,
We are referring to your OpenSAML 3 project webprofile-ref-project-v3 for implementing a service provider. Thanks for the book, it's extremely helpful. I am successfully able to parse the SAML response, but while validating the signature I am receiving the following error:
org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
Any help for the resolution of the above error will be appreciated.
Thanks!!
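For the two signature questions above (signing a Response before POSTing it, and a Response whose signature fails cryptographic validation), here is an added example of signing and verifying a SAML Response with the OpenSAML 3 Java API. It is not code from the blog, the book or the OpenSAML project. It assumes an in-memory RSA key pair constructed for the demonstration (a real IdP would load a BasicX509Credential from its keystore, and a real SP takes the IdP's verification key from metadata, never from the KeyInfo inside the message), and the entityID is a hypothetical placeholder.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.keyinfo.impl.BasicKeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.Signer;

public class SignAndVerifyResponseExample {

    /** Constructed in-memory key pair for the demo; production code loads a BasicX509Credential from a keystore. */
    static Credential newRsaCredential() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        return new BasicCredential(kp.getPublic(), kp.getPrivate());
    }

    /** Minimal Response skeleton; a real one also carries Status and the Assertion. */
    static Response buildResponse(String idpEntityId) {
        Response response = XMLObjectSupport.buildXMLObject(Response.DEFAULT_ELEMENT_NAME);
        response.setID("_constructed-response-id");
        response.setVersion(SAMLVersion.VERSION_20);
        response.setIssueInstant(new DateTime());
        Issuer issuer = XMLObjectSupport.buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(idpEntityId);
        response.setIssuer(issuer);
        return response;
    }

    /** Adds an enveloped XML Signature (RSA-SHA256, exclusive C14N) and computes it. */
    static void sign(Response response, Credential signingCred) throws Exception {
        Signature signature = XMLObjectSupport.buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCred);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        BasicKeyInfoGeneratorFactory kif = new BasicKeyInfoGeneratorFactory();
        kif.setEmitPublicKeyValue(true);
        signature.setKeyInfo(kif.newInstance().generate(signingCred));

        response.setSignature(signature);
        // The object must be marshalled to DOM first: Signer computes the signature over the DOM.
        XMLObjectSupport.marshall(response);
        Signer.signObject(signature);
    }

    /** SP-side check: profile validation first, then cryptographic validation against a trusted key. */
    static boolean verify(Response response, Credential trustedCred) {
        Signature signature = response.getSignature();
        if (signature == null) {
            return false;   // an unsigned Response is rejected outright
        }
        try {
            // Rejects signatures that are not enveloped or that reference something other than the Response.
            new SAMLSignatureProfileValidator().validate(signature);
            // Throws "Signature cryptographic validation not successful" when trustedCred is not the
            // key that produced the signature, or when the signed content was altered after signing.
            SignatureValidator.validate(signature, trustedCred);
            return true;
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        Credential idpCred = newRsaCredential();
        Credential otherCred = newRsaCredential();   // unrelated key, standing in for a misconfigured SP

        Response response = buildResponse("https://idp.example.org/constructed");
        sign(response, idpCred);
        System.out.println(SerializeSupport.prettyPrintXML(response.getDOM()));

        System.out.println("verifies with the IdP key:     " + verify(response, idpCred));
        System.out.println("verifies with an unrelated key: " + verify(response, otherCred));
    }
}
```

The second verify call reproduces the situation behind the SignatureException reported above: the Response is well formed and correctly signed, but the SP is checking it with a key other than the one the IdP actually used. The usual fixes are to reload the IdP's current signing certificate from its metadata and to make sure nothing between the IdP and the parser (pretty-printing, re-serialisation, character-set conversion) touched the signed bytes.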
If OpenSAML is low level will I have to test for all kinds of IdP providers or can I expect it to work for all/most? Like ADFS, Azure AD, Okta, PingOne, PingFederated, F5, Oracle Access Manager, ...
Hi Stefan,
I bought your book "A guide to OpenSAML V2" yesterday. But my intention was to buy the latest "A guide to OpenSAML V3". By mistake, I bought the older version. Is there any chance I could swap it for the new version?