OneLogin's SAML Java Toolkit
Add SAML support to your Java applications using this library.
Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc.
Version >= 2.5.0 compatible with java8 / java9. Not compatible with java7
2.5.0 sets the 'strict' setting parameter to true.
2.5.0 uses xmlsec 2.1.4 which fixes CVE-2019-12400
Version 2.0.0 - 2.4.0, compatible with java7 / java8.
We introduced some incompatibilities, that could be fixed and make it compatible with java6.
Version 1.1.2 is considered to be deprecated. If you have used it, we strongly recommend that you migrate to the new version.
We rebuilt the toolkit on 2.0.0, so code/settings that you had been using in the previous version will no longer be compatible.
Why add SAML support to my software?
SAML is an XML-based standard for web browser single sign-on and is defined by
the OASIS Security Services Technical Committee. The standard has been around
since 2002, but lately it has become popular due to its advantages as follows:
Usability - One-click access from portals or intranets, deep linking,
password elimination and automatically renewing sessions make life
easier for the user.
Security - Based on strong digital signatures for authentication and
integrity, SAML is a secure single sign-on protocol that the largest
and most security conscious enterprises in the world rely on.
Speed - SAML is fast. One browser redirect is all it takes to securely
sign a user into an application.
Phishing Prevention - If you don’t have a password for an app, you
can’t be tricked into entering it on a fake login page.
IT Friendly - SAML simplifies life for IT because it centralizes
authentication, provides greater visibility and makes directory
integration easier.
Opportunity - B2B cloud vendor should support SAML to facilitate the
integration of their product.
General description
OneLogin's SAML Java toolkit lets you turn a Java application into a SP
(Service Provider) that can be connected to an IdP (Identity Provider).
Supports:
SSO and SLO (SP-Initiated and IdP-Initiated).
Assertion and nameId encryption.
Assertion signatures.
Message signatures: AuthNRequest, LogoutRequest, LogoutResponses.
Enable an Assertion Consumer Service endpoint.
Enable a Single Logout Service endpoint.
Publish the SP metadata (which can be signed).
Key features:
saml2int - Implements the SAML 2.0 Web Browser SSO Profile.
Session-less - Forget those common conflicts between the SP and
the final app; the toolkit delegates session in the final app.
Easy to use - Programmer will be allowed to code high-level and
low-level programming; 2 easy-to-use APIs are available.
Tested - Thoroughly tested.
Popular - OneLogin's customers use it. Add easy support to your java web projects.
Security warning
In production, the onelogin.saml2.strict setting parameter MUST be set as "true". Otherwise your environment is not secure and will be exposed to attacks.
In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
Installation
Hosting
Github
The toolkit is hosted on github. You can download it from:
Maven
The toolkit is hosted at Sonatype OSSRH (OSS Repository Hosting) that is synced to the Central Repository.
Install it as a maven dependency:
com.onelogin
java-saml
2.6.0
Dependencies
java-saml (com.onelogin:java-saml-toolkit) has the following dependencies:
core:
org.apache.santuario:xmlsec
joda-time:joda-time
org.apache.commons:commons-lang3
commons-codec:commons-codec
testing:
org.hamcrest:hamcrest-core and org.hamcrest:hamcrest-library
junit:junit
org.mockito:mockito-core
logging:
org.slf4j:slf4j-api
ch.qos.logback:logback-classic
For CI:
org.jacoco:jacoco-maven-plugin
also the Java Cryptography Extension (JCE) is required. If you don't have it, download the version of jce-8, unzip it, and drop its content at
${java.home}/jre/lib/security/. JDK 9 and later offer the stronger cryptographic algorithms by default.
toolkit:
com.onelogin:java-saml-core
javax.servlet:servlet-api
maven:
org.apache.maven.plugins:maven-jar-plugin
org.apache.maven.plugins:maven-surefire-plugin
org.apache.maven.plugins:maven-enforcer-plugin
For more info, open and read the different pom.xml files:
core/pom.xml, toolkit/pom.xml
Working with the github repository code and Eclipse.
Get the toolkit.
The toolkit is hosted on github. You can download it from:
Adding java-saml toolkit components as a project
Open Eclipse and set a workspace
File > Import > Maven : Existing Maven Projects > Select the path where the core folder of the Java Toolkit is /java-saml/core, resolve the Workspace project and select the pom.xml
File > Import > Maven : Existing Maven Projects > Select the path where the toolkit folder of the Java Toolkit is /java-saml/toolkit, resolve the Workspace project and select the pom.xml
Adding the java-saml-tookit-jspsample as a project
File > Import > Maven : Existing Maven Projects > Select the path where the core folder of the Java Toolkit is /java-saml/samples/java-saml-tookit-jspsample, resolve the Workspace project and select the pom.xml
Deploy the java-saml-tookit-jspsample
At the Package Explorer, select the jsp-sample project, 2nd bottom of the mouse and Run As > Run Server
Select a Tomcat Server in order to deploy the server.
Getting started
Learning the toolkit
OneLogin's new SAML Java SAML Toolkit contains different folders (core, toolkit, samples) and some files.
Let's start describing them:
core (com.onelogin:java-saml-core)
This folder contains a maven project with the heart of java-saml, classes and methods to handle AuthNRequest, SAMLResponse, LogoutRequest, LogoutResponse and Metadata (low level API). In addition, it contains classes to load the settings of the toolkit and the HttpRequest class, a framework-agnostic representation of an HTTP re