SAML Java implementation: java-saml

OneLogin's SAML Java Toolkit


Add SAML support to your Java applications using this library.

Forget those complicated libraries and use this open source library, provided and supported by OneLogin Inc.

Version >= 2.5.0 is compatible with java8 / java9. It is not compatible with java7.

2.5.0 sets the 'strict' setting parameter to true by default.

2.5.0 uses xmlsec 2.1.4, which fixes CVE-2019-12400.

Versions 2.0.0 - 2.4.0 are compatible with java7 / java8.

We introduced some incompatibilities that could be fixed to make it compatible with java6.

Version 1.1.2 is considered deprecated. If you have used it, we strongly recommend that you migrate to the new version.

We rebuilt the toolkit in 2.0.0, so code/settings that you had been using in the previous version will no longer be compatible.

Why add SAML support to my software?

SAML is an XML-based standard for web browser single sign-on and is defined by the OASIS Security Services Technical Committee. The standard has been around since 2002, but lately it has become popular due to its advantages as follows:

Usability - One-click access from portals or intranets, deep linking, password elimination and automatically renewing sessions make life easier for the user.

Security - Based on strong digital signatures for authentication and integrity, SAML is a secure single sign-on protocol that the largest and most security conscious enterprises in the world rely on.

Speed - SAML is fast. One browser redirect is all it takes to securely sign a user into an application.

Phishing Prevention - If you don't have a password for an app, you can't be tricked into entering it on a fake login page.

IT Friendly - SAML simplifies life for IT because it centralizes authentication, provides greater visibility and makes directory integration easier.

Opportunity - B2B cloud vendors should support SAML to facilitate the integration of their product.

General description

OneLogin's SAML Java toolkit lets you turn a Java application into an SP (Service Provider) that can be connected to an IdP (Identity Provider).

Supports:

SSO and SLO (SP-Initiated and IdP-Initiated).

Assertion and nameId encryption.

Assertion signatures.

Message signatures: AuthNRequest, LogoutRequest, LogoutResponses.

Enable an Assertion Consumer Service endpoint.

Enable a Single Logout Service endpoint.

Publish the SP metadata (which can be signed).

Key features:

saml2int - Implements the SAML 2.0 Web Browser SSO Profile.

Session-less - Forget those common conflicts between the SP and the final app; the toolkit delegates session handling to the final app.

Easy to use - Programmers can work at a high level or a low level; two easy-to-use APIs are available.

Tested - Thoroughly tested.

Popular - OneLogin's customers use it. Add easy SAML support to your Java web projects.

Security warning

In production, the onelogin.saml2.strict setting parameter MUST be set to "true". Otherwise your environment is not secure and will be exposed to attacks.

In production we also highly recommend registering the IdP certificate in the settings instead of using the fingerprint method. The fingerprint is a hash, so in the end it is open to a collision attack that can result in a signature validation bypass. Other SAML toolkits have deprecated that mechanism; we maintain it for compatibility and for use in test environments.
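The following is an added example, not code from the java-saml README or the toolkit itself. It builds the SP settings through the toolkit's SettingsBuilder.fromValues(...) API and refuses to continue unless the two requirements above (strict mode on, a registered IdP certificate rather than a fingerprint) are met. The entity IDs, URLs and the IDP_CERT_PEM value are placeholders, not real deployment data.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;

public class HardenedSettingsCheck {

    // Placeholder: replace with the IdP's real signing certificate (base64 body,
    // no BEGIN/END lines). With this dummy value the toolkit cannot parse a
    // certificate and the check below fails, which is the intended fail-closed behaviour.
    static final String IDP_CERT_PEM = "MIIC...placeholder...";

    // Builds settings with the same keys used in onelogin.saml.properties.
    static Saml2Settings buildSettings() throws Exception {
        Map<String, Object> v = new HashMap<>();
        // strict=true enables schema validation and the signature, audience,
        // destination and time-condition checks; never run production with it off.
        v.put("onelogin.saml2.strict", "true");
        v.put("onelogin.saml2.sp.entityid", "https://sp.example.test/metadata");          // placeholder
        v.put("onelogin.saml2.sp.assertion_consumer_service.url", "https://sp.example.test/acs"); // placeholder
        v.put("onelogin.saml2.idp.entityid", "https://idp.example.test/metadata");        // placeholder
        v.put("onelogin.saml2.idp.single_sign_on_service.url", "https://idp.example.test/sso"); // placeholder
        // Register the full certificate, not a fingerprint (see Security warning).
        v.put("onelogin.saml2.idp.x509cert", IDP_CERT_PEM);
        // Require signed assertions so an unsigned assertion is rejected outright.
        v.put("onelogin.saml2.security.want_assertions_signed", "true");
        return new SettingsBuilder().fromValues(v).build();
    }

    // Returns the reasons these settings are not production-safe; empty means OK.
    static List<String> productionProblems(Saml2Settings s) {
        List<String> problems = new ArrayList<>(s.checkSettings()); // toolkit's own consistency checks
        if (!s.isStrict()) {
            problems.add("onelogin.saml2.strict must be true");
        }
        if (s.getIdpx509cert() == null) {
            problems.add("no IdP certificate registered (onelogin.saml2.idp.x509cert)");
        }
        String fp = s.getIdpCertFingerprint();
        if (fp != null && !fp.isEmpty()) {
            problems.add("fingerprint-based IdP validation is configured; register the certificate instead");
        }
        if (!s.getWantAssertionsSigned()) {
            problems.add("onelogin.saml2.security.want_assertions_signed should be true");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        List<String> problems = productionProblems(buildSettings());
        if (!problems.isEmpty()) {
            for (String p : problems) {
                System.err.println("SAML settings problem: " + p);
            }
            System.exit(1); // fail closed: do not start the SP with insecure settings
        }
        System.out.println("SAML settings pass the production checks");
    }
}
```

Run this once at application start-up (or as a deployment smoke test) so that a configuration which silently reverts to strict=false or to a fingerprint never reaches production.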

Installation

Hosting

Github

The toolkit is hosted on github. You can download it from:

Maven

The toolkit is hosted at Sonatype OSSRH (OSS Repository Hosting), which is synced to the Central Repository.

Install it as a maven dependency:

```xml
<dependency>
  <groupId>com.onelogin</groupId>
  <artifactId>java-saml</artifactId>
  <version>2.6.0</version>
</dependency>
```

Dependencies

java-saml (com.onelogin:java-saml-toolkit) has the following dependencies:

core:

org.apache.santuario:xmlsec

joda-time:joda-time

org.apache.commons:commons-lang3

commons-codec:commons-codec

testing:

org.hamcrest:hamcrest-core and org.hamcrest:hamcrest-library

junit:junit

org.mockito:mockito-core

logging:

org.slf4j:slf4j-api

ch.qos.logback:logback-classic

For CI:

org.jacoco:jacoco-maven-plugin

The Java Cryptography Extension (JCE) is also required. If you don't have it, download the jce-8 package, unzip it, and drop its content into ${java.home}/jre/lib/security/. JDK 9 and later offer the stronger cryptographic algorithms by default.

toolkit:

com.onelogin:java-saml-core

javax.servlet:servlet-api

maven:

org.apache.maven.plugins:maven-jar-plugin

org.apache.maven.plugins:maven-surefire-plugin

org.apache.maven.plugins:maven-enforcer-plugin

For more info, open and read the different pom.xml files:

core/pom.xml, toolkit/pom.xml

Working with the github repository code and Eclipse.

Get the toolkit.

The toolkit is hosted on github. You can download it from:

Adding java-saml toolkit components as a project

Open Eclipse and set a workspace

File > Import > Maven : Existing Maven Projects > Select the path where the core folder of the Java Toolkit is /java-saml/core, resolve the Workspace project and select the pom.xml

File > Import > Maven : Existing Maven Projects > Select the path where the toolkit folder of the Java Toolkit is /java-saml/toolkit, resolve the Workspace project and select the pom.xml

Adding the java-saml-tookit-jspsample as a project

File > Import > Maven : Existing Maven Projects > Select the path where the sample folder of the Java Toolkit is /java-saml/samples/java-saml-tookit-jspsample, resolve the Workspace project and select the pom.xml

Deploy the java-saml-tookit-jspsample

In the Package Explorer, right-click the jsp-sample project and choose Run As > Run on Server.

Select a Tomcat Server in order to deploy the sample.

Getting started

Learning the toolkit

OneLogin's new SAML Java Toolkit contains different folders (core, toolkit, samples) and some files.

Let's start describing them:

core (com.onelogin:java-saml-core)

This folder contains a maven project with the heart of java-saml, classes and methods to handle AuthNRequest, SAMLResponse, LogoutRequest, LogoutResponse and Metadata (low level API). In addition, it contains classes to load the settings of the toolkit and the HttpRequest class, a framework-agnostic representation of an HTTP re
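As an added example (not the README's own code, nor the toolkit's sample), the servlet below shows the high-level API from the toolkit module handling the Assertion Consumer Service step: it loads the settings, enforces strict mode at start-up, lets Auth.processResponse() validate the SAMLResponse, and only then creates the application session, since the toolkit itself is session-less. Assumptions: the settings live in onelogin.saml.properties on the classpath, the servlet is mapped to the ACS URL configured there, and the session attribute names are arbitrary choices.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.onelogin.saml2.Auth;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;

// Assertion Consumer Service endpoint built on the toolkit's high-level Auth API.
public class AcsServlet extends HttpServlet {

    private Saml2Settings settings;

    @Override
    public void init() throws ServletException {
        try {
            // Assumed location of the properties file (classpath).
            settings = new SettingsBuilder().fromFile("onelogin.saml.properties").build();
        } catch (Exception e) {
            throw new ServletException("cannot load SAML settings", e);
        }
        // Fail closed: the README requires strict mode in production.
        if (!settings.isStrict()) {
            throw new ServletException("onelogin.saml2.strict must be true in production");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            Auth auth = new Auth(settings, req, resp);
            // In strict mode this validates the signature(s), issuer, audience,
            // destination, InResponseTo and time conditions of the SAMLResponse.
            auth.processResponse();

            if (!auth.isAuthenticated()) {
                // Keep the detailed reason in the server log only; the browser gets a generic error.
                List<String> errors = auth.getErrors();
                log("SAML response rejected: " + errors + " / " + auth.getLastErrorReason());
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }

            // The toolkit delegates session handling to the application, so the
            // session is created here, after validation succeeded.
            HttpSession session = req.getSession(true);
            session.setAttribute("samlNameId", auth.getNameId());
            Map<String, List<String>> attributes = auth.getAttributes();
            session.setAttribute("samlAttributes", attributes);

            // Only honour a relative RelayState so the IdP-supplied value cannot
            // redirect the user to another site.
            String relayState = req.getParameter("RelayState");
            boolean localTarget = relayState != null && relayState.startsWith("/") && !relayState.startsWith("//");
            resp.sendRedirect(localTarget ? relayState : "/");
        } catch (Exception e) {
            log("error processing SAML response", e);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

The login side is the mirror image: a servlet mapped to the application's login URL calls `new Auth(settings, req, resp).login()`, which builds a signed AuthNRequest (when onelogin.saml2.security.authnrequest_signed is enabled) and redirects the browser to the IdP's single sign-on URL.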
