Offer of help with SAML module

[daleth]

Hello, let me introduce myself. I work as one of the technical leads for the Shibboleth/OpenSAML projects. Over the last few days we have had a passionate individual post to our list regarding SAML support in Spring Security and Shibboleth interoperability. Within the Shibboleth project the SP implementation we have available plugs in to the web server (Apache/IIS/Netscape). We do not have a Java-native SP nor the resources, currently, to develop one. I know that Spring Security does have a SAML extension written by Vladimir and that a growing number of applications are using Spring Security.

So, I wanted to at least extend a hand on behalf of myself and Scott Cantor, the other technical lead and one of the main editors of the SAML spec. As I mentioned above we're limited on development resources at the moment but if we can be of help I wanted to offer that. At the very least, testing and clarifying interoperability seems like a good thing (and I think was what the poster on our users list was getting at). In addition, I can review code (I'm pretty familiar with Spring core at least) and both Scott and I are willing to answer technical questions about the protocol, why we did certain things in our SP implementations, etc. I think having a high-quality Spring Security SAML module is a win for everyone so if we can be of help with that, just let us know.

You can find us on the Shibboleth lists, the OASIS saml-dev list, or I'm also on the forums here, though Scott is not currently.

-- Chad La Joie

[Luke Taylor]

Hi Chad,

Thanks very much for the offer. I've always had a lot of respect for the Shibboleth project.
Having quality integration between Spring Security and Shibboleth is something we'd definitely like to see and your offer of assistance from the Shibboleth/SAML side is most welcome. The last time I set up a Shibboleth instalation was pre-2.0, so I suspect things have changed a bit since then .

I'll check out the post you mention and get back to you.

Thanks again,

Luke.

[daleth]

Hey Luke,

The thread in question is here:
http://groups.google.com/group/shibb...f13e30266522f3

It's a hijacked thread but the stuff about Spring starts with the Jan 9th post by rcrathore. I said this in the post, but let me re-iterate it here. I have *no* idea whether the current Spring Security SAML module is a good SP implementation or not. The concern I expressed to the poster comes solely from seeing a whole lot more bad SP implementations than good ones.

As to the pre-2.0 software. Yeah, it's changed quite a bit since then. If you need help setting up an IdP for testing purposes let me know or if you'd prefer that we just try a couple quick tests with one of our existing IdPs against some test app that you have, as a start, that's certainly doable as well.

[Rob Winch]

I consider myself to be well versed with Spring and Spring Security and would be happy to contribute.

[ccmtaylor]

I'd be happy to contribute as well. I'm no Spring-Security expert, but I've worked with OpenSAML before to create an InfoCard relying party (JInfoCard) and I've got some background in identity.

Regards,
--Chris

[robdaemon]

I'd love to assist with this wherever I can. I'm looking into integrating Shibboleth2 into a Spring Security-enabled web site, and CXF/Spring Security enabled web service project.

I'm starting with integrating with Vladimir's code from the Spring git repo now.

[clarkedm]

Hi,

How far did you get with integrating SAML Spring security extension with Shibboleth. I have setup shibboleth and currently integrating the security plugin. Would like to know if you hit any blockers or could provide some sample code/config.

Thanks.
David

[rcrathore]

Congratulations to Vladimir and spring security team on SPRING SECURITY SAML 1.0.0.RC2 Release today.

[vsch]

Thank you!