
Thread: How to configure existing spring (web-flow + security) based application as SAML idP

  1. #1

    How to configure existing spring (web-flow + security) based application as SAML idP

    Hi,

    I am trying to use Spring Security and SAML2 for SSO purposes.
    We have an existing application based on Spring Web Flow and Spring Security which uses a db-backed authentication mechanism (provider).
    We are developing a new application which will not have its own authentication mechanism and will use authentication from the 1st application.
    I have downloaded the spring-security-saml2-core and sample apps from GitHub, but I am unable to understand what configuration and dependencies I need in the existing application to make it work like an idP.
    I tried running the sample app using ssocircle as the idP, but due to some corporate firewall issues, it doesn't work either.
    Also, the spring-security-saml2-sample app seems to behave only as an SP.
    Can someone point me in the right direction to have my existing app configured as an idP?

  2. #2


    Spring SAML is indeed an SP; it has no IDP components. If you want to build your own IDP you would be better off looking at the OpenSAML project. I should warn you that building your own IDP is a major undertaking (we've done it!) and you may be better off using an off-the-shelf IDP which can integrate with your existing db store.
    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson

  3. #3

    Thanks thobson

    Thanks thobson for your reply,
    I was thinking along those lines only and you made it more clear.
    I have evaluated OpenSAML and also gone through OpenSSO (now known as OpenAM), but using either of these approaches would mean significant changes in the existing application and possibly extracting the authentication logic completely from the existing app.
    That summarizes to the following, as per my understanding:
    1. Making an already developed Spring-based web application with authentication logic act as an IDP is a cumbersome job and requires a good and thorough understanding of SAML.
    2. Use an external IDP provider like OpenAM or CAS and set up federation with hosted / remote IDPs and SPs within the same Circle of Trust. But again, it requires a lot of work.

    Given the circumstances, what would you suggest for enabling single sign-on in multiple applications with one application acting as IDP?

  4. #4


    I'd suggest you go for the second option because writing your own IDP code is challenging, especially as the OpenSAML code is not very well documented. Also, I don't think you can afford to take any chances with security-related code; a simple bug could leave you wide open.

    Adopting an off-the-shelf IDP solution will require some work but it should be pretty simple, especially if you already use Spring Security for authentication. We have customers who implemented our Cloudseal platform in half a day. Other platforms like CAS and OpenAM will probably require a bit more work, but you should still be looking at days rather than weeks.

    I hope this helps; let me know if you need any more advice/help.
    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson
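To make the "a simple bug could leave you wide open" point concrete: below is an added example (not code from this thread, from Spring SAML or from Cloudseal) of the Conditions checks an SP must apply to every SAML assertion before trusting it. The assertion, the IdP and SP entity IDs and the timestamps are constructed for illustration, and XML signature verification is deliberately out of scope; a real SP verifies the signature against the IdP certificate before evaluating any of these fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with hypothetical hosts. It is unsigned on purpose
# so that only the Issuer / validity window / audience checks below are exercised.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2012-02-20T10:00:00Z">
  <saml:Issuer>https://idp.example.internal/saml</saml:Issuer>
  <saml:Conditions NotBefore="2012-02-20T10:00:00Z" NotOnOrAfter="2012-02-20T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app2.example.internal/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_IDP = "https://idp.example.internal/saml"   # the one IdP this SP trusts
OUR_SP = "https://app2.example.internal/sp"         # this SP's own entity ID

def parse_ts(s):
    """SAML timestamps are UTC ISO 8601; the samples here carry no fractional seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_idp, our_sp, now, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject the assertion (empty list = accept).
    Every check is independent, so a caller sees all failures, not just the first.
    Signature verification must already have succeeded before this is called."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. Only assertions issued by the IdP we actually trust count.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        problems.append("Issuer is not the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Conditions element missing"]
    # 2. Enforce the validity window, allowing a small clock skew either way.
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None:
        problems.append("validity window (NotBefore/NotOnOrAfter) missing")
    else:
        if now < parse_ts(nb) - skew:
            problems.append("NotBefore is in the future")
        if now >= parse_ts(na) + skew:
            problems.append("NotOnOrAfter has passed")
    # 3. The assertion must be addressed to this SP, not to some other application.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_sp not in audiences:
        problems.append("AudienceRestriction does not name this SP")
    return problems
```

Skipping any one of these checks (or the signature check that precedes them) lets an assertion minted for another application, by another issuer, or captured days earlier be accepted as a fresh login.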

  5. #5


    I released some sample code a while back that shows how to integrate Spring Security and OpenSAML. It contains both an IDP and an SP. The IDP is also a standalone web app that can be accessed with form login; I think this is what you are specifically asking for.

    This is example code, not a framework. You will need to have a good understanding of Spring Security and SAML for this to be useful to you.

    Good Luck.
