Add SAML support to your Java applications using this library. Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc.
2.8.0 uses xmlsec 2.2.3 which fixes CVE-2021-40690
Version >= 2.5.0 compatible with java8 / java9. Not compatible with java7
2.5.0 sets the 'strict' setting parameter to true.
2.5.0 uses xmlsec 2.1.4 which fixes CVE-2019-12400
Version 2.0.0 - 2.4.0, compatible with java7 / java8.
We introduced some incompatibilities, that could be fixed and make it compatible with java6.
Version 1.1.2 is considered to be deprecated. If you have used it, we strongly recommend that you migrate to the new version. We rebuilt the toolkit on 2.0.0, so code/settings that you had been using in the previous version will no longer be compatible.
SAML is an XML-based standard for web browser single sign-on and is defined by the OASIS Security Services Technical Committee. The standard has been around since 2002, but lately it has become popular due to its advantages as follows:
OneLogin's SAML Java toolkit lets you turn a Java application into a SP (Service Provider) that can be connected to an IdP (Identity Provider).
Supports:
Key features:
In production, the onelogin.saml2.strict setting parameter MUST be set as "true". Otherwise your environment is not secure and will be exposed to attacks.
In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
The IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed.
Usually the same administrator that handles the Service Provider also sets the URL to the IdP, which should be a trusted resource.
But there are other scenarios, like a SAAS app where the administrator of the app delegates this functionality to other users. In this case, extra precaution should be taken in order to validate such URL inputs and avoid attacks like SSRF.
The toolkit is hosted on github. You can download it from: * Latest release: https://github.com/onelogin/java-saml/releases/latest * Master repo: https://github.com/onelogin/java-saml/tree/master
The toolkit is hosted at Sonatype OSSRH (OSS Repository Hosting) that is synced to the Central Repository.
Install it as a maven dependency:
<dependency>
<groupId>com.onelogin</groupId>
<artifactId>java-saml</artifactId>
<version>2.9.0</version>
</dependency>
java-saml (com.onelogin:java-saml-toolkit) has the following dependencies:
core: * org.apache.santuario:xmlsec * joda-time:joda-time * org.apache.commons:commons-lang3 * commons-codec:commons-codec * testing: * org.hamcrest:hamcrest-core and org.hamcrest:hamcrest-library * junit:junit * org.mockito:mockito-core * logging: * org.slf4j:slf4j-api * ch.qos.logback:logback-classic * For CI: * org.jacoco:jacoco-maven-plugin
also the Java Cryptography Extension (JCE) is required. If you don't have it, download the version of jce-8, unzip it, and drop its content at ${java.home}/jre/lib/security/. JDK 9 and later offer the stronger cryptographic algorithms by default.
toolkit: * com.onelogin:java-saml-core * javax.servlet:servlet-api
maven: * org.apache.maven.plugins:maven-jar-plugin * org.apache.maven.plugins:maven-surefire-plugin * org.apache.maven.plugins:maven-enforcer-plugin
For more info, open and read the different pom.xml files: core/pom.xml, toolkit/pom.xml
The toolkit is hosted on github. You can download it from: * Latest release: https://github.com/onelogin/java-saml/releases/latest * Master repo: https://github.com/onelogin/java-saml/tree/master
At the Package Explorer, select the jsp-sample project, 2nd bottom of the mouse and Run As > Run Server Select a Tomcat Server in order to deploy the server.
OneLogin's new SAML Java SAML Toolkit contains different folders (core, toolkit, samples) and some files.
Let's start describing them:
This folder contains a maven project with the heart of java-saml, classes and methods to handle AuthNRequest, SAMLResponse, LogoutRequest, LogoutResponse and Metadata (low level API). In addition, it contains classes to load the settings of the toolkit and the HttpRequest class, a framework-agnostic representation of an HTTP request.
In the repo, at src/main/java you will find the source; at src/main/resources/schemas, there are xsd schemas used to validate the SAML messages; at src/test/java are the tests for its classes; and at src/test/resources can be found different settings, SAML messages and certificates used by the junit tests.
This folder contains a maven project with the Auth class to handle the low level classes of java-saml-core and the ServletUtils class to handle javax.servlet.http objects, used on the Auth class. In the repo, at src/main/java you will find the source and at src/test/java the junit tests for the classes Auth and ServletUtils.
This folder contains a maven project with a jsp app used to learn how the java-saml toolkit works.
Within the java-saml-tookit-jspsample/src/main/webapp folder are several jsp files, each one representing a different endpoint: - index.jsp Index of the webapp. - dologin.jsp SP-initiated SSO endpoint. - dologout.jsp SP-initiated SLO endpoint. - acs.jsp Service Provider Assertion Consumer Service endpoint. - attrs.jsp Shows attributes collected from the SAMLResponse. - sls.jsp Service Provider Single Logout Service endpoint. - metadata.jsp Publish SP metadata.
At java-saml-tookit-jspsample/src/main/resources folder is the onelogin.saml.properties file which contains the SAML settings.
First of all we need to configure the toolkit. The SP's info, the IdP's info, and in some cases, configuration for advanced security issues, such as signatures and encryption.
All the settings are defined in one unique file; by default, the Auth class loads a onelogin.saml.properties file with the Auth() method, but if we named it in a different way, we can use Auth(filename);
Here are the list of properties to be defined on the settings file: ```properties
onelogin.saml2.strict = false
onelogin.saml2.debug = false
onelogin.saml2.sp.entityid = http://localhost:8080/java-saml-tookit-jspsample/metadata.jsp
onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-saml-tookit-jspsample/acs.jsp
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
onelogin.saml2.sp.single_logout_service.url = http://localhost:8080/java-saml-tookit-jspsample/sls.jsp
$ claude mcp add java-saml \
-- python -m otcore.mcp_server <graph>