Monday, May 12, 2008

A Single Sign-on implementation

If you are looking to implement Single Sign-on, a worthwhile library to look at is OpenSAML 2.0. The 2.0 library is well written and much more intuitive to use than its predecessor, OpenSAML 1.0. I recently implemented a SAML 1.1 solution using the 2.0 library on WebLogic 8.1. The library by default targets the Java 1.5 platform, but with Retroweaver one can use it on Java 1.4 (WebLogic 8.1 does not run on Java 1.5). The SAML Browser/Artifact profile is pretty easy to understand and implement with the library, and good ol' Wikipedia gives an easy explanation of the steps needed to get the communication going. However, I would recommend reading through the OASIS SAMLBind (bindings and profiles) document to get a better understanding of the implementation details.

I used XFire (v1.2.6) to implement the Artifact Resolution Service at the IdP, which the Service Provider invokes once it receives the artifact posted to it. Since the OpenSAML library works with the raw XML document, XFire needs to be configured so that it does not unmarshal the incoming XML into Java POJOs. XFire has a neat way to work with raw XML documents, using a binding called Message Binding, so the XFire service interface looks like:
public XMLStreamReader invoke(Document samlRequest) throws Exception
OpenSAML can then unmarshal the DOM document into its XMLObject model (via the UnmarshallerFactory obtained from Configuration) and build the SAML response objects with the XMLObjectBuilderFactory.

Some quirks here: when returning the response, I had to return an object of type XMLStreamReader, and I used W3CDOMStreamReader to convert the marshalled DOM to this type. Also, for SOAP faults to be reported correctly, the service interface had to declare that it throws the base "Exception" class and not a specific exception type.
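Putting the pieces from the two paragraphs above together, here is what such an Artifact Resolution Service can look like end to end: the DOM request comes in through the Message Binding signature, OpenSAML unmarshals it, the artifact is resolved, and the Response is marshalled back out through W3CDOMStreamReader. This is an added example, not code from the original post or from the XFire/OpenSAML projects. It assumes an in-memory artifact store (the register method and the Issued class are hypothetical), assumes XFire hands the SOAP body child to invoke as the Document, and assumes W3CDOMStreamReader lives in org.codehaus.xfire.util.stax. Two checks SAMLBind expects of the IdP side are included: an artifact resolves only once (it is removed from the store on lookup, so a replayed or guessed artifact yields no assertion) and it expires after a short time. Two things a production IdP must still add are left out: authenticating the SP that calls this endpoint (TLS client certificate or HTTP basic auth) and signing the Response.

```java
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.xml.stream.XMLStreamReader;

import org.codehaus.xfire.util.stax.W3CDOMStreamReader; // assumed package for XFire 1.2.x
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.AssertionArtifact;
import org.opensaml.saml1.core.Request;
import org.opensaml.saml1.core.Response;
import org.opensaml.saml1.core.Status;
import org.opensaml.saml1.core.StatusCode;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Unmarshaller;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * IdP-side SAML 1.1 Artifact Resolution Service exposed through XFire's
 * Message Binding: the SP's samlp:Request arrives as a raw DOM Document and
 * the samlp:Response goes back as a StAX reader over the marshalled DOM.
 */
public class ArtifactResolutionService {

    /** How long an issued artifact stays resolvable (assumed policy: 5 minutes). */
    private static final long ARTIFACT_TTL_MILLIS = 5 * 60 * 1000L;

    /** Hypothetical in-memory artifact store: artifact handle -> Issued entry. */
    private final Map issued = Collections.synchronizedMap(new HashMap());

    private final SecureRandom random = new SecureRandom();

    /** One outstanding artifact: the (unparented) assertion it stands for and its expiry. */
    private static final class Issued {
        final Assertion assertion;
        final long expiresAt;
        Issued(Assertion assertion, long expiresAt) {
            this.assertion = assertion;
            this.expiresAt = expiresAt;
        }
    }

    static {
        try {
            DefaultBootstrap.bootstrap(); // registers OpenSAML builders and (un)marshallers
        } catch (org.opensaml.xml.ConfigurationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Called by the IdP's SSO endpoint when it hands a fresh artifact to the browser. */
    public void register(String artifact, Assertion assertion) {
        issued.put(artifact, new Issued(assertion, System.currentTimeMillis() + ARTIFACT_TTL_MILLIS));
    }

    /** The signature XFire's Message Binding expects: DOM in, XMLStreamReader out. */
    public XMLStreamReader invoke(Document samlRequest) throws Exception {
        Element root = samlRequest.getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Request request = (Request) um.unmarshall(root); // fails fast if the body is not samlp:Request

        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        Response response = (Response) bf.getBuilder(Response.DEFAULT_ELEMENT_NAME)
                .buildObject(Response.DEFAULT_ELEMENT_NAME);
        response.setVersion(SAMLVersion.VERSION_11);
        response.setID("_" + Long.toHexString(random.nextLong())); // xsd:ID must start with a letter or '_'
        response.setIssueInstant(new DateTime());
        response.setInResponseTo(request.getID());

        boolean allResolved = true;
        long now = System.currentTimeMillis();
        for (Iterator it = request.getAssertionArtifacts().iterator(); it.hasNext();) {
            String handle = ((AssertionArtifact) it.next()).getAssertionArtifact();
            // remove() makes the artifact single-use: a second resolution attempt finds nothing.
            Issued entry = (Issued) issued.remove(handle);
            if (entry == null || entry.expiresAt < now) {
                allResolved = false; // unknown, replayed or expired artifact
            } else {
                response.getAssertions().add(entry.assertion);
            }
        }

        // A failed lookup is reported with a Requester status and no assertions at all,
        // so a partially bad request cannot be used to fish out the good ones.
        if (!allResolved) {
            response.getAssertions().clear();
        }
        Status status = (Status) bf.getBuilder(Status.DEFAULT_ELEMENT_NAME)
                .buildObject(Status.DEFAULT_ELEMENT_NAME);
        StatusCode code = (StatusCode) bf.getBuilder(StatusCode.DEFAULT_ELEMENT_NAME)
                .buildObject(StatusCode.DEFAULT_ELEMENT_NAME);
        code.setValue(allResolved ? StatusCode.SUCCESS : StatusCode.REQUESTER);
        status.setStatusCode(code);
        response.setStatus(status);

        // Marshal to DOM and hand XFire a StAX reader over it, as described in the post.
        Element out = Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        return new W3CDOMStreamReader(out);
    }
}
```

The method deliberately declares throws Exception rather than a checked SAML or XML exception, for the SOAP-fault reason noted above. Anything that goes wrong before the Response is built (a body that is not a samlp:Request, an unmarshalling error) surfaces as a SOAP fault; a bad artifact, by contrast, is a valid SAML answer with a Requester status, which is what the SP's artifact profile code is written to handle.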

While the implementation adds a bit of complexity through the use of XFire, it works out pretty well and allows one to use these excellent libraries, XFire and OpenSAML 2.0, together to leverage the best of both.

The solution is on its way into production this week - fingers crossed....:).
