Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1004: Add support for SAML 2.0 SSO #1255

spring-issuemaster opened this Issue Oct 4, 2008 · 22 comments


None yet
1 participant

Farrukh Najmi(Migrated from SEC-1004) said:

Currently there is no out-of-box support for SAML 2.0 tokens within Spring Security.
It is desirable to enhance Spring Security to allow support for SAML 2 Tokens as described in
SAML Token Profile 1.1 of OASIS WSS http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf.
The solution should provide a Acegi Security plugin for SAML 2 compliant Authentication Authority.

There appears to be people out there that have developed extensions to Spring Security to support SAML 2 and are looking for a way
to contribute it to the project:


Perhaps such work from community members may be relevant and help get a solid start on meeting this RFE.

Luke Taylor said:

Well, that thread was some time ago and I asked the poster to submit their code in Jira, but they never did.

This isn’t something we get that many requests for in practice, so it is unlikely to happen in the near future unless someone wants to contribute it. Feel free to submit a patch or sample code.

Tom Leccese said:

Please consider this a request for implementing a SAML plugin. I was actually hoping that there was one already done :(. Anyway, I will investigate implementing this enhancement myself since it is something that my company needs to implement in the next couple of months. If I come up with anything useful I’ll share it here.

Vladimir Schäfer said:


I’ve implemented a SAML v2 integration into Spring Security and the work may be quite close to be ready for inclusion into the project. You’re mostly welcome to check it out and comment!

The implementation is based on OpenSAML library. Everything is Apache 2.0 licensed.

The following features are available:
- SP and IDP initialized WebSSO profile of the SAML v2 protocol stack
- HTTP-POST and HTTP-Redirect bindings
- Automatic generation of SP metadata
- User selection of IDP to federate with
- Multiple IDPs in the circle of trust with metadata loading from filesystem or URL
- Custom loading/storing of user data using UserDetails interface
- Fully configurable using Spring context
- Sample pre-configured web application

The sample web application is created as part of the build process. In order to use it just:

1) Download IDP metadata from your server
2) Change the WEB-INF/security/securityContext.xml configuration to point to your IDP metadata file
3) Deploy the application
4) Download your application metadata from protocol://server:port/appContext/saml/metadata and upload to the IDP
5) Enjoy single sign-on (in case HTTP-POST/HTTP-Redirect binding is supported by the server, which is very likely the case)

More documentation and configuration details can be found in the attached pdf.

The package was so far tested with OpenSSO and Weblogic 10 IDPs. The sample application is deployable at least on Tomcat 6.0.18 and JBoss 4.2.2 GA without problems. Some other servers (at least Weblogic 10.1) may need update of the XML parsing libraries. I’m currently unit testing the code, tests are not yet included in the package.

Have fun!

Andrea Chiodoni said:

Hi, I’ve been testing it and it works perfectly. I was even able to consume the SAML attribute statement (did not succeeded in WebLogic 10). The only “bug” I’ve found is that MetadataGenerator contains the alias of the certificate (apollo) hardcoded.
Thanks for sharing!

Luke Taylor said:

Thanks a lot for the submission. I’ll add it to the sandbox when I get a chance and we’ll look at including it in a future version.

Peter Mularien said:

We see a big increase in the discussion from our customers, partners, and vendors interested in using SAML. Having first-class SAML support in Spring Security would be excellent!

Aslak Knutsen said:

I've made some changes to Vladimirs contribution to add support for:

  • Role mapping based on Assertion response from IP
  • Single 'global' logout support

Luke: could you please add this to the sandbox? It would make it a lot easier to submit patches when the code is backed by a version control system.

Luke Taylor said:

We've started a Spring Security project within Spring Extensions. Vladimir's code will be added there soon hopefully. There relevant information is:

Svn: https://src.springframework.org/svn/se-security
Jira: http://jira.springsource.org/browse/SES
Fisheye: https://fisheye.springsource.org/browse/se-security

Luke Taylor said:

Vladimir has added his code to the Spring Security Extensions project, so you can now track it there (please open any issues under the "saml" module).

Matt Olsen said:

Thank you, Vladimir, for your work on this.

I was getting an xml parsing exception - org.xml.sax.SAXParseException: UndeclaredPrefix: Cannot resolve 'xt:DEFAULT' as a QName: the prefix 'xt' is not declared. This was when trying to run the web app on Tomcat (5 and 6) with jdk 1.5.

In case any one else has the same problem, you need a specific set of jars in the Tomcat endorsed directory (tomcat basedir/common/endorsed for 5, tomcat basedir/endorsed for 6 - you'll need to create that directory for 6). These are for the OpenSAML library. They can be copied from saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib after running mvn package. The list of jars you need in the tomcat endorsed directory are: xercesImpl-2.9.1.jar, xalan-2.7.1.jar, serializer-2.9.1.jar, and xml-apis-2.9.1.jar.

Hopefully this will save someone from the frustration I went through.

Ray Easterday said:

The sample app works great, however, I am unable to obtain the meta data .xml from a client. The Assertions will be sent to me, I am not able to reach back to the SAML server. I have been unsuccessful in configuring the sample app to work under these conditions

Justin Lipton said:

I've got the same issue as Ray above and haven't been able to get my head around how to modify Vladimir's great code to handle this situation.

Vladimir Schäfer said:

Hi, could you please elaborate a bit more on the problem? Do I understand correctly that your need is to process arbitrary SAML assertions (created out of standardized SAML profiles like WebSSO) and send new ones with custom content? It would be best if you'd open a new Jira issue at http://jira.springsource.org/browse/SES with requirements and let's continue there. V.

Peter Mularien said:

Are there plans to bring this up to work with Spring Sec 3.0? Thanks! Peter

Vladimir Schäfer said:

Yes, there are plans, hopefully realized early next year. V.

Matt Raible said:

I'm very interested in using SAML with Spring Security in a current project. Is there anything I can do to help upgrade this project to Spring Security 3.0 and get a release out?

Peter Mularien said:

I would be interested in helping as well.

Vladimir Schäfer said:

Please check the https://jira.springsource.org/secure/ReleaseNote.jspa?projectId=10350&version=11432 for all changes done to the original version attached to this issue. The module was migrated to Spring Security 3.0 already last year (revision 65). If you have any improvement ideas please open a new issue in Jira or contact me directly.

Janet Moyer said:

Are there plans to integrate the SAML extension into the base Spring Security?

Bill Siemen said:

I have upgraded this SAML extension from Spring Security 3.0.7 based to 3.1.0 based. But the sample module's index.jsp can't acquire the credential after logged in successfully. The code on index.jsp is:

Line 15: SAMLCredential credential = (SAMLCredential) SecurityContextHolder.getContext().getAuthentication().getCredentials();

The credential is always null.

Any idea?

Vladimir Schäfer said:

For the lastest version of the project please check https://github.com/SpringSource/spring-security-saml
Or directly download master branch with "git clone git://github.com/SpringSource/spring-security-saml.git"

sahil chawla said:

Hi all ,

I am in a great problem . I am able to pass the SAML token to my service provider but the output comes like -

Username: iTXNxpkua+1IM1fWX4xczVzhnUyO
User format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
IDP: http://localhost:8080/openam_953
Assertion issue time: 2012-01-17T15:21:05.000Z

Not able to get the username in the context .
Please help.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment