This last year I’ve done more SAML than any man should. I’ve had a couple of clients doing federated identity and single sign-on stuff, and SAML is all the rage (actually, I’ve found it pretty great to work with once I got my head around XML C14N).
SAML 2.0 is new and shiny and vendors are still scrambling to build libraries to handle it, so to test interop, I built a little test harness. Originally it just used strings for the messages, but some of the messages are so verbose (with just the odd timestamp or URL insertion here or there), it was time to make the switch to a templating language before escaping quote characters inside strings drove me crazy.
I’ve been meaning to play with Freemarker for a while, but I finally had a good excuse. I’ve tinkered with Velocity before, so the paradigm was familiar, but one thing I really like about Freemarker is how it can handle its context being a plain vanilla java.util.Map. It also crashes and burns if you don’t provide a value for one of the merge strings in the template (which for me is a good thing, though in the web context it might not be so sweet).
For doing the actual message signing, you can’t go past Apache XML Security. I’ve raved about it before, but it is just sensational. Spec complete, and very easy to work with.
So my little test harness scoops up one of my canned templates, merges in some timestamps and URLs, outputs it all as a string, sends it to XML Security for the signatures, then ships it off to the big hairy vendor for validation. It also slurps in responses from the other end, validates the signature, and gives you feelgood output.
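Here is that round trip in code: a FreeMarker template merged from a plain java.util.Map (including the fail-fast behaviour on a missing value), the merged string signed with Apache XML Security, and the signature on the way back checked against a key we already trust. This is an added example, not the author's harness, and it assumes FreeMarker 2.3.x and Apache Santuario (org.apache.xml.security) on the classpath; the AuthnRequest template, the URLs, and the throwaway RSA key pair are constructed stand-ins for the real credentials and endpoints.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;
import freemarker.cache.StringTemplateLoader;
import freemarker.template.*;
import org.apache.xml.security.Init;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;

/** Template -> merge -> sign -> verify round trip (example code, not the post's own harness). */
public class SamlHarness {

    // Constructed sample: a minimal AuthnRequest; every per-run value is a FreeMarker interpolation.
    static final String AUTHN_REQUEST =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\""
      + " Destination=\"${destination}\" AssertionConsumerServiceURL=\"${acsUrl}\">"
      + "<saml:Issuer>${issuer}</saml:Issuer></samlp:AuthnRequest>";

    /** Merge with a plain Map as the context; an unset ${...} makes process() throw. */
    static String merge(String templateText, Map<String, Object> model) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setDefaultEncoding("UTF-8");
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("msg", templateText);
        cfg.setTemplateLoader(loader);
        StringWriter out = new StringWriter();
        cfg.getTemplate("msg").process(model, out);  // InvalidReferenceException on a missing key
        return out.toString();
    }

    /** Namespace-aware, DTD-free parse; mark ID as an XML ID so "#..." references resolve. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        doc.getDocumentElement().setIdAttribute("ID", true);
        return doc;
    }

    /** Enveloped signature over the root element: exclusive C14N, RSA-SHA256, SHA-256 digest. */
    static String sign(String xml, KeyPair kp) throws Exception {
        Document doc = parse(xml);
        Element root = doc.getDocumentElement();
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                                            Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        root.appendChild(sig.getElement());
        Transforms tr = new Transforms(doc);
        tr.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        tr.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#" + root.getAttribute("ID"), tr, Constants.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(kp.getPublic());
        sig.sign(kp.getPrivate());
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** Verify against a key we already trust (never the KeyInfo the peer sent) and insist that the
     *  single Reference points at the root element we are about to act on. */
    static boolean verify(String xml, PublicKey trusted) throws Exception {
        Document doc = parse(xml);
        Element root = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != root) return false;
        XMLSignature sig = new XMLSignature((Element) sigs.item(0), "");
        if (sig.getSignedInfo().getLength() != 1) return false;
        if (!("#" + root.getAttribute("ID")).equals(sig.getSignedInfo().item(0).getURI())) return false;
        return sig.checkSignatureValue(trusted);
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();  // throwaway key standing in for the real credentials

        Map<String, Object> model = new HashMap<>();  // constructed values
        model.put("id", "_" + UUID.randomUUID());
        model.put("issueInstant", java.time.Instant.now().toString());
        model.put("destination", "https://idp.example.test/sso");
        model.put("acsUrl", "https://sp.example.test/acs");
        model.put("issuer", "https://sp.example.test");

        String signed = sign(merge(AUTHN_REQUEST, model), kp);
        System.out.println("signature valid: " + verify(signed, kp.getPublic()));

        String tampered = signed.replace("sp.example.test/acs", "evil.example.test/acs");
        System.out.println("tampered valid: " + verify(tampered, kp.getPublic()));

        model.remove("issuer");  // the fail-fast behaviour the post likes
        try { merge(AUTHN_REQUEST, model); } catch (TemplateException e) {
            System.out.println("merge refused: " + e.getMessage().split("\n")[0]);
        }
    }
}
```

Two choices in verify() are deliberate. The key comes from configuration, not from the KeyInfo in the message, because a peer can put any key it likes in there. And the Reference URI is checked against the ID of the element actually being consumed, with exactly one Signature as a direct child of it, so a valid signature over some other element in the document is not mistaken for a signature over this one.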
In the end I’ve got a pretty cool little interop app with which I can validate a good subset of SAML 2.0 against the big iron. On the very cheap…
Great work Freemarker and XML Security dudes. Your libraries are awesome!