1 vote

Has anyone had any experience creating a JAAS LoginModule that uses SAML to authenticate and authorize a user? As I understand JAAS, this would likely require a custom CallbackHandler that understands and can parse a SAML message.

In my case, the authorization is defined as a set of roles in a database, much like your typical Database Login Module. There are, however, no passwords stored in this system. Instead, users are authenticated on another site and a SAML exchange is used to pass that authentication event to our system.

My hope is to enable our application code to not have to deal with SAML directly and to be able to leverage standard JAAS techniques for managing permissions/roles/etc.

An example would be most welcome, but any links you may have found would also be wonderful.

1
@Java Drinker, thanks for the link. I had read that article before and didn't get much from it. My hope was that this was something that someone had already solved and published as Open Source. Everything I do find is too conceptual. - ra9r
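As an added illustration of the shape the question describes (not code from the asker or from any published project), the following sketch is a JAAS LoginModule that receives a SAML assertion through a custom Callback, validates it before trusting anything in it, and then populates the Subject with a user principal plus role principals read from the application's database. The `SamlAssertionCallback`, `AssertionValidator`, `RoleRepository` and the `expectedIssuer` / `expectedAudience` option keys are assumptions introduced here; in a real deployment the validator would be backed by a SAML library such as OpenSAML, which performs the XML signature check against the IdP's certificate.

```java
import java.io.IOException;
import java.security.Principal;
import java.time.Instant;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Example JAAS LoginModule that authenticates from a SAML assertion instead of a password. */
public class SamlLoginModule implements LoginModule {

    /** Assumed custom Callback: the application hands the raw assertion XML to the module through it. */
    public static final class SamlAssertionCallback implements Callback {
        private String assertionXml;
        public void setAssertionXml(String xml) { this.assertionXml = xml; }
        public String getAssertionXml() { return assertionXml; }
    }

    /** The fields the module needs once the assertion has been parsed and its signature verified. */
    public static final class ValidatedAssertion {
        public final String nameId, issuer, audience;
        public final Instant notOnOrAfter;
        public ValidatedAssertion(String nameId, String issuer, String audience, Instant notOnOrAfter) {
            this.nameId = nameId; this.issuer = issuer; this.audience = audience; this.notOnOrAfter = notOnOrAfter;
        }
    }

    /** Assumed hook (e.g. backed by OpenSAML): verifies the XML signature against the trusted IdP
     *  certificate and parses the assertion. It must throw, not return, on any failure. */
    public interface AssertionValidator { ValidatedAssertion validate(String assertionXml) throws LoginException; }

    /** Assumed hook: reads roles from the application database, which stores no passwords. */
    public interface RoleRepository { Set<String> rolesFor(String nameId); }

    /** Principal used for both the user identity ("user") and each role ("role"). */
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        public NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        public String getKind() { return kind; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && kind.equals(((NamedPrincipal) o).kind) && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return Objects.hash(kind, name); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private ValidatedAssertion validated;
    private final Set<Principal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    /** Phase 1: obtain the assertion, verify it, and enforce issuer, audience and validity window. */
    @Override
    public boolean login() throws LoginException {
        // Assumption: collaborators and expected values are supplied through the JAAS options map.
        AssertionValidator validator = (AssertionValidator) options.get("assertionValidator");
        String expectedIssuer = (String) options.get("expectedIssuer");
        String expectedAudience = (String) options.get("expectedAudience");
        if (handler == null || validator == null || expectedIssuer == null || expectedAudience == null)
            throw new LoginException("SamlLoginModule is not fully configured");

        SamlAssertionCallback cb = new SamlAssertionCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot obtain SAML assertion: " + e); }
        if (cb.getAssertionXml() == null) throw new FailedLoginException("no SAML assertion supplied");

        ValidatedAssertion va = validator.validate(cb.getAssertionXml()); // signature + structure checked here
        if (!expectedIssuer.equals(va.issuer)) throw new FailedLoginException("assertion from untrusted issuer");
        if (!expectedAudience.equals(va.audience)) throw new FailedLoginException("assertion not addressed to this service");
        if (!Instant.now().isBefore(va.notOnOrAfter)) throw new FailedLoginException("assertion has expired");
        validated = va;
        return true;
    }

    /** Phase 2: only after every module in the stack succeeded, attach identity and roles to the Subject. */
    @Override
    public boolean commit() throws LoginException {
        if (validated == null) return false;
        RoleRepository roles = (RoleRepository) options.get("roleRepository");
        if (roles == null) throw new LoginException("roleRepository option missing");
        added.add(new NamedPrincipal("user", validated.nameId));
        for (String role : roles.rolesFor(validated.nameId)) added.add(new NamedPrincipal("role", role));
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { validated = null; added.clear(); return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear(); validated = null;
        return true;
    }
}
```

Two points a practitioner would check before using this pattern: the module never reads a NameID or attribute from the assertion until the validator has confirmed the signature, so a forged or tampered assertion fails in `login()` rather than becoming a Subject; and a production module should also record assertion IDs it has accepted (within the NotOnOrAfter window) so that a captured assertion cannot be replayed, which this sketch does not implement. Application code then uses ordinary JAAS checks on the Subject's `NamedPrincipal`s of kind "role" and never touches SAML itself.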

1 Answer

2
votes

The main issue you'll run into is that there is no standard way to send the user's credentials to the IdP. In the SAML Web SSO flow you have the browser, so the IdP can just put up a page asking for the credentials. The ECP flow, which does not assume a browser, does not provide a standard way for delivering the credentials. HTTP BASIC auth? WS-Security? Something else?

So, before you go further you'll need to know which SAML profiles the IdPs support and, if ECP is supported, which mechanisms are available for accepting the user's credentials.