Can I integrate Shibboleth SSO in my Java Webapp without using Apache and shibd?


I'm working on a pure Java web application that uses an embedded Jetty and I want to integrate a Shibboleth login. To do this, I'm following switch.ch's guide for Shibboleth Service Provider Deployment, which states:

The Shibboleth Service Provider consists of a daemon shibd running on all major operating systems and a web server module mod_shib which is natively supported by:

  • Apache web servers (versions 1.3.x, 2.x)
  • IIS (versions 6, 7 and 8)

My question is, is there a way to integrate Shibboleth SSO in my Java web application without using an Apache web server or IIS running shibd? Maybe somebody has done this before and could provide example Servlets/Filters or the like?

I don't want a web server in front of the application just for Shibboleth, because it would complicate the installation. Currently, the installation is just two steps: extract the artefact and run the start script, and I would appreciate it if I could keep it like this.

2

There are 2 answers

0
samottenhoff On

The Shibboleth Service Provider takes care of a lot of complex use cases like key rotation, metadata refreshing, and attribute re-mapping. If you have an incredibly simple use case, where you need to authenticate users from one Shibboleth Identity Provider that rarely changes, you can consider validating the SAML 2.0 assertion in your Java code directly.

If you use spring-security already, you should probably start by looking at the spring-security-saml project:

http://projects.spring.io/spring-security-saml/

Alternatively, you can start with a low-level library like OpenSAML (https://wiki.shibboleth.net/confluence/display/OpenSAML/Home) or you can start with a higher level library like the LastPass Java SAML SDK (https://github.com/lastpass/saml-sdk-java).
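To make concrete what "validating the SAML 2.0 assertion in your Java code directly" involves, here is an added example that is not part of this answer or of any of the libraries it links. It uses the OpenSAML 3.x API (class and method names as I know them from that release; the surrounding build, the IdP signing certificate and the two entityIDs are supplied by the caller and are assumptions). It performs the minimum set of checks a hand-rolled validator must not skip: response status, exactly one signed assertion, issuer, signature profile and signature, validity window, and audience. Replay protection (caching seen assertion IDs), `InResponseTo` matching and encrypted assertions are deliberately left out and called out in comments, which is exactly the kind of work the answer says the Shibboleth SP does for you.

```java
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;

/**
 * Added example (not from the answer or from OpenSAML itself): minimal validation of
 * a SAML 2.0 Response from a single, statically configured IdP.
 * Assumptions: OpenSAML 3.x, the IdP signing certificate is obtained out of band,
 * and the IdP/SP entityIDs are fixed configuration.
 */
public class MinimalSamlAssertionValidator {

    private static final int CLOCK_SKEW_SECONDS = 180;

    static {
        try {
            InitializationService.initialize(); // must run once per JVM
        } catch (Exception e) {
            throw new IllegalStateException("OpenSAML initialization failed", e);
        }
    }

    private final BasicX509Credential idpCredential;
    private final String idpEntityId;
    private final String spEntityId;

    public MinimalSamlAssertionValidator(X509Certificate idpCert, String idpEntityId, String spEntityId) {
        this.idpCredential = new BasicX509Credential(idpCert);
        this.idpEntityId = idpEntityId;
        this.spEntityId = spEntityId;
    }

    /** Returns the NameID of the authenticated subject, or throws if any check fails. */
    public String validate(InputStream samlResponseXml) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        pool.initialize();
        Element root = pool.parse(samlResponseXml).getDocumentElement();
        Unmarshaller um = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root);
        Response response = (Response) um.unmarshall(root);

        // 1. The IdP must report success.
        if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
            throw new SecurityException("SAML status is not Success");
        }
        // 2. Exactly one assertion; encrypted assertions are not handled here.
        List<Assertion> assertions = response.getAssertions();
        if (assertions.size() != 1) {
            throw new SecurityException("Expected exactly one plaintext assertion");
        }
        Assertion assertion = assertions.get(0);
        // 3. Issuer must be the configured IdP.
        if (!idpEntityId.equals(assertion.getIssuer().getValue())) {
            throw new SecurityException("Unexpected issuer " + assertion.getIssuer().getValue());
        }
        // 4. Assertion must be signed; check the profile first, then the signature itself.
        if (!assertion.isSigned()) {
            throw new SecurityException("Assertion is not signed");
        }
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        SignatureValidator.validate(assertion.getSignature(), idpCredential);
        // 5. Validity window with a small clock-skew allowance.
        Conditions cond = assertion.getConditions();
        DateTime now = DateTime.now();
        if (cond == null
                || (cond.getNotBefore() != null && cond.getNotBefore().minusSeconds(CLOCK_SKEW_SECONDS).isAfter(now))
                || (cond.getNotOnOrAfter() != null && cond.getNotOnOrAfter().plusSeconds(CLOCK_SKEW_SECONDS).isBefore(now))) {
            throw new SecurityException("Assertion outside its validity window");
        }
        // 6. Audience must name this SP, or the assertion was meant for someone else.
        boolean audienceOk = false;
        for (AudienceRestriction ar : cond.getAudienceRestrictions()) {
            for (Audience a : ar.getAudiences()) {
                audienceOk |= spEntityId.equals(a.getAudienceURI());
            }
        }
        if (!audienceOk) {
            throw new SecurityException("Assertion not addressed to " + spEntityId);
        }
        // Not done here: replay cache keyed on assertion.getID(), InResponseTo matching,
        // SubjectConfirmationData recipient check. All are required in production.
        return assertion.getSubject().getNameID().getValue();
    }
}
```

Even this "incredibly simple use case" needs six ordered checks, and the moment the IdP rotates its signing key the hard-coded certificate stops working; that is the metadata-refresh and key-rotation machinery the answer refers to.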

4
VGaur On

Putting a Shibboleth SP with a web server in front is the easiest way out. Additionally, you can add a servlet filter and check the headers; if you find all attributes released by the IdP, validate them against your identity store just for assertion.
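The servlet filter this answer describes, as an added example (not the answer's own code and not part of the Shibboleth SP). When the SP sits in a web server that proxies to embedded Jetty, the released attributes typically arrive as HTTP request headers; the header names below (`Shib-Session-ID`, `Shib-Identity-Provider`, `eppn`) are assumptions that must match the SP's attribute-map.xml, and the `IdentityStore` interface is a hypothetical stand-in for an LDAP or database lookup. The important defensive detail is that these headers are only trustworthy if the request really came through the SP: if the Jetty port is reachable directly, any client could send them, so the filter first checks the peer address against the list of trusted proxies.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the answer or the Shibboleth project): a filter that accepts
 * Shibboleth-released attributes only from the SP-fronted web server and then
 * cross-checks the principal against a local identity store.
 */
public class ShibbolethAttributeFilter implements Filter {

    /** Hypothetical identity store; a real one would query LDAP or a database. */
    public interface IdentityStore {
        boolean isKnownPrincipal(String eppn);
    }

    // Assumed header names; they must match the SP's attribute-map.xml.
    static final String SESSION_HEADER = "Shib-Session-ID";
    static final String IDP_HEADER = "Shib-Identity-Provider";
    static final String EPPN_HEADER = "eppn";

    /** Request attribute under which the validated principal is exposed to the app. */
    public static final String PRINCIPAL_ATTRIBUTE = "shib.validated.eppn";

    private final IdentityStore store;
    private final Set<String> trustedProxyAddresses; // web server(s) running mod_shib
    private final Set<String> trustedIdpEntityIds;   // IdPs whose attributes we accept

    public ShibbolethAttributeFilter(IdentityStore store,
                                     Set<String> trustedProxyAddresses,
                                     Set<String> trustedIdpEntityIds) {
        this.store = store;
        this.trustedProxyAddresses = trustedProxyAddresses;
        this.trustedIdpEntityIds = trustedIdpEntityIds;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // 1. Headers are forgeable by anyone who can reach Jetty directly,
        //    so only accept them from the proxy that runs the SP.
        if (!trustedProxyAddresses.contains(req.getRemoteAddr())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "not via SP");
            return;
        }
        // 2. An SP session must exist; without one, nothing was authenticated.
        String session = req.getHeader(SESSION_HEADER);
        if (session == null || session.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no Shibboleth session");
            return;
        }
        // 3. Only attributes asserted by an IdP we have a relationship with count.
        String idp = req.getHeader(IDP_HEADER);
        if (idp == null || !trustedIdpEntityIds.contains(idp)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "untrusted IdP");
            return;
        }
        // 4. The released principal must exist in our own identity store.
        String eppn = req.getHeader(EPPN_HEADER);
        if (eppn == null || eppn.isEmpty() || !store.isKnownPrincipal(eppn)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "unknown principal");
            return;
        }
        // Expose the validated identity to downstream servlets and continue.
        req.setAttribute(PRINCIPAL_ATTRIBUTE, eppn);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Register the filter on the paths that require login (for embedded Jetty, via `ServletContextHandler.addFilter`) and bind the Jetty connector to localhost or a private interface so the proxy-address check is not the only thing standing between a forged header and a logged-in session.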