A simple SAML application built with opensaml and pac4j to understand the SAML webflow.

An example SAML authentication webflow:

There are three parties involved in the authentication: the user's browser, the Service Provider (SP) - saml-example in this example, and the Identity Provider (IDP). The IDP can be any SAML 2.0 identity provider.

The negotiation looks like this:

First, note that the SP and IDP never directly interact. All the requests go from browser to SP or browser to IDP.

Request 1 is to a secure resource on the SP. The SP doesn't have an authenticated session for the browser, so it returns a special "SAML Login 1" response. This is generated by pac4j and opensaml in saml-example. The response is a form that auto-submits itself (request 2) to the IDP. The form includes a SAMLRequest parameter that encodes it's identity.

The IDP determines the user is not yet authenticated, and presents a login form where the user enters their IDP creds (requests 3 and 4).

The response to the successful login is another auto-submitting form, this time with a SAMLResponse parameter. This is auto-sumbitted to the SP callback URL.

When the form is submitted the SP decodes the SAMLResponse and gets the user credentials and profile. Done!

Create a java keystore and create a key pair with alias saml in the current directory.

keytool -genkey -keyalg RSA -alias saml -keypass changeit -keystore trust.keystore -storepass changeit

Copy the IDP metadata XML document to src/main/resources/idp-metadata.xml. Build, run and browse to localhost:8080.