Enabling SAML2 Federation For Existing Java Web Application


How to enable SAML2 federation on existing java web application?

There are many scenarios where in-house applications are developed and have their own authentication mechanism. To enable Single Sign On using SAML2 federation on this kind of application, it needs additional code and configuration. This can be achieved in many ways writing java code, some of them are listed below.

1. Servlet filter
2. New authentication endpoint using REST endpoint or servlet

Servlet filter Approach:

Create servlet filter and map for all the requests with wildcard parameter in web.xml. Servlet filter has to validate session for authentication if the session is un-authenticated it has to redirect IDP with SAML2 Request. When IDP sends saml response it has to intercept the request and do saml2 validation. On successful validation of saml2 assertion, parse assertion and read name identifier or saml2 attribute and create an authenticated session at the web application and redirect to target.

Servlet Approach:

Create Servlet and deploy to the web application. Create servlet mapping with a proper endpoint. When a un-authenticated session is identified redirect to this created servlet and complete the federation as similar to servlet filter explained above.


Code Sample:


Download saml service provider sdk Sample eclipse java project which uses coveo saml2-client project. Explore SAMLSP.java for more information.

Copy IDP metadata to resource directory or edit IDP_metadata.xml in resource folder with your IDP information.

In this example servlet, Service Provider assertion consumer endpoint is http(s)://<>/saml2sp/saml2/sp

Service provider entity ID: SAML2_SP_SDK

Finish the Service Provider configuration NetIQ Access Manager with manual entries for SP metadata as shown below:


How To-Best Practice
Support Tip
Comment List