Java Service Provider
The current SP implementation consists of (a) a set of plugins to a standard web server and (b) a separate task. The web server provides a standard set of hooks for external authN and authZ functionality; the web server environment also provides a standard interface for passing information (e.g. attribute values) between the web server and an application. The same model could apply equally to Java, or a more native approach could be taken; more likely, a hybrid approach would be sensible. We are seeking use cases that describe specifically how a Java SP implementation should integrate into the container and servlet environment.
- Should the SP be a filter?
- Should any of it run in a separate context?
- Should it integrate well with Spring? To what extent should the servlet/application be aware of the presence of the SP?
- Is anything viable without losing vendor support in the case of packaged applications?
There are existing open source Java-based SAML SP implementations:
- OpenSSO from Sun Microsystems
- a toolkit from the Danish Government, based on OpenSAML, which implements a Java SP as a filter
- Enterprise Sign On Engine (ESOE)
Are these existing options sufficient? If not, we need to identify how we would distinguish our work from them to provide added value.