Java Service Provider

The current SP implementation is a) a set of plugins to a standard webserver, and b) a separate task. The web server provides a standard set of hooks for external authN and authZ functionality; the web server environment also provides a standard interface for passing information (eg attribute values) between the web server and an application. This could apply equally to Java, or a more native approach could be taken. More likely a hybrid approach would be sensible. We are seeking use cases that describe specifically how a java SP implementation should integrate into the container and servlet environment.

• Should the SP be a filter?
• Should any of it run in a separate context?
• Should it integrate well with Spring? To what extent should the servlet/application be aware of the presence of the SP?
• Is anything viable without losing vendor support in the case of packaged applications?

There are existing open source java-based SAML SP implementations:

• OpenSSO from Sun Microsystems
• a toolkit from the Danish Government, based on OpenSAML, which implements a java SP as a filter
• Enterprise Sign On Engine (ESOE)

Are these existing options sufficient? If not, we need to identify how we would distinguish our work from them to provide added value.