OpenSAML is a set of open source Java libraries used in support of the Shibboleth Project's implementation of the Security Assertion Markup Language (SAML). It is licensed under the Apache 2.0 license.
OpenSAML 4, the current Java library version, is based on Java 11, and supports SAML 1.0, 1.1, and 2.0. Additionally, various development groups have found the framework created to support OpenSAML useful for their own work and the Java codebase includes some code supporting WS-Addressing, WS-Security, WS-Trust and XACML.
The previous major version based on Java 8 is now End of Life and no longer supported.
The OpenSAML libraries do not provide a complete SAML identity or service provider. If you are looking for such software you should check out the Shibboleth project instead. Also, these libraries will not teach you any of the specifications listed above. The libraries are meant solely to support individuals who have taken the time to read and understand the specifications and are not in general a good solution for those looking for a quick way to implement SAML.
It is very dangerous to attempt to use parts of the library in isolation without making use of all of its relevant components. In particular, implementing your own XML processing code, using XML parsing classes other than the ParserPool components provided by the library, using your own security processing code, omitting proper support for SAML metadata, etc. are all risky choices that may lead to security flaws and incomplete, unsafe, and ill-advised SAML solutions. The Shibboleth Project discourages such approaches in the strongest possible terms. Use all of it that applies to the task at hand, or use none of it.
We do not have significant documentation for this version of the library. Some of the concepts and examples in the (now quite old) OpenSAML 2 Java documentation can be applied, with varying degrees of change, to this version (and that documentation is itself not the best). But you should recognize the inherent risk of relying on this library and you should not expect substantial improvement in this area.
As a general rule, we do not encourage independent use of this code outside of the Shibboleth Project due to the complexity, the lack of documentation, and the serious risks associated with implementing security software without the necessary supporting materials. Nevertheless, the code is open source and there are no formal barriers to doing so.
The current stable release of the Java library is the latest version available from our Nexus repository. In the very rare event that a previous stable release is designated, it will be noted here, but in most cases you can assume that all prior releases are unsupported. Support in this case is primarily about security updates, not support in a more formal sense.
Projects Using OpenSAML
The following projects are those that we know to be using OpenSAML. There are probably others out there floating around; if you have such a project, you can contact us and we'll add it to the list. We do not endorse any of these projects (save for the first ).
- Shibboleth - Shibboleth provides cross-domain single sign-on and attribute-based authorization for browser users. Using the OpenSAML toolkit, Shibboleth implements the SAML SSO and other profiles for identity and service providers.
- Globus Toolkit - The Globus Toolkit (GT) is an open source software toolkit used for building grids. The CAS component of GT issues assertions containing
AuthorizationDecisionStatement elements. Other GT components (in particular, MyProxy and GridShib) are being fitted with SAML interfaces using OpenSAML.
- gLite - gLite provides a framework for building grid applications tapping into the power of distributed computing and storage resources across the Internet.
- VO Privilege Project
- Clarity Security's SSO Toolkit
- Apache WSS4J - open source web service security kit used by the Apache CXF web service framework. WSS4J uses OpenSAML to generate SAML1 and SAML2 assertions as well as parse, sign and validate SAML tokens.
- Apache Rampart
- openLiberty Wakame - Wakame is an open source java implementation of ID-WSF 2.0 and relies heavily on java-xmltooling, java-opensaml2, and java-openws libraries for modeling, marshalling, and unmarshalling xml objects.
- SuisseID - SuisseID aims to provide a digital identity and qualified digital signature in Switzerland. The user attributes are provided by the Claim Assertion Infrastructure (CAI). The OpenSAML library is used in the SuisseID SDK/Java to integrate applications with the infrastructure.
- Spring Security Service Provider - Allows integration of OpenSAML with Spring Security's authentication API
The following organizations have provided substantial resources to the development of OpenSAML over the years.
- The Ohio State University
- Georgetown University
- NSF Middleware Initiative