How do I talk to ADFS from Java?

casolorz · Jan 30, 2015 · Viewed 23.8k times

We have a website running on Caucho Resin. It's written primarily in Java using JSP. We have our own custom authentication on the site. (We're not using any third party authentication frameworks.) We would now like to support federation using SAML. Primarily, the IdPs will be running ADFS, but my question is about SAML. In particular, how do I federate with the upstream IdPs from our Java app either using OpenSAML, Shibboleth or some other Java-compatible option?

EDIT: Another option would be OAuth. Pros? Cons?

Answer

Vladimír Schäfer · Jan 31, 2015

Your application needs to act as a SAML SP, either directly (from your code), or indirectly (e.g. through SAML SP support on reverse proxy, application server, ...).

For direct options (which require more modifications to your application) you can:

  • code the SAML SP yourself (most likely with OpenSAML, you can find examples in sources of existing products)
  • use a ready-made product to integrate into your application, such as Spring SAML or OpenAM Fedlet

For indirect options (which require fewer modifications to your application) you can:

  • use Shibboleth SAML SP plugins on your Apache reverse proxy (if you use one)
  • deploy SAML SP as another application on your container (e.g. Spring SAML or OpenAM) and make it communicate with your application - so SAML SP performs authentication with ADFS and communicates this to your application e.g. through a shared cookie, or a custom token

You can find more comparison details and considerations in this thread.

ADFS 3 should have support for OAuth Authorization Server and it might well be an easier way to integrate, see here and here. Implementing authentication using OAuth is generally significantly easier than SAML, with no relevant disadvantages.
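As an added example (not code from the question or answer, and not taken from any of the products named), here is one way the "custom token" hand-off in the indirect option could look in Java: the SAML SP component issues a short-lived HMAC-signed token after it has validated the ADFS assertion, and the application verifies it before trusting the subject. The token format, the shared key and the class name are assumptions made for this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical hand-off token (an assumption for this example, not a format the page defines):
//   base64url("subject|issuedAtEpochSeconds|audience") + "." + base64url(HMAC-SHA256(key, payloadB64))
public final class HandoffToken {
    private static final String ALG = "HmacSHA256";
    private static final long MAX_AGE_SECONDS = 300;   // short lifetime keeps the replay window small
    private static final long CLOCK_SKEW_SECONDS = 60;

    // Issued by the SAML SP component once it has validated the assertion from ADFS.
    public static String issue(byte[] key, String subject, String audience, long now) throws Exception {
        if (subject.contains("|") || audience.contains("|")) {
            throw new IllegalArgumentException("field separator not allowed inside a field");
        }
        String payload = b64((subject + "|" + now + "|" + audience).getBytes(StandardCharsets.UTF_8));
        return payload + "." + b64(hmac(key, payload));
    }

    // Checked by the application; returns the authenticated subject, or null if the token is rejected.
    public static String verify(byte[] key, String token, String expectedAudience, long now) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison; a plain Arrays.equals() would leak timing information.
        if (!MessageDigest.isEqual(hmac(key, payload), given)) return null;
        String[] f = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3 || !expectedAudience.equals(f[2])) return null;   // minted for another application
        long issuedAt;
        try { issuedAt = Long.parseLong(f[1]); } catch (NumberFormatException e) { return null; }
        if (issuedAt > now + CLOCK_SKEW_SECONDS || now - issuedAt > MAX_AGE_SECONDS) return null;   // stale
        return f[0];
    }

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
```

The application calls `verify` with the same key the SP used for `issue`; a token that fails the MAC, names a different audience or is older than five minutes yields null and must not create a session. A production hand-off would also mark each token as used once (or bind it to the SP's session) so a captured token cannot be replayed inside the lifetime window.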