Java – How to validate WS-Federation SAML tokens with Java Service Provider


I am working on a project that uses WS-Federation and SAML to authenticate to an Identity Provider running on an IIS server running on .NET called thinktecture.

I need to write a Java Service Provider that sends a SAML authentication request to the Identity Provider and gets the SAML response back in my Java web app.

I need to know if there are any good libraries to validate SAML and maybe some direction on setting it up or links to a tutorial on getting started. I have tried spring-security-saml-extensions, but I keep getting errors when I try to put my Identity Provider's metadata link into the config files.

Any help would be greatly appreciated!

Also: it would be great if the solution could be integrated into an existing Java web application!

Some additional info:

Below is the XML I can get from the response returned by the IdP in the SP I am working on. I was under the impression that this was a SAML token.

<trust:RequestSecurityTokenResponseCollection xmlns:trust="">
<trust:RequestSecurityTokenResponse Context="rm=0&amp;id=passive&amp;ru=%2fApplicant%2fMyAccount%2fHome">
        <wsu:Created xmlns:wsu="">2013-04-17T19:37:18.399Z</wsu:Created>
        <wsu:Expires xmlns:wsu="">2013-04-17T20:07:18.399Z</wsu:Expires>
    <wsp:AppliesTo xmlns:wsp="">
        <wsa:EndpointReference xmlns:wsa="">
            <wsa:Address>https://[SP Server]/</wsa:Address>
        <Assertion ID="_b4c87094-9557-419f-92fd-714a2b9cd8af" IssueInstant="2013-04-17T19:37:18.399Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://[IDP Server]/trust/idp</Issuer>
            <Signature xmlns="">
                    <CanonicalizationMethod Algorithm="" />
                    <SignatureMethod Algorithm="" />
                    <Reference URI="#_b4c87094-9557-419f-92fd-714a2b9cd8af">
                            <Transform Algorithm="" />
                            <Transform Algorithm="" />
                        <DigestMethod Algorithm="" />
                <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
            <Conditions NotBefore="2013-04-17T19:37:18.399Z" NotOnOrAfter="2013-04-17T20:07:18.399Z">
                    <Audience>https://[SP Server]</Audience>
                <!-- Data from my database-->
            <AuthnStatement AuthnInstant="2013-04-17T19:37:18.337Z">
        <SecurityTokenReference d4p1:TokenType="" xmlns:d4p1="" xmlns="">
            <KeyIdentifier ValueType="">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
        <SecurityTokenReference d4p1:TokenType="" xmlns:d4p1="" xmlns="">
            <KeyIdentifier ValueType="">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>

Best Answer

I found a great library on GitHub that both handles validation of the SAML token and, if you are feeling adventurous, is a good tutorial on how to use OpenSAML. The library is called Auth10-Java and it does a great job of breaking down SAML token validation. FYI, it also handles the WS-Federation protocol.

import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
// Package names assumed from the auth10-java library
import com.auth10.federation.Claim;
import com.auth10.federation.FederationException;
import com.auth10.federation.SamlTokenValidator;

public List<Claim> validateAuthenticationResponse(String yourToken)
        throws FederationException, URISyntaxException {
    SamlTokenValidator validator = new SamlTokenValidator();

    // Thumbprint of the signing certificate of the IdP that issued the token
    validator.setThumbprint("thumbprint from the thinktecture idp server or what ever idp you are using");

    // The token's <Audience> must match one of these URIs (your SP's realm)
    validator.getAudienceUris().add(new URI("http://localhost:8080/javafederationtest"));

    //validator.setValidateExpiration(false); //This can be used to stop validation of the expiration fields in the token.

    List<Claim> claims = validator.validate(yourToken); //A FederationException is thrown if the token is invalid

    System.out.println(claims.toString()); //This will show the claims asserted by the token!

    return claims;
}

This worked great for me and, better yet, I am learning heaps about SAML and OpenSAML from this library! Just be sure to include all dependencies in your project's build path!
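As an added example (not code from the answer or from the auth10-java library), here is what the validity-window and audience checks behind setValidateExpiration and getAudienceUris amount to, run over a constructed RSTR shaped like the one in the question. It assumes the standard WS-Trust 1.3 namespace, placeholder hosts (idp.example, sp.example), and that the assertion's XML signature has already been verified against the IdP thumbprint before these checks are applied.

```java
import java.io.StringReader;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AssertionConditionsCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample modelled on the RSTR in the question, assertion shown unsigned:
    // the signature must be verified against the IdP thumbprint before these checks run.
    static final String TOKEN =
        "<trust:RequestSecurityTokenResponseCollection xmlns:trust=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
      + "<trust:RequestSecurityTokenResponse><Assertion ID=\"_1\" Version=\"2.0\" xmlns=\"" + SAML_NS + "\">"
      + "<Issuer>http://idp.example/trust/idp</Issuer>"
      + "<Conditions NotBefore=\"2013-04-17T19:37:18.399Z\" NotOnOrAfter=\"2013-04-17T20:07:18.399Z\">"
      + "<AudienceRestriction><Audience>https://sp.example</Audience></AudienceRestriction></Conditions>"
      + "</Assertion></trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection>";
    // Parse with DTDs disabled (blocks XXE) and return the single SAML 2.0 Assertion.
    static Element parseAssertion(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList found = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                          .getElementsByTagNameNS(SAML_NS, "Assertion");
        if (found.getLength() != 1) throw new SecurityException("expected exactly one Assertion");
        return (Element) found.item(0);
    }
    // Validity window (with clock skew) and audience check: the work behind
    // setValidateExpiration and getAudienceUris in the answer above.
    static boolean conditionsValid(Element assertion, String expectedAudience, Instant now, long skewSeconds) {
        NodeList conds = assertion.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() != 1) return false;                                // missing or duplicated
        Element c = (Element) conds.item(0);
        if (now.plusSeconds(skewSeconds).isBefore(Instant.parse(c.getAttribute("NotBefore")))) return false;
        if (!now.minusSeconds(skewSeconds).isBefore(Instant.parse(c.getAttribute("NotOnOrAfter")))) return false;
        NodeList audiences = c.getElementsByTagNameNS(SAML_NS, "Audience");
        for (int i = 0; i < audiences.getLength(); i++)
            if (expectedAudience.equals(audiences.item(i).getTextContent().trim())) return true;
        return false;                                                            // not issued for this SP
    }
    public static void main(String[] args) throws Exception {
        Element a = parseAssertion(TOKEN);
        System.out.println(conditionsValid(a, "https://sp.example", Instant.parse("2013-04-17T19:50:00Z"), 300));
        System.out.println(conditionsValid(a, "https://other.example", Instant.parse("2013-04-17T21:00:00Z"), 300));
    }
}
```

The first call is inside the window with the right audience; the second fails on both the expired NotOnOrAfter and the audience mismatch, which is the situation a token replayed at a different SP would produce.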