Generated by GPT-5-mini

| OpenSAML | |
|---|---|
| Name | OpenSAML |
| Developer | Internet2, Shibboleth Consortium |
| Released | 2002 |
| Programming language | Java, C++ |
| Operating system | Cross-platform |
| Genre | Security, XML, SAML |
| License | Apache License 2.0 (current) |
OpenSAML is a software library that implements Security Assertion Markup Language (SAML) standards to enable federated identity, single sign-on, and portable authentication across web applications and services. Originally developed by Internet2 and maintained within the Shibboleth community, OpenSAML provides parsers, builders, and message handlers for SAML protocols and bindings. The library is widely used by academic institutions, government agencies, and commercial identity providers to interoperate with frameworks and services.
OpenSAML traces its roots to work by Internet2 and the Shibboleth project to standardize federated identity for research and education. Early development coincided with the publication of the SAML 1.0 and SAML 2.0 specifications by the OASIS Technical Committee, and contributors included engineers associated with the SAML effort, the Liberty Alliance, MIT, the University of Michigan, and Stanford University. Over time, stewardship shifted among organizations such as the Shibboleth Consortium and community contributors from the University of Pennsylvania, GEANT, TERENA, and various national research and education networks including CANARIE and SURFnet. Major revisions paralleled the release of SAML 2.0, updates to the W3C XML Signature and XML Encryption standards, and broader adoption by projects such as Shibboleth IdP, Shibboleth SP, and SimpleSAMLphp and by commercial vendors including Microsoft, Oracle Corporation, IBM, Ping Identity, Salesforce, Okta, and Google. Licensing transitions moved OpenSAML toward permissive licensing such as the Apache License to facilitate enterprise integration.
OpenSAML's architecture separates protocol, binding, and message model layers that mirror the SAML schemas developed by OASIS. Core components include XML object models, marshalling/unmarshalling engines, message encoding/decoding, and security processing based on the W3C XML Signature and XML Encryption standards. The library integrates with XML parsers such as Apache Xerces and transformer libraries such as Apache Xalan, and relies on cryptographic providers including Bouncy Castle, OpenSSL, and the Java Cryptography Architecture as implemented by Oracle Corporation. Runtime environments include application servers and servlet containers such as Apache Tomcat, Jetty, JBoss, and GlassFish, and integration patterns often involve web servers and proxies such as Apache HTTP Server, nginx, and HAProxy. OpenSAML exposes APIs compatible with web frameworks such as the Spring Framework and Jakarta EE (formerly Java EE), and integrates with identity management systems including Active Directory, FreeIPA, Keycloak, and ForgeRock products.
OpenSAML implements SAML protocol versions and related standards from organizations like OASIS and W3C. Supported features include SAML assertions, SAML protocol messages (AuthnRequest, Response, LogoutRequest), SAML metadata processing, and bindings such as HTTP Redirect, HTTP POST, SOAP, and Artifact. Security capabilities include XML Signature handling, XML Encryption support, and token processing interoperable with WS-Security families and assertions used by SAML 2.0 deployments. The library also supports profiles and interoperability with standards from Liberty Alliance, SCIM integrations in hybrid deployments, and metadata aggregation patterns used by federations such as eduGAIN, InCommon, and national federations including UK Access Management Federation and Australian Access Federation.
OpenSAML is available in multiple language implementations, notably a Java edition and a C++ edition, with community ports and bindings for other environments. Integrations and wrappers exist for ecosystems and projects such as Shibboleth IdP (Java), Shibboleth SP (C++), SimpleSAMLphp (PHP interop), mod_auth_mellon (Apache module), and identity platforms like Keycloak and WSO2 Identity Server. Commercial products from Oracle Corporation, IBM, ForgeRock, Ping Identity, Okta, and Salesforce incorporate or interoperate with OpenSAML-based tooling. Language bindings, adapters, and SDKs link to frameworks including Spring Security, Apache CXF, Axis2, gSOAP, and cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform via federation connectors.
Security in OpenSAML centers on correct processing of XML Signatures and XML Encryption as specified by the W3C, and on authenticated assertion handling as defined by the OASIS SAML profiles. Implementers must mitigate XML-related threats such as XML External Entity (XXE) attacks (mitigated by hardened configuration of parsers such as Apache Xerces), signature wrapping attacks documented in published security advisories and CVE entries, and replay attacks, which are countered by validating timestamps and nonce or message identifier handling. Cryptographic configuration commonly references providers such as Bouncy Castle and OpenSSL and follows guidance from agencies such as NIST on acceptable algorithms and key management. Operational security practices include metadata signing, trust anchor management as used by federations such as InCommon and eduGAIN, rigorous patching in response to disclosures tracked by organizations such as CERT and US-CERT, and threat modeling aligned with ISO/IEC standards.
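As an added illustration (not OpenSAML's own code, which wraps these steps in its parser pool and message handlers), the following plain JAXP snippet shows the two defensive controls the paragraph names for a relying party: a parser hardened against DOCTYPE and external-entity processing, and a Conditions-window plus assertion-ID replay check. The three-minute skew tolerance and the in-memory ID set are assumptions made for the demo.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class SamlAssertionChecks {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final Duration SKEW = Duration.ofMinutes(3); // assumed skew tolerance, not an OpenSAML default
    static final Set<String> seenIds = ConcurrentHashMap.newKeySet(); // hypothetical replay cache of accepted IDs

    // Hardened JAXP parser: namespace-aware, DOCTYPE forbidden, external entities disabled.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newDocumentBuilder();
    }

    // Accept only an assertion inside its Conditions window whose ID has not been seen before.
    static boolean accept(String xml, Instant now) throws Exception {
        Document doc = hardenedParser().parse(new InputSource(new StringReader(xml)));
        Element assertion = doc.getDocumentElement();
        String id = assertion.getAttribute("ID");
        Element cond = (Element) assertion.getElementsByTagNameNS(SAML_NS, "Conditions").item(0);
        if (cond == null || id.isEmpty()) return false;
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        if (now.plus(SKEW).isBefore(notBefore) || !now.minus(SKEW).isBefore(notOnOrAfter)) return false; // outside window
        return seenIds.add(id); // a second presentation of the same ID is a replay and is refused
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion; the ID and times are made up for the demo.
        String a = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_demo1\" Version=\"2.0\">"
            + "<saml:Conditions NotBefore=\"2024-01-01T00:00:00Z\" NotOnOrAfter=\"2024-01-01T00:05:00Z\"/>"
            + "</saml:Assertion>";
        Instant now = Instant.parse("2024-01-01T00:02:00Z");
        System.out.println("first: " + accept(a, now) + ", replayed: " + accept(a, now));
        try { accept("<!DOCTYPE x [<!ENTITY e \"x\">]>" + a, now); }
        catch (Exception e) { System.out.println("DOCTYPE rejected: " + e.getMessage()); }
    }
}
```

In a real deployment the signature over the assertion must be verified before any of these attribute values are trusted, and the replay cache needs an expiry at least as long as the longest NotOnOrAfter window it will see.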
OpenSAML is widely adopted in higher education federations such as InCommon, eduGAIN, UK Access Management Federation, and national federations supporting research collaborations among institutions like MIT, Harvard University, Stanford University, University of Oxford, University of Cambridge, Australian National University, ETH Zurich, Tsinghua University, and University of Tokyo. Use cases include enterprise single sign-on for vendors such as Salesforce and Google Workspace, government identity federation initiatives in jurisdictions working with eIDAS frameworks, cloud federation in Amazon Web Services and Microsoft Azure projects, and service provider integrations for learning platforms like Moodle, Canvas (learning management system), and library access systems at institutions like The British Library and Library of Congress. OpenSAML also underpins access control and attribute exchange in research infrastructures, collaboration portals, and commercial identity providers including Okta, Ping Identity, ForgeRock, and Auth0.