GateIn 3.3 is on the way, and one of the new features in this release is support for SAML2. SAML authentication is implemented in the GateIn SSO component as another provider alongside the existing ones: CAS, JOSSO, OpenSSO, OpenAM and SPNEGO. We support the most widely used SAML2 profiles: the Web Browser SSO profile (SSO authentication itself) and the Single Logout profile (global logout from all web applications where the user is currently logged in).


SAML2 authentication is established by exchanging encoded XML messages between two web applications, the SAML Identity Provider (IDP) and the SAML Service Provider (SP). The SP is the application the user wants to use. The user does not provide his credentials directly to the SP, but to the IDP. The IDP is thus the web application where the user authenticates with his credentials, and it can then send tickets (SAML assertions) to SP applications. The user is then automatically logged into the SP thanks to the SAML ticket received from the IDP.
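
To make the exchange concrete, here is an added example (not GateIn or Picketlink code) of the checks an SP applies to a base64-encoded SAML response before logging the user in. The entity IDs, user name and timestamps are constructed, and XML signature verification, which a real SP must perform first, is outside this sketch.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample message: every value below is made up for illustration.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2012-05-01T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/idp/</saml:Issuer>
    <saml:Subject><saml:NameID>root</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-05-01T09:59:00Z" NotOnOrAfter="2012-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/portal/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(b64_message, expected_issuer, sp_entity_id, now):
    """Return (user, problems); user is None unless every check passes."""
    # Untrusted XML: a production SP should use a hardened parser here.
    root = ET.fromstring(base64.b64decode(b64_message))
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no assertion"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != expected_issuer:
        problems.append("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, problems + ["no conditions"]
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("audience mismatch")
    # Stricter than the spec: both bounds of the validity window are required.
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or not noa or not (_ts(nb) <= now < _ts(noa)):
        problems.append("outside validity window")
    user = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    return (user if not problems else None), problems
```

An assertion issued for a different SP, or replayed after its `NotOnOrAfter` time, is rejected even though it is well-formed XML from the expected IDP.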


The SSO component supports GateIn in the role of SP, where the user is automatically logged into the GateIn portal using a SAML assertion received from a different IDP application. This flow is described in the specification here. We also support the scenario with GateIn in the role of IDP, so the user can log in to his portal in the usual way and the portal will then send assertions to other web applications that are configured as SPs.


The integration is available from SSO version 1.1.2-Beta02, which has already been released. It will be described in detail in the GateIn reference guide from GateIn 3.3. But if you are impatient, you can try it right now! You will need to build the current documentation from GateIn trunk and choose one of the prescribed scenarios in the SAML section, where you will find all the details.


The GateIn SSO component internally uses the Picketlink Federation library. Picketlink is one of the awesome JBoss projects. In GateIn, we already use Picketlink IDM for identity management, so now we also leverage Picketlink Federation. Picketlink Federation implements the SAML2 specification, and additionally it implements the WS-Trust specification and provides an STS implementation called Picketlink STS. Thanks to it, the user will be able to use his SAML assertions in portlets to invoke secured services like EJB or WS. We also plan to look at integration with the WSRP WSS provided in GateIn. So stay tuned!