How To Integrate OIOSAML.JAVA with your Tomcat J2EE Application

Here are some step-by-step instructions on how to integrate OIOSAML.JAVA with your Java application so that authentication can be performed via a Shibboleth 2 IdP. This integration assumes that your Java application is being deployed to an Apache Tomcat server, that you are familiar with Shibboleth IdPs and SPs, and that you have access to the IdP information you will need.

  1. Download the current OIOSAML.JAVA SP from here.
  2. Unzip the archive into an oiosaml.java temporary directory.
  3. Copy the endorsed libs from the <oiosaml.java temporary directory>/endorsed directory to the <Tomcat Server>/common/endorsed directory.
  4. Copy the <oiosaml.java temporary directory>/oiosaml.java.jar file to your application's WEB-INF/lib directory.
  5. Copy the <oiosaml.java temporary directory>/lib/ files to your application's WEB-INF/lib directory.
     NOTE: Your application might already contain duplicates of some of these files, such as the Apache Commons libraries. You will have to work out which version of each library is the newest and keep only that one.
  6. Insert the following lines into your web.xml configuration file. The context parameter points OIOSAML.JAVA at its home directory, the dispatcher servlet handles the SAML endpoints under /saml/*, and the filter protects everything under /protected/* (note that the context-param element must be a normal open/close pair, not a self-closing tag, or the two nested parameters are invalid):

<context-param>
	<param-name>oiosaml-j.home</param-name>
	<param-value>/path/to/oiosaml.home</param-value>
</context-param>

<servlet>
	<servlet-name>SAMLDispatcherServlet</servlet-name>
	<servlet-class>dk.itst.oiosaml.sp.service.DispatcherServlet</servlet-class>
</servlet>

<servlet-mapping>
	<servlet-name>SAMLDispatcherServlet</servlet-name>
	<url-pattern>/saml/*</url-pattern>
</servlet-mapping>

<filter>
	<filter-name>LoginFilter</filter-name>
	<filter-class>dk.itst.oiosaml.sp.service.SPFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>LoginFilter</filter-name>
	<url-pattern>/protected/*</url-pattern>
</filter-mapping>
  7. Now package your application as a WAR and deploy it locally, so that you can use the automatic configuration utility to create the necessary certificate and configuration information.

After you have successfully deployed your application, you can use the OIOSAML.JAVA configuration utility to set up the Service Provider to work with your IdP. It is reached at the following URL: http://localhost/deployedapplication/saml/configure. From this screen you can do the initial setup of the SP against your IdP. The main thing you need is your IdP's metadata XML file. An example of what one could look like is shown below.

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://shibboleth.test.idp/idp"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">unc.edu</shibmd:Scope>
        </Extensions>

        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                                   Location="https://shibboleth.test.idp/idp/profile/SAML1/SOAP/ArtifactResolution"
                                   index="1"/>

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                   Location="https://shibboleth.test.idp/idp/profile/SAML2/SOAP/ArtifactResolution"
                                   index="2"/>

        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                             Location="https://shibboleth.test.idp/idp/profile/Shibboleth/SSO" />


        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://shibboleth.test.idp/idp/profile/SAML2/POST/SSO" />

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                             Location="https://shibboleth.test.idp/idp/profile/SAML2/POST-SimpleSign/SSO" />

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://shibboleth.test.idp/idp/profile/SAML2/Redirect/SSO" />
    </IDPSSODescriptor>

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">unc.edu</shibmd:Scope>
        </Extensions>

        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>

                    <ds:X509Certificate>
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>

        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                          Location="https://shibboleth.test.idp/idp/profile/SAML1/SOAP/AttributeQuery" />

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                          Location="https://shibboleth.test.idp/idp/profile/SAML2/SOAP/AttributeQuery" />

        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    </AttributeAuthorityDescriptor>

</EntityDescriptor>
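Before handing IdP metadata like the above to the configure utility, it is worth checking that it actually describes an IdP, exposes the SAML 2.0 SSO bindings the SP will use, serves them over TLS, and carries a decodable signing certificate. The following is an added example written for this post, not code from OIOSAML.JAVA or from the original article; the sample metadata and the stand-in certificate are constructed, and the endpoint URLs copy the test IdP above.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2_SSO = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
             "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect"}

def check_idp_metadata(xml_text):
    """Return (summary, problems): SAML 2.0 SSO endpoints plus findings to fix first."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        return {}, ["not an md:EntityDescriptor containing an IDPSSODescriptor"]
    problems, sso = [], {}
    for svc in idp.findall(MD + "SingleSignOnService"):
        binding, location = svc.get("Binding"), svc.get("Location", "")
        if binding in SAML2_SSO:           # the bindings OIOSAML.JAVA will use
            sso[SAML2_SSO[binding]] = location
        if not location.startswith("https://"):
            problems.append("SSO endpoint not over TLS: " + location)
    if not sso:
        problems.append("no SAML 2.0 HTTP-POST or HTTP-Redirect SSO endpoint")
    certs = idp.findall(".//" + DS + "X509Certificate")
    if not certs:
        problems.append("IDPSSODescriptor carries no signing certificate")
    for cert in certs:  # element text may be wrapped/indented as in the listing above
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der or der[0] != 0x30:
                problems.append("X509Certificate is not a DER SEQUENCE")
        except binascii.Error:
            problems.append("X509Certificate is not valid base64")
    return {"entityID": root.get("entityID"), "sso": sso}, problems

# Constructed stand-in for the metadata above; the "certificate" is a minimal DER SEQUENCE.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = f"""<EntityDescriptor entityID="https://shibboleth.test.idp/idp"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://shibboleth.test.idp/idp/profile/SAML2/POST/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://shibboleth.test.idp/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor></EntityDescriptor>"""
```

Running `check_idp_metadata(SAMPLE)` reports the plain-http Redirect endpoint as a problem while listing both SSO endpoints in the summary; the check does not verify the certificate's chain or the metadata signature, which the SP still has to do.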

After you have completed the setup, the tool will ask whether you want to download the configuration files. Do this, then register the SP-Metadata.xml file with your IdP, and you should be ready to go.

I did have to change a few settings to get this working with my Shibboleth 2 IdP. First, I had to set the following properties in the oiosaml-sp.properties file.

oiosaml-sp.assurancelevel=0
oiosaml-sp.nameid.allowcreate=false
oiosaml-sp.nameid.policy=transient

The last thing was to change the ProfileConfiguration attributes in the IdP's relying-party.xml file so that it does not encrypt NameIDs. Here is an example of what mine looks like.

        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                              encryptNameIds="never" />
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
                              encryptNameIds="never" />
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
                              encryptNameIds="never" />

There are a lot of steps involved in getting the oiosaml.java package working with your application, and most of them are configuration issues between the SP and the IdP. I found that deploying the samldemo.war file included with the downloaded code is a great way to get familiar with setting this product up.

Posted on Feb 03, 2009 by Mike Jennings in Java | 1 Comments | Permalink



Comments:

Hi, Thanks for the instruction. May I ask a few questions?

1. Does it work with IdP 1.3? I don't have a relying-party.xml file...
2. After configuration, I clicked 'Page requiring login', then I got:
java.lang.NullPointerException
dk.itst.oiosaml.sp.service.SPFilter.doFilter(SPFilter.java:147)

I can download the oiosaml.java-config.zip after configuration. Should I put it somewhere in the IdP?
3. Does it support multiple IdPs in one idp-metadata.xml?
Thanks in advance.

Posted by Shunde Zhang on March 20, 2009 at 01:30 AM EDT #
