Java SAML 2 Service Providers
I have recently been working on setting up Shibboleth Service Providers (SP) at our organization. Shibboleth has a C++ SP that works great when integrated with Apache or IIS. Where I have run into issues getting applications to work with Shibboleth has been with applications deployed on application servers like BEA WebLogic or Oracle OC4J. Vendors seem to support the SAML specification, but they all seem to do it in their own specific way.
I was initially thinking of using a gateway approach with an Apache Shibboleth SP. In this approach I would have an Apache web server installed in front of the application server. I would then set up a proxy pass-through to allow data to be sent to the application server. I would have all requests to the application server pass through the Shibboleth SP, parse out the attributes returned from the IdP, and pass them on to the application server.
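The application-server side of that gateway approach needs one piece the post does not spell out: the application must only believe the identity attributes when the request really came through the Shibboleth SP, because anyone who can reach the application server directly could otherwise send the same headers with any value they like. The servlet filter below is an added illustration, not code from the post, Shibboleth or GUANXI. It assumes the Apache SP forwards attributes as request headers (the Shibboleth SP's `ShibUseHeaders` style, with header names equal to the attribute ids; `eppn` and `affiliation` are assumed here), that the filter's `trustedProxies` init-param lists the gateway host addresses, and that the application server is otherwise firewalled so that `getRemoteAddr()` is meaningful.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Accepts identity attributes forwarded by an Apache/Shibboleth SP gateway
 * and exposes them to the web application through the standard
 * getRemoteUser()/getUserPrincipal()/isUserInRole() API.
 * Header names are assumptions: use whatever attribute ids the gateway emits.
 */
public class ShibGatewayFilter implements Filter {
    private static final String USER_HEADER = "eppn";              // assumed attribute id
    private static final String AFFILIATION_HEADER = "affiliation"; // assumed attribute id
    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        // init-param "trustedProxies" (assumed name): comma-separated gateway IP addresses
        String list = config.getInitParameter("trustedProxies");
        if (list == null || list.trim().length() == 0) {
            throw new ServletException("trustedProxies init-param is required");
        }
        for (String ip : list.split(",")) {
            trustedProxies.add(ip.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Refuse to honour identity headers unless the TCP peer is the gateway itself.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "requests must come via the SP gateway");
            return;
        }

        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().length() == 0) {
            // The gateway should already require a session; fail closed if it did not.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no authenticated user");
            return;
        }

        // Multi-valued Shibboleth attributes arrive as a single ';'-separated header value.
        String rawAffiliation = request.getHeader(AFFILIATION_HEADER);
        List<String> affiliations = rawAffiliation == null
                ? Collections.<String>emptyList()
                : Arrays.asList(rawAffiliation.split(";"));

        chain.doFilter(new ShibRequest(request, user.trim(), affiliations), response);
    }

    public void destroy() {
        trustedProxies.clear();
    }

    /** Wrapper that answers the container's identity queries from the forwarded attributes. */
    private static class ShibRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;

        ShibRequest(HttpServletRequest request, String user, List<String> affiliations) {
            super(request);
            this.user = user;
            this.roles = new HashSet<String>();
            for (String a : affiliations) {
                this.roles.add(a.trim());
            }
        }

        public String getRemoteUser() {
            return user;
        }

        public Principal getUserPrincipal() {
            return new Principal() {
                public String getName() {
                    return user;
                }
            };
        }

        // Affiliation values (e.g. "member", "staff") double as roles for the application.
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }
    }
}
```

Register the filter in `web.xml` ahead of any application filters and list only the gateway addresses in `trustedProxies`; if the gateway is a pool behind NAT or the app server sits on a shared network, a per-request shared secret header set by the gateway is a sturdier check than the peer address alone.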
While I do think that this approach will work, I think that a Java SP deployed on the application server would make this process much easier to manage. Currently Shibboleth does not have a Java SP written, even though there is a placeholder for it in the code repository. I have done some research and found a Java SP that seems to work with Shibboleth, GUANXI.
GUANXI does seem to allow applications to be secured on a Java application server and communicate with a Shibboleth IdP. The only downfall I have found with the security is that it currently only works with SAML 1. Even so, this option does seem to initially work for me.
I would like to know if anyone has a good Java SP implemented. I am thinking of trying out OpenSSO as well to see how well that works. I am also thinking of checking out Enterprise Single Sign-on to see how well this will work.

Hi Mike,
You should definitely take a look at OpenSSO's Fedlets - there's a pretty entertaining video here - http://blogs.sun.com/raskin/entry/the_fedlet_has_arrived_check - that shows you how to get started.
As well as the Fedlet, you can use OpenSSO as a self-contained SAML 1.x/2.0 endpoint, deploying policy agents into existing web apps' containers.
OpenSSO is based on Sun Java System Access Manager (in fact, we're building the next commercial release from the OpenSSO source right now), which is very widely deployed for federation.
Cheers,
Pat
Posted by Pat Patterson on September 04, 2008 at 05:57 PM EDT #