Update to address your edits:
Here are some SAML 2 options you can use.
Shibboleth SP is a product that implements SAML 2.0 for you, whereas OpenSAML is just a library with which you can implement SAML 2.0 yourself. The library itself is low-level and not even close to an SSO solution. OpenSAML on its own is not a SAML 2.0 solution.
To use OpenSAML or any other SAML 2.0 solution, you will need to exchange metadata as described below. With OpenSAML, you will have to generate the XML file for your own metadata by hand. It will be a lot of work, as indicated below. SAML 2.0 products will create the metadata XML file for you and generate the RSA keys used to encrypt and sign SAML 2.0 assertions. With OpenSAML, you get API support for loading parts of the XML files and APIs to generate and parse your assertions, but you will have to write the Java code that actually carries out the SSO interaction.
The SP does not necessarily need Active Directory / LDAP, but you will need some type of directory in your web application that tracks users. If your web application already has a user concept with some credential that you can use to match it with the IdP's user concept, you can simply map them in your web application based on the attribute values in your SAML 2.0 assertions. (If your web application does not care which user it is, you can simply allow access to the application based on the fact that the user is "valid".)
-
Integrating Shibboleth2 SSO with a Java web application is not too complicated. Using OpenSAML to implement SSO will work, but it would be a lot more effort than integrating an Apache server with Shibboleth.
Using Shibboleth requires that you have Apache2 with the Shibboleth module enabled and the Shibboleth SP daemon installed. They will usually sit together on one box. If you use Tomcat to host the Java web application, I recommend that you use mod_proxy_ajp to communicate between the Apache2 HTTP server and Tomcat. This way you get the variables provided by Shibboleth as servlet request attributes. (You must set the attribute prefix to "AJP_" in the shibboleth2.xml file.)
The Shibboleth SP package already handles all the standard SAML SSO scenarios you are likely to encounter, but trying to implement even one of them with OpenSAML directly in your Java application is fraught with peril, both in getting it to work and in making it secure. You will also bloat your web application if you use OpenSAML. It is worth noting that Shibboleth SP is not written in Java, so you will not have examples of using OpenSAML for this, but you can get some idea by looking at the Shibboleth IdP code, which is a Java web application.
In any case, you will need to exchange your SP metadata (easily generated using the Shibboleth SP package) with your identity provider, and also load the identity provider's metadata into your SP (also easy with the Shibboleth SP package, since you just configure a MetadataProvider).
The Shibboleth online documentation will help you a great deal once you get used to it.
I think you will have a much better chance of success if you use the Shibboleth SP package rather than implementing a SAML 2 SSO solution with the OpenSAML libraries. I cannot speak for all the other Java SAML 2 SSO solutions, but they all seem large and overly enterprise-oriented compared to the simple Shibboleth 2 SP.
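As an added illustration of the Apache + mod_proxy_ajp + Tomcat setup described in the answer above (example code written for this page, not code from the answer's author or from the Shibboleth project), here is a servlet filter that picks up the attributes Shibboleth SP exports and maps them onto the application's own user concept. It assumes `attributePrefix="AJP_"` on `<ApplicationDefaults>` in shibboleth2.xml, the default attribute ids `eppn` and `affiliation` from attribute-map.xml, and that mod_proxy_ajp strips the `AJP_` prefix when it forwards the variables as request attributes; the `AppUser` record and the `app.user` attribute name are hypothetical application-side names.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Optional;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Reads the attributes that Shibboleth SP exported as AJP_* environment
 * variables and that mod_proxy_ajp forwards to Tomcat as AJP request
 * attributes (prefix stripped), then maps them onto the application's user.
 *
 * Assumptions (not from the original answer):
 *  - shibboleth2.xml sets attributePrefix="AJP_" on <ApplicationDefaults>
 *  - attribute-map.xml maps eduPersonPrincipalName to id "eppn" and
 *    eduPersonAffiliation to id "affiliation" (the stock ids)
 *  - only the Shibboleth-protected Apache can reach Tomcat's AJP connector
 */
public class ShibbolethAttributeFilter implements Filter {

    /** Attribute id for the principal name, as configured in attribute-map.xml. */
    static final String PRINCIPAL_ATTR = "eppn";
    static final String AFFILIATION_ATTR = "affiliation";
    /** Hypothetical request attribute where downstream servlets find the app user. */
    static final String APP_USER_ATTR = "app.user";

    /** Minimal application-side user record (hypothetical). */
    public static final class AppUser {
        public final String principal;
        public final List<String> affiliations;

        AppUser(String principal, List<String> affiliations) {
            this.principal = principal;
            this.affiliations = affiliations;
        }
    }

    /**
     * Build an AppUser from the forwarded attribute values. Returns empty when
     * the principal attribute is absent or blank, which is what you see when a
     * request did not pass through the Shibboleth-protected Apache at all.
     */
    static Optional<AppUser> resolveUser(Object eppnValue, Object affiliationValue) {
        if (!(eppnValue instanceof String) || ((String) eppnValue).trim().isEmpty()) {
            return Optional.empty();
        }
        String eppn = ((String) eppnValue).trim();

        // Shibboleth SP joins multi-valued attributes into one string with ';'.
        List<String> affiliations = Collections.emptyList();
        if (affiliationValue instanceof String && !((String) affiliationValue).isEmpty()) {
            affiliations = Arrays.asList(((String) affiliationValue).split(";"));
        }
        return Optional.of(new AppUser(eppn, affiliations));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Read request attributes, not HTTP headers: any client can send a
        // header, but AJP request attributes can only come from the AJP peer.
        Optional<AppUser> user = resolveUser(
                request.getAttribute(PRINCIPAL_ATTR),
                request.getAttribute(AFFILIATION_ATTR));

        if (!user.isPresent()) {
            // Fail closed: no Shibboleth session means no application session.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "No SAML session for this request");
            return;
        }

        request.setAttribute(APP_USER_ATTR, user.get());
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Map the filter in web.xml onto the paths that Apache protects with `AuthType shibboleth`, `ShibRequestSetting requireSession 1` and `Require valid-user`, and proxy those same paths with `ProxyPass ... ajp://localhost:8009/...`. Because the filter trusts whatever arrives on the AJP connector, Tomcat's AJP connector should listen only on the loopback interface (`address="127.0.0.1"`) and, on current Tomcat releases, carry the shared `secret` that Apache's `ProxyPass` supplies; otherwise anything that can reach port 8009 could present its own `eppn`.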