I found out that the XWiki SAML module from
https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-a…
differs significantly from what I have. It works according to:
http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-…
and is implemented in .NET:
http://msdn.microsoft.com/en-us/library/ee517291.aspx
http://msdn.microsoft.com/en-us/library/bb498017.aspx
http://msdn.microsoft.com/en-us/library/bb608217.aspx
Even though by the standard I should use the location parameter in the
response parameters, it can actually be invoked with GET/POST parameters,
e.g. simply by following:
https://...gov.lv/.../default.aspx?wa=wsignin1.0&wtrealm=http%3A%2F%
2F11.22.33.44%2Fxwiki
where gov.lv is the authentication federation service, and 11.22.33.44 is
my XWiki site.
Then, after authentication, the service redirects back to XWiki with the
POST parameters:
wa=wsignin1.0
wresult=
=========================
<trust:RequestSecurityTokenResponseCollection
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse>
<trust:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss…
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss…
</trust:Lifetime>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference
xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://11.22.33.44/xwiki</Address>
</EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1"
AssertionID="_05d753b3-3f4c-4709-ad74-bdce19fb23c2"
Issuer="http://...gov.lv/trust"
IssueInstant="2013-04-11T12:41:15.525Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2013-04-11T12:41:15.525Z"
NotOnOrAfter="2013-04-11T13:41:15.525Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://11.22.33.44/xwiki</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentifier"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/cla…
<saml:AttributeValue>112233-12345</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="givenname"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/cla…
<saml:AttributeValue>VALDIS</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="surname"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/cla…
<saml:AttributeValue>VĪTOLIŅŠ</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement
AuthenticationMethod="URN:..."
AuthenticationInstant="2013-04-11T12:41:15.525Z">
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_05d753b3-3f4c-4709-ad74-bdce19fb23c2">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>HU3/uQFbvSciSkPXxQURI+hUkNU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...
</ds:SignatureValue>
<KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>...
</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</trust:RequestedSecurityToken>
...Bla, bla, bla...
=============================
Am I right that I need to change:
1. showLogin(), where most of the authRequest.set... calls seem unnecessary,
2. checkSAMLResponse(), where I need to do
request.getParameter("wresult") and somehow extract the necessary data
from this XML and check it.
Thanks for any hints!
Valdis
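Added example, not code from the XWiki authenticator: the checks item 2 above asks for, run on a constructed token modelled on the one posted (exactly one assertion, a signature attached to that assertion, audience equal to the wtrealm, lifetime window) before the attributes are extracted. It assumes only Python's standard library; cryptographic verification of the ds:Signature against the pinned federation certificate still needs an XML-DSig library and is not shown.

```python
# Added example, not XWiki code: non-cryptographic checks on a WS-Federation
# "wresult" token; the ds:Signature itself must still be verified separately.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(s):  # SAML 1.1 timestamps are UTC with a trailing "Z"
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_wresult(wresult, expected_audience, now):
    """Return the assertion's attributes as a dict, or raise ValueError."""
    assertions = ET.fromstring(wresult).findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one saml:Assertion")
    a = assertions[0]
    # The enveloped signature must be a direct child of this Assertion and its
    # Reference must point at this Assertion's own ID; otherwise a signed
    # assertion could be smuggled in next to an unsigned one.
    sigs = a.findall("ds:Signature", NS)
    ref = sigs[0].find("ds:SignedInfo/ds:Reference", NS) if len(sigs) == 1 else None
    if ref is None or ref.get("URI") != "#" + a.get("AssertionID", ""):
        raise ValueError("signature missing or does not cover this assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    aud = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in aud:
        raise ValueError("audience mismatch: %r" % aud)
    return {x.get("AttributeName"): x.findtext("saml:AttributeValue", namespaces=NS)
            for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}

# Constructed sample modelled on the posted token (identifiers are placeholders).
SAMPLE = """<trust:RequestSecurityTokenResponseCollection
 xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_id1"
 Issuer="https://idp.example/trust" IssueInstant="2013-04-11T12:41:15.525Z"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2013-04-11T12:41:15.525Z" NotOnOrAfter="2013-04-11T13:41:15.525Z">
<saml:AudienceRestrictionCondition><saml:Audience>http://11.22.33.44/xwiki</saml:Audience>
</saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AttributeStatement><saml:Attribute AttributeName="givenname">
<saml:AttributeValue>VALDIS</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#_id1"/></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue>
</ds:Signature></saml:Assertion></trust:RequestedSecurityToken>
</trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection>"""
```

Pass the same value you sent as wtrealm for expected_audience, so a token issued for another realm is rejected.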