The shibboleth integration for SSO was fairly straightforward. Mostly just adding a bunch of beans into the security.xml. No new classes are required, you can use ones that Spring provides.
However, we did have to alter the SharedLogicController.
In this code, you cast a token to a UsernamePasswordAuthenticationToken. That was causing issues with Shibboleth because it uses a different type of token. However, by changing the cast to the more abstract AbstractAuthenticationToken, everything works. The AbstractAuthenticationToken has all the methods that the SharedLogicController needs, and is a common base for both the UsernamePasswordAuthenticationToken (native) and the PreAuthenticatedAuthenticationToken (shibboleth/saml) that we need. Just letting folks know.