Re: Tomcat SSO valve implementation

2020-12-22 Thread Brian Wolfe
Most apps I have seen implement it themselves using a SAML framework like
Spring. Usually they build the functionality into their app. I suppose you
could build a Tomcat implementation; Tomcat supports J2EE, so you could
leverage those mechanisms to get the Tomcat session. I don't think there is
anything OOTB for Tomcat SAML. Essentially you need to create a couple of
endpoints: one for SAML metadata retrieval/generation and one for parsing
an incoming SAML assertion, assuming you're providing a service with your
app. You would also want a logout endpoint. You will also need to figure
out login, as your app needs to redirect to the IDP in the event a user
does not have a session. Some SPs have a local login and IDP login. So you
would have to implement that.

In my quick Google searching there seems to be a tool called PicketLink
that might do some of this for you. This seems to be a decent write-up,
although I haven't used it.
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink


On Tue, Dec 22, 2020 at 12:04 PM Steve Sanders wrote:

> Just to add on to the options already listed (which I'm sure work just
> great!), we used openSAML and wrote our own valve fairly painlessly and
> have been having really good success with it.
>
> Steve Sanders
>
> On Mon, Dec 21, 2020 at 1:17 PM George Stanchev <
> george.stanc...@microfocus.com> wrote:
>
> > We use spring-security-saml for application-level SP implementation and it
> > works pretty good too. The project is in the process of being rewritten
> > from scratch though with 2.0 in milestone builds. No direct integration
> > with Tomcat though but on application level.
> >
> > George
> >
> > -Original Message-
> > From: André Warnier (tomcat/perl) 
> > Sent: Thursday, December 17, 2020 8:42 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Tomcat SSO valve implementation
> >
> > On 16.12.2020 19:39, Kevin Oxley wrote:
> > > We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> > > (9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
> > > valve implementation that you've had a good experience with?
> > >
> >
> > searching Google for "SAML SP for servlet engine" gives a few links, among
> > them this one :
> > https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
> >
> > I haven't tried it myself. In my cases, I always use an Apache httpd
> > front-end, which does the authentication prior to proxying to a back-end
> > tomcat (with the Connector attribute '
> > tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we
> > use Shibboleth as the SAML SP side.
> > That works perfectly.
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Tomcat SSO valve implementation

2020-12-22 Thread Steve Sanders
Just to add on to the options already listed (which I'm sure work just
great!), we used openSAML and wrote our own valve fairly painlessly and
have been having really good success with it.

Steve Sanders

On Mon, Dec 21, 2020 at 1:17 PM George Stanchev <
george.stanc...@microfocus.com> wrote:

> We use spring-security-saml for application-level SP implementation and it
> works pretty good too. The project is in the process of being rewritten
> from scratch though with 2.0 in milestone builds. No direct integration
> with Tomcat though but on application level.
>
> George
>
> -Original Message-
> From: André Warnier (tomcat/perl) 
> Sent: Thursday, December 17, 2020 8:42 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat SSO valve implementation
>
> On 16.12.2020 19:39, Kevin Oxley wrote:
> > We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> > (9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
> > valve implementation that you've had a good experience with?
> >
>
> searching Google for "SAML SP for servlet engine" gives a few links, among
> them this one :
> https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
>
> I haven't tried it myself. In my cases, I always use an Apache httpd
> front-end, which does the authentication prior to proxying to a back-end
> tomcat (with the Connector attribute '
> tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we
> use Shibboleth as the SAML SP side.
> That works perfectly.
>
>
>


RE: Tomcat SSO valve implementation

2020-12-21 Thread George Stanchev
We use spring-security-saml for application-level SP implementation and it 
works pretty good too. The project is in the process of being rewritten from 
scratch though with 2.0 in milestone builds. No direct integration with Tomcat 
though but on application level.

George

-Original Message-
From: André Warnier (tomcat/perl)  
Sent: Thursday, December 17, 2020 8:42 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSO valve implementation

On 16.12.2020 19:39, Kevin Oxley wrote:
> We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> (9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
> valve implementation that you've had a good experience with?
> 

searching Google for "SAML SP for servlet engine" gives a few links, among them 
this one :
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink

I haven't tried it myself. In my cases, I always use an Apache httpd front-end, 
which does the authentication prior to proxying to a back-end tomcat (with the 
Connector attribute ' 
tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we use 
Shibboleth as the SAML SP side.
That works perfectly.




Re: Tomcat SSO valve implementation

2020-12-17 Thread tomcat/perl

On 16.12.2020 19:39, Kevin Oxley wrote:

We are trying to support SSO SAML 2.0 for user authentication in Tomcat
(9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
valve implementation that you've had a good experience with?



searching Google for "SAML SP for servlet engine" gives a few links, among them 
this one :
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink

I haven't tried it myself. In my cases, I always use an Apache httpd front-end, which does 
the authentication prior to proxying to a back-end tomcat (with the Connector attribute ' 
tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we use Shibboleth as 
the SAML SP side.

That works perfectly.
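
The front-end arrangement described in this message, sketched as an added example (not part of the original post and not the poster's actual configuration). The host name, the /app path, port 8009 and the secret value are assumptions made for illustration. With tomcatAuthentication="false" Tomcat accepts whatever user the AJP peer asserts, so the sketch keeps the AJP connector on loopback and protects it with a shared secret.

```apache
# httpd front-end: mod_shib is the SAML SP, mod_proxy_ajp forwards to Tomcat.
# Assumed for illustration: ServerName, the /app path, port 8009 and the
# placeholder secret. TLS certificate directives are site-specific and omitted.
<VirtualHost *:443>
    ServerName sp.example.org

    # Every request under /app needs a Shibboleth session; users without one
    # are redirected to the IdP by mod_shib before anything is proxied.
    <Location /app>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

    # The authenticated user (REMOTE_USER) travels to Tomcat as an AJP
    # request attribute. The secret= parameter needs httpd 2.4.42 or later.
    ProxyPass /app ajp://127.0.0.1:8009/app secret=CHANGE_ME_PLACEHOLDER
</VirtualHost>

# Tomcat side (conf/server.xml), shown as a comment to keep this to one block:
#
#   <Connector protocol="AJP/1.3"
#              address="127.0.0.1" port="8009"
#              secretRequired="true" secret="CHANGE_ME_PLACEHOLDER"
#              tomcatAuthentication="false" />
#
# tomcatAuthentication="false": Tomcat does no authentication of its own and
#   takes the principal from the AJP request, so request.getRemoteUser()
#   returns the user mod_shib authenticated.
# address="127.0.0.1": only the local httpd can reach the connector. If the
#   AJP port is reachable from elsewhere, any client that can speak AJP can
#   present an arbitrary user name and Tomcat will accept it.
# secret / secretRequired: available from Tomcat 9.0.31. The 9.0.22 release
#   named in this thread uses the older attribute name requiredSecret.
```

Shibboleth's own endpoints under /Shibboleth.sso are served by mod_shib in httpd and are not proxied to Tomcat in this layout.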




Tomcat SSO valve implementation

2020-12-16 Thread Kevin Oxley
We are trying to support SSO SAML 2.0 for user authentication in Tomcat
(9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
valve implementation that you've had a good experience with?
-- 

Thanks,

Kevin