Hello Sandeep,

Both the Keycloak SAML adapter [1] and the servlet filter [2] work for me out of the box.
I am using Tomcat 9.0.5.

Cheers,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter

2018-06-09 14:09 GMT+02:00 Arnaud Yahoo <a_mer...@yahoo.fr.invalid>:

> Hello,
>
> I recently tried (with success) the Tomcat Valve from Fediz (Apache CXF)
>
> http://cxf.apache.org/fediz-tomcat.html
>
> Note that you need to take a recent 1.4.4 snapshot, because 1.4.3 has some
> bugs preventing it from working with SAML
>
> Hope this helps
>
> Arnaud
>
> On 08/06/2018 21:49, Christopher Schultz wrote:
>
>> Sandeep,
>>
>> On 6/8/18 10:39 AM, Sandeep Muddamsetty wrote:
>>
>>> We are trying to implement SAML SSO configuration on Tomcat 8.5.X
>>> servers. We came to know through some of the blogs that there is no
>>> direct implementation of this authentication process and that we need
>>> to depend on third-party tools to make it possible. We are seeing so
>>> many tools while searching for this but are not getting exact
>>> information on which tool to use. Do we have any Apache-recommended
>>> tools for this?
>>>
>> I don't have a particular recommendation for you, but if you find
>> something that works well, would you mind sharing your experience with
>> the community?
>>
>> I have implemented SAML SSO myself, but we don't use Tomcat's built-in
>> authentication and authorization framework, so it wouldn't be applicable.
>>
>> You will almost certainly have to implement a Valve (which is a
>> Tomcat-specific component) to accomplish this. You might want to look
>> at the org.apache.catalina.authenticator.FormAuthenticator source code
>> to see how it's done. Much of the heavy-lifting is done by the
>> AuthenticatorBase class, but the
>> doAuthenticate(Request,HttpServletResponse) method is where the "real
>> work" gets done to handle the incoming data, etc.
>>
>> I suspect if you began with that code and started chopping-out pieces
>> and replacing them with parsing of the SAML response, validating and
>> verifying its authenticity, and then obtaining the user's identity
>> through the various SAML attributes sent by the identity provider, you
>> could get quite far on your own.
>>
>> If you want to use an outside authentication system, it wouldn't
>> surprise me to discover that Spring Security already had a plug-in for
>> this kind of thing.
>>
>> Hope that helps,
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org

--
"Ever tried. Ever failed. No matter. Try Again. Fail again.
Fail better." - Samuel Beckett