Re: SAML 2.0 with container managed authentication in Tomcat
On Thu, Sep 11, 2014 at 2:26 PM, Maarten van Hulsentop maar...@vanhulsentop.nl wrote:

> Dear Tomcat-users,
>
> We are investigating the best way to support SAML 2.0 (SP) authentication with our application. Our application is using container managed authentication provided by Tomcat, and works very well with basic authentication, form authentication, SPNEGO and others. My expectation would be that it should be possible to add a Valve and a Realm and have a 3rd party tool supply the SAML2 Relying Party implementation.
>
> So far, we have identified a couple of possible candidates.
>
> - Apache CXF Fediz. This project still seems young, but the integration would be as I expect.
> - Spring Security might be possible to wrap into a Valve and Realm?
> - PicketLink? As stated on https://docs.jboss.org/author/display/PLINK/SAML+Authenticators+(Tomcat,JBossAS)

I have used PicketLink with Tomcat as SP and JBoss WildFly as IDP and it worked very well. PicketLink works great but the support is rather thin. You may also want to check WSO2.

regards
Leon

P.S. Both provide Filters, not Valves.
SAML 2.0 with container managed authentication in Tomcat
Dear Tomcat-users,

We are investigating the best way to support SAML 2.0 (SP) authentication with our application. Our application is using container managed authentication provided by Tomcat, and works very well with basic authentication, form authentication, SPNEGO and others. My expectation would be that it should be possible to add a Valve and a Realm and have a 3rd party tool supply the SAML2 Relying Party implementation.

So far, we have identified a couple of possible candidates.

- Apache CXF Fediz. This project still seems young, but the integration would be as I expect.
- Spring Security might be possible to wrap into a Valve and Realm?
- PicketLink? As stated on https://docs.jboss.org/author/display/PLINK/SAML+Authenticators+(Tomcat,JBossAS)
- Tomcat's very own support not there yet? https://issues.apache.org/bugzilla/show_bug.cgi?id=54503
- Shibboleth (on HTTPD, remote user passed through AJP)

Until now we have been using the Shibboleth/HTTPd implementation, but from the Tomcat perspective this is not very 'pure'. We would like to configure it all in one place, Tomcat.

What's your view on this? Does anybody else have experience with any of these, or others? Any best practices?

Thank you!

Regards,
Maarten van Hulsentop
Re: SAML 2.0 with container managed authentication in Tomcat
Hello,

2014-09-11 14:26 GMT+02:00 Maarten van Hulsentop maar...@vanhulsentop.nl:

> Dear Tomcat-users,
>
> We are investigating the best way to support SAML 2.0 (SP) authentication with our application. Our application is using container managed authentication provided by Tomcat, and works very well with basic authentication, form authentication, SPNEGO and others. My expectation would be that it should be possible to add a Valve and a Realm and have a 3rd party tool supply the SAML2 Relying Party implementation.
>
> So far, we have identified a couple of possible candidates.
>
> - Apache CXF Fediz. This project still seems young, but the integration would be as I expect.
> - Spring Security might be possible to wrap into a Valve and Realm?
> - PicketLink? As stated on https://docs.jboss.org/author/display/PLINK/SAML+Authenticators+(Tomcat,JBossAS)
> - Tomcat's very own support not there yet? https://issues.apache.org/bugzilla/show_bug.cgi?id=54503
> - Shibboleth (on HTTPD, remote user passed through AJP)
>
> Until now we have been using the Shibboleth/HTTPd implementation, but from the Tomcat perspective this is not very 'pure'. We would like to configure it all in one place, Tomcat.

At work, with exactly the same requirement, we used OIOSAML [1], which has been transformed into a custom Tomcat authenticator (from the filter). It works quite well within our organisation with the Shibboleth IDP.

There is also an enhancement request on Bugzilla on that topic [2], which seems to prefer adding JASPI(C) to Tomcat to add SAML.

[1] http://digitaliser.dk/resource/2582561
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=54503

Cédric