Dear Tomcat-users,

We are investigating the best way to support SAML 2.0 (SP) authentication with our application. Our application is using container managed authentication provided by Tomcat, and works very well with basic authentication, form authentication, SPNEGO and others.

My expectation would be that it should be possible to add a Valve and a Realm and have a third-party tool supply the SAML2 Relying Party implementation. So far, we have identified a couple of possible candidates:

- Apache CXF Fediz. This project still seems young, but the integration would be as I expect.
- Spring Security might be possible to wrap into a Valve and Realm?
- PicketLink? As stated on https://docs.jboss.org/author/display/PLINK/SAML+Authenticators+(Tomcat,JBossAS)
- Tomcat's very own support not there yet? https://issues.apache.org/bugzilla/show_bug.cgi?id=54503
- Shibboleth (on HTTPD, remote user passed through AJP)

Until now we have been using the Shibboleth/HTTPD implementation, but from the Tomcat perspective this is not very 'pure'. We would like to configure it all in one place, Tomcat.

What's your view on this? Does anybody else have experience with any of these, or others? Any best practices?

Thank you!

Regards,
Maarten van Hulsentop