William,
On 4/9/25 11:09 AM, William Crowell wrote:
> Is there any current up-to-date documentation on how to setup Apache
> Tomcat 9 with SAML and Active Directory that is not AI generated?
> I know you can do Keycloak IdP with Tomcat, but I was trying to
> avoid setting up an identity provider.
> I am finding links, but I think there is some missing information on
> how-to.
I'm sorry I didn't see this when you originally posted it, but Tomcat
has no support for SAML at all in its core capabilities. You may be able
to get some kind of add-on to support it.
At $work, we have built our own single-legged SAML support that does
work with AD/ADFS and other SAML providers. (It's single-legged in that
the first message we get is the "SAML response" so the IdP generates its
own SSO request, signs the response, and sends that through the client
to our service.) It's not rocket science, you just parse and validate
the response document against a trusted certificate store and then do
whatever you want.
Something that Tomcat doesn't have is the ability for an application to
just say "this is the user, pretend they just logged-in". So to support
SAML in Tomcat yourself, you'll likely have to implement it at least
partially as a Valve in order to get access to the internals necessary
to shove the user Principal into the right place(s).
I've been considering writing a Passkeys implementation for Tomcat and
something SAML-related could dovetail nicely with that. As yet I haven't
been able to dedicate enough time to wrap my head around JASPI... er,
Jakarta Authentication to understand the best way to implement such
pluggable authentication modules into Tomcat in the cleanest way.
-chris
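As an added illustration of the single-legged flow and the Valve approach described above (example code written for this reply, not Tomcat's own code and not the $work implementation): a hypothetical Valve that accepts an IdP-initiated `SAMLResponse` POST, validates the enveloped XML signature against a trusted IdP certificate, and installs the resulting Principal. It assumes Tomcat 9's `javax.servlet` API, that the IdP signs the whole `Response` element rather than only the `Assertion`, and that the trusted certificate is loaded elsewhere.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.catalina.connector.*;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;
import org.w3c.dom.*;

public class SamlResponseValve extends ValveBase { // hypothetical example, not Tomcat's own code
    private final X509Certificate idpCert; // trusted IdP signing cert, loaded elsewhere (assumed)
    public SamlResponseValve(X509Certificate idpCert) { this.idpCert = idpCert; }
    @Override public void invoke(Request request, Response response) throws java.io.IOException, javax.servlet.ServletException {
        String encoded = request.getParameter("SAMLResponse"); // single-legged: the first message we see
        if (encoded != null && "POST".equals(request.getMethod())) {
            try {
                String user = validateAndExtractUser(Base64.getDecoder().decode(encoded));
                request.setAuthType("SAML"); // "this is the user, pretend they just logged in"
                request.setUserPrincipal(new GenericPrincipal(user, null, Collections.emptyList()));
            } catch (Exception e) { response.sendError(403, "SAML response rejected"); return; }
        }
        getNext().invoke(request, response);
    }
    // Verify the enveloped signature with the trusted cert; it must cover the whole Response.
    String validateAndExtractUser(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element root = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (sigs.getLength() != 1) throw new SecurityException("expected exactly one Signature");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(idpCert.getPublicKey()), sigs.item(0));
        ctx.setIdAttributeNS(root, null, "ID"); // lets the "#<ID>" Reference resolve to the root element
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new SecurityException("signature does not verify");
        // Signature-wrapping defence: exactly one Reference, and it must point at the Response element.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + root.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("signature does not cover the whole Response");
        // Still required before trusting the name: Conditions (NotBefore/NotOnOrAfter), Audience, replay of ID.
        NodeList ids = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "NameID");
        if (ids.getLength() == 0) throw new SecurityException("no NameID in Response");
        return ids.item(0).getTextContent().trim();
    }
}
```

The constructor argument stands in for a property setter that loads the certificate from a keystore, since a Valve declared in context.xml needs a no-arg constructor. Once set, the Principal is what the container's authenticator finds already cached on the request.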
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org