Tomcat SSO valve implementation

Tomcat SSO valve implementation

Kevin Oxley
We are trying to support SSO SAML 2.0 for user authentication in Tomcat
(9.0.22). Can anybody provide a reference to a pre-integrated SAML SSO
valve implementation that you've had a good experience with?
--

Thanks,

Kevin

Re: Tomcat SSO valve implementation

André Warnier (tomcat/perl)
On 16.12.2020 19:39, Kevin Oxley wrote:
> We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> (9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
> valve implementation that you've had a good experience with?
>

Searching Google for "SAML SP for servlet engine" gives a few links, among them this one:
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink

I haven't tried it myself. In my cases, I always use an Apache httpd front-end, which does
the authentication prior to proxying to a back-end Tomcat (with the Connector attribute
'tomcatAuthentication="false"'). In the front-end Apache2 httpd then, we use Shibboleth as
the SAML SP side.
That works perfectly.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
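
The front-end arrangement described in the message above, sketched as configuration. This is an added example, not part of the original post or of any project's shipped configuration; the context path `/app` and the AJP address `127.0.0.1:8009` are assumptions.

```apache
# Added example: httpd as the SAML SP (Shibboleth), Tomcat behind it over AJP.
# Assumed names: webapp context path /app, AJP listener on 127.0.0.1:8009.

# --- Tomcat side (conf/server.xml), shown here as a comment ---
#   <Connector protocol="AJP/1.3"
#              address="127.0.0.1" port="8009"
#              tomcatAuthentication="false" />
# With tomcatAuthentication="false" Tomcat does not authenticate the request
# itself; it accepts the user name that arrives with the AJP request.
# Anything that can connect to this port can therefore assert any user, so
# keep the connector on loopback (or a firewalled link) and do not leave an
# HTTP connector exposed that reaches the same webapp without passing httpd.

# --- httpd side ---
# mod_shib, mod_proxy and mod_proxy_ajp must be loaded.
# Which SAML attribute becomes REMOTE_USER is chosen in shibboleth2.xml
# (the REMOTE_USER setting of ApplicationDefaults).
<Location "/app">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

# mod_proxy_ajp forwards the authenticated REMOTE_USER to Tomcat, where it
# becomes the request's remote user because tomcatAuthentication is false.
ProxyPass "/app" "ajp://127.0.0.1:8009/app"
```

Because only `/app` is proxied, the Shibboleth handler path (`/Shibboleth.sso` by default) stays with httpd and is not sent to Tomcat.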


RE: Tomcat SSO valve implementation

George Stanchev-2
We use spring-security-saml for application-level SP implementation and it works pretty well too. The project is in the process of being rewritten from scratch though, with 2.0 in milestone builds. No direct integration with Tomcat though, but on application level.

George

-----Original Message-----
From: André Warnier (tomcat/perl) <[hidden email]>
Sent: Thursday, December 17, 2020 8:42 AM
To: [hidden email]
Subject: Re: Tomcat SSO valve implementation

On 16.12.2020 19:39, Kevin Oxley wrote:
> We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> (9.0.22).   Can anybody provide a reference to a pre-integrated SAML SSO
> valve implementation that you've had a good experience with?
>

Searching Google for "SAML SP for servlet engine" gives a few links, among them this one:
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink

I haven't tried it myself. In my cases, I always use an Apache httpd front-end, which does the authentication prior to proxying to a back-end Tomcat (with the Connector attribute 'tomcatAuthentication="false"'). In the front-end Apache2 httpd then, we use Shibboleth as the SAML SP side.
That works perfectly.


Re: Tomcat SSO valve implementation

Steve Sanders
Just to add on to the options already listed (which I'm sure work just
great!), we used openSAML and wrote our own valve fairly painlessly and
have been having really good success with it.

Steve Sanders

On Mon, Dec 21, 2020 at 1:17 PM George Stanchev <[hidden email]> wrote:

> We use spring-security-saml for application-level SP implementation and it
> works pretty good too. The project is in the process of being rewritten
> from scratch though with 2.0 in milestone builds. No direct integration
> with Tomcat though but on application level.
>
> George

Re: Tomcat SSO valve implementation

Brian Wolfe
Most apps I have seen implement it themselves using a SAML framework like
Spring. Usually they build the functionality into their app. I suppose you
could build a Tomcat implementation; Tomcat supports J2EE, so you could
leverage those mechanisms to get the Tomcat session. I don't think there is
anything OOTB for Tomcat SAML. Essentially you need to create a couple of
endpoints: one for SAML metadata retrieval/generation and one for parsing
an incoming SAML assertion, assuming you're providing a service with your
app. You would also want a logout endpoint. You will also need to figure
out login, as your app needs to redirect to the IDP in the event a user
does not have a session. Some SPs have a local login and IDP login. So you
would have to implement that.

In my quick Google searching there seems to be a tool called PicketLink
that might do some of this for you. This seems to be a decent write-up,
although I haven't used it.
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink


On Tue, Dec 22, 2020 at 12:04 PM Steve Sanders <[hidden email]> wrote:

> Just to add on to the options already listed (which I'm sure work just
> great!), we used openSAML and wrote our own valve fairly painlessly and
> have been having really good success with it.
>
> Steve Sanders


--
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/