https://issues.apache.org/bugzilla/show_bug.cgi?id=54503
Bug ID: 54503
Summary: SAML2 based single sign on
Product: Tomcat 8
Version: trunk
Hardware: Macintosh
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: toby.hob...@cloudseal.com
Classification: Unclassified

Created attachment 29906
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29906&action=edit
Unified diff including new and changed files

SAML2 is a standard for cross-domain single sign on and federation. We have developed a Tomcat authenticator which acts as a SAML2 service provider, i.e. it allows Tomcat applications to delegate authentication to a single sign on server (identity provider). We already offer this authenticator to our customers but we would now like to contribute it to the wider Tomcat community. Whilst Tomcat already offers single sign on between webapps, SAML2 allows SSO between different platforms (.NET, PHP etc.) and different hosts, so we feel it's a useful contribution.

The authenticator we have developed supports the most common SAML2 profiles and bindings, i.e. the Web Browser SSO profile using the redirect/POST binding. We have tested it with our own SSO server and also with a PHP implementation (SimpleSAMLphp). It should also work with other SAML2 implementations, although this has not been tested.

I've attached quite a large patch which includes a couple of changes to the core code and several additions:

- A new authenticator (SamlAuthenticator)
- An example webapp which demonstrates some of the features
- Various tests (which make use of the example webapp)
- Updates to the build.xml script
- Updates to the documentation, explaining how to use the new authenticator. We still need to add some more detail here
- Minor changes to Realm and RealmBase (see below)

The SamlAuthenticator always retrieves the username from the IDP (SSO server) and it can retrieve the Principal's roles in one of two ways:

1) The IDP can pass the roles across to Tomcat along with the username.
2) Tomcat can look up the roles from a configured Realm. To achieve this we had to make a change to Realm to allow "authentication" using a username alone.

The authenticator has 4 dependencies:

- saml2-core (our general saml2 library, in Maven Central with an Apache 2 license)
- log4j (required by saml2-core)
- commons-codec (required by saml2-core)
- commons-io (required by saml2-core)

This patch should be applied at p0, i.e. "patch -p0 < saml2.diff".

I'm sure there will be plenty of questions, which I'm happy to answer.

Toby
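The flow the report describes, as an added example that is not part of the bug report and not the cloudseal/Tomcat Java code in the attached patch: the AuthnRequest leaves over the HTTP-Redirect binding (raw DEFLATE, base64, URL parameter), the Response comes back over the HTTP-POST binding, and the service provider takes the username from the assertion and the roles either from an attribute the IDP sends or from a lookup against a configured realm by username alone. It is written in Python so it runs stand-alone; the entity IDs, URLs, the `role` attribute name, the in-memory `realm` dict standing in for a Tomcat Realm, and the unsigned sample response are all constructed assumptions. The example deliberately does not verify the XML signature, which a real SP must do before trusting anything in the response; what it does show are the other checks a SAML consumer must not skip (InResponseTo, Status, Audience, NotOnOrAfter) and how the two role-sourcing options differ.

```python
"""SAML2 Web Browser SSO profile as the reported authenticator uses it: the
AuthnRequest over the HTTP-Redirect binding, the Response over the HTTP-POST
binding, and both ways of sourcing roles (carried by the IdP as an attribute,
or looked up by username from a local realm). Added example, not the
cloudseal/Tomcat code in the patch; entity IDs, URLs, the "role" attribute name
and the sample IdP response are assumptions. XML signature verification is NOT
done here and must happen (e.g. via xmlsec) before trusting any of this."""
import base64
import uuid
import xml.etree.ElementTree as ET  # production: defusedxml, for entity-expansion safety
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/metadata"  # assumption
ACS_URL = "https://sp.example.test/saml/acs"       # assumption
IDP_SSO_URL = "https://idp.example.test/sso"       # assumption
ROLE_ATTR = "role"                                 # assumption: IdP attribute carrying roles

def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest asking the IdP to reply via the POST binding."""
    return ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="{id}" '
            'Version="2.0" IssueInstant="{when}" AssertionConsumerServiceURL="{acs}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            '<saml:Issuer>{sp}</saml:Issuer></samlp:AuthnRequest>'
            ).format(id=request_id, when=issue_instant, acs=ACS_URL, sp=SP_ENTITY_ID, **NS)

def redirect_binding_params(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return params

def decode_redirect_param(saml_request_param):
    """The IdP side: undo base64 and raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()

def parse_post_response(saml_response_b64, expected_request_id, now, realm=None):
    """Consume the SAMLResponse form field; return (username, roles) or raise ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:  # rejects a response replayed from another login
        raise ValueError("InResponseTo does not match the request we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conditions is None:
        raise ValueError("no assertion with conditions")
    audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:  # assertion minted for some other SP
        raise ValueError("assertion not intended for this SP")
    if now >= datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID")
    # Option 1: the IdP passes the roles across with the username.
    roles = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % ROLE_ATTR, NS)
        if v.text]
    # Option 2: nothing from the IdP, so look roles up from the configured realm by username alone.
    if not roles and realm is not None:
        roles = list(realm.get(name_id.text, []))
    return name_id.text, roles

def sample_response(request_id, not_on_or_after, roles=("manager",)):
    """Constructed, unsigned IdP response, base64 as it would arrive in the POSTed form."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % r for r in roles)
    attrs = ('<saml:AttributeStatement><saml:Attribute Name="%s">%s</saml:Attribute>'
             '</saml:AttributeStatement>' % (ROLE_ATTR, values)) if roles else ""
    xml = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" Version="2.0" '
           'InResponseTo="{rid}"><samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
           '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>toby</saml:NameID>'
           '</saml:Subject><saml:Conditions NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
           '<saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '{attrs}</saml:Assertion></samlp:Response>'
           ).format(rid=request_id, ok=SUCCESS, exp=not_on_or_after, sp=SP_ENTITY_ID, attrs=attrs, **NS)
    return base64.b64encode(xml.encode()).decode()

def demo():
    """One successful login each way, plus two responses the SP must reject."""
    now = datetime(2013, 2, 1, 12, 0, tzinfo=timezone.utc)
    req_id = "_" + uuid.uuid4().hex  # fresh per login; the SP keeps it to match InResponseTo
    params = redirect_binding_params(build_authn_request(req_id, now.isoformat()), "/protected")
    url = IDP_SSO_URL + "?" + urlencode(params)  # where the browser is sent (HTTP 302)
    expiry = (now + timedelta(minutes=5)).isoformat()
    realm = {"toby": ["tomcat", "admin"]}  # assumption: stands in for a configured Tomcat Realm
    from_idp = parse_post_response(sample_response(req_id, expiry), req_id, now)
    from_realm = parse_post_response(sample_response(req_id, expiry, roles=()), req_id, now, realm)
    rejected = []
    for bad_id, bad_expiry in (("_someone_elses_request", expiry), (req_id, now.isoformat())):
        try:
            parse_post_response(sample_response(bad_id, bad_expiry), req_id, now)
        except ValueError as err:
            rejected.append(str(err))
    return url, from_idp, from_realm, rejected
```

`demo()` returns the redirect URL, the `(username, roles)` pair for a response that carries roles as an attribute, the same pair for a response with no attribute statement where the roles come from the realm lookup, and the two error strings for a response bound to a different request and for an expired assertion. Note that with option 1 the IDP becomes the sole authority for authorization data, so whatever signs the response must be trusted to assign roles; with option 2 the IDP only vouches for the identity and the role mapping stays local, which is the safer default when the IDP is operated by another organisation.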