Apache Tomcat Plugin
This page describes how to enable WS-Federation for a an Apache Tomcat instance hosting Relying Party (RP) applications. Also note that from the 1.4.4 release, the Apache Tomcat Fediz plugin also supports SAML SSO. It is at present the only container plugin to support SAML SSO - all of the other plugins only support WS-Federation. Recent version of Apache CXF Fediz ship two Tomcat plugins, one for Apache Tomcat 7 and one for Apache Tomcat 8.
This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Tomcat-RP instance will validate the incoming SignInResponse created by the IDP server.
...
You can either build the Fediz plugin on your own or download the package here. If you have built the plugin on your own you'll find the required libraries in plugins/tomcat-${version}/target/...zip-with-dependencies.zip
- Create sub-directory
fedizin${catalina.home}/lib - Update calatinacatalina.properties in ${catalina.home}/conf
add the previously created directory to the common loader:
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar - Deploy the libraries to the directory created in (1)
...
The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 7 8 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.
...
The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available here.
A Valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml
...
META-INF/context.xml
| Code Block | ||||
|---|---|---|---|---|
| ||||
<Context> <Valve className="org.apache.cxf.fediz.tomcattomcat8.FederationAuthenticator" configFile="conf/fediz_config.xml" /> </Context> |
Host level in server.xml
| Code Block | ||||
|---|---|---|---|---|
| ||||
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.cxf.fediz.tomcattomcat8.FederationAuthenticator" configFile="conf/fediz_config.xml" /> </Host> |
Context level in server.xml
| Code Block | ||||
|---|---|---|---|---|
| ||||
<Context path="/fedizhelloworld" docBase="fedizhelloworld"> <Valve className="org.apache.cxf.fediz.tomcattomcat8.FederationAuthenticator" configFile="conf/fediz_config.xml" /> </Context> |
...