Apparently the X509 Login Handler (https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler) was written for using Apache Httpd as the front end of the Shibboleth Java IdP. Could someone provide any insight on how to make X509 authentication to work directly with Tomcat without the Httpd? Thanks a lot! ND