Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?

Nate Klingenstein ndk at
Fri Jan 28 18:06:27 UTC 2022


Thanks for your use of SAMLtest.  We're up to ~75,000 providers and counting.  I'm glad you've found it useful.

The communication between machine B and machine A is effectively remoting login and session management to a third party rather than performing it in the application, which is both architecturally sound in some instances and requiring of sufficient security and integrity: you basically need an authentication protocol for this.

The workaround you mention, whether via HTTP forwarding or AJP proxying, is the most natural and easiest way I can think of.  Is there a particular reason you want to avoid it?  There are limited alternatives using Shibboleth, but there are options using other approaches depending on how much you want to build and how sensitive your application is.

Hope to learn more about your needs,

Signet, Inc.
The Art of Access ®

-----Original message-----
From: Bang Pham Huu
Sent: Friday, January 28 2022, 10:53 am
To: users at
Subject: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?


I have a Java web application running on Tomcat8 on machine A, and a machine B with Apache2 and Shibboleth 3 SP installed, which is configured to use <>/ as Shibboleth IdP.

What I want to achieve is:

- When I access https://machineA:8080/app
     -> it invokes some Java code
     -> it redirects to the Shibboleth IdP on <>
     -> however, after I logged in with the test user there, it stopped on https://machineB and didn't redirect to https://machineA:8080/app?
     I wanted to have the subject-id attribute returned from <> in my web application.

- There is another way around, which is Apache2 on machine B working as a proxy protecting machine A with Tomcat8 as mentioned (Apache2 redirects to Tomcat8 via AJP 1.3), here <>.
  But it is not what I wanted.
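A minimal version of the AJP proxying arrangement the reply recommends (Apache httpd plus Shibboleth SP on machine B in front of Tomcat on machine A), as an added example that is not from this thread or from the Shibboleth project. The internal address 10.0.0.1, port 8009, the /app path and the AJP secret are placeholders; the Tomcat connector and attribute-map fragments are shown as comments because they live in other files.

```apache
# Machine B: httpd.conf / a vhost with mod_shib and mod_proxy_ajp loaded.

# Machine A, conf/server.xml: bind AJP to the internal address only and
# require the shared secret, so nothing can reach Tomcat without passing
# the SP (port 8080 should not be reachable from clients at all):
#   <Connector protocol="AJP/1.3" address="10.0.0.1" port="8009"
#              secretRequired="true" secret="CHANGE-ME"
#              tomcatAuthentication="false" />
#
# Machine B, attribute-map.xml: mod_proxy_ajp only forwards environment
# variables prefixed AJP_, and strips the prefix on the Java side:
#   <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id"
#              id="AJP_subject-id"/>

ProxyRequests Off

<Location /app>
    # The SP forces a SAML login before the request is proxied.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    # Export attributes as environment variables, not HTTP headers, so a
    # client cannot inject a forged subject-id header of its own.
    ShibUseHeaders Off
    ShibUseEnvironment On

    # secret= needs httpd 2.4.42 or later and must match server.xml.
    ProxyPass        ajp://10.0.0.1:8009/app secret=CHANGE-ME
    ProxyPassReverse ajp://10.0.0.1:8009/app
</Location>
```

In the webapp the value then arrives as request.getAttribute("subject-id") rather than as a header, and the browser keeps talking to machine B throughout, which is why the redirect back to machineA:8080 is not needed in this layout.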

