Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
Nate Klingenstein
ndk at signet.id
Fri Jan 28 18:06:27 UTC 2022
Bang,
Thanks for your use of SAMLtest. We're up to ~75,000 providers and counting. I'm glad you've found it useful.
The communication between machine B and machine A is effectively remoting login and session management to a third party rather than performing it in the application, which is both architecturally sound in some instances and requiring of sufficient security and integrity: you basically need an authentication protocol for this.
The workaround you mention, whether via HTTP forwarding or AJP proxying, is the most natural and easiest way I can think of. Is there a particular reason you want to avoid it? There are limited alternatives using Shibboleth, but there are options using other approaches depending on how much you want to build and how sensitive your application is.
Hope to learn more about your needs,
Nate
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
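The HTTP-forwarding/AJP-proxying workaround referred to above is the configuration below, added here as an illustration and not taken from the thread or from the Shibboleth project's documentation. It assumes Apache httpd 2.4.42 or later on machine B (needed for the `secret=` parameter on an AJP `ProxyPass`), mod_shib loaded, the hostnames and ports from the question, and a placeholder AJP secret; everything else is the standard SP directive set.

```apache
# Added example (not from the thread): Apache httpd on machine B fronting the
# Tomcat application on machine A over AJP, with the Shibboleth SP enforcing
# a session before any request reaches the application.
# Hostnames, ports and the AJP secret are assumptions for illustration.

<VirtualHost *:443>
    ServerName machineB
    SSLEngine on
    # ... certificate directives omitted ...

    # SP handler URLs (Login, SAML2/POST, Session, etc.).
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Everything under /app requires an SP session; unauthenticated requests
    # are sent through the SessionInitiator to the IdP and return here.
    <Location /app>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session

        # Deliver attributes as AJP request attributes rather than HTTP
        # headers. This is the SP default; it is spelled out because headers
        # can be forged by any client that can reach Tomcat directly.
        ShibUseEnvironment On
        ShibUseHeaders Off
    </Location>

    # Hand the request to Tomcat's AJP connector on machine A. The secret must
    # match the "secret" attribute of that Connector (placeholder value).
    ProxyPass        /app ajp://machineA:8009/app secret=CHANGE_ME
    ProxyPassReverse /app ajp://machineA:8009/app
</VirtualHost>
```

On the Tomcat side (not shown) the AJP Connector in server.xml should listen only on an address reachable from machine B, carry the same `secret` (Tomcat 8.5.51 and later refuse to start an AJP connector without one unless `secretRequired` is turned off), and have `allowedRequestAttributesPattern` set to admit the SP attribute names, otherwise Tomcat rejects the proxied requests with 403. With that in place the application reads the IdP's value as `request.getAttribute("subject-id")`, provided `subject-id` is mapped in the SP's attribute-map.xml (the SP 3 default map includes it). If HTTP proxying with `ShibUseHeaders On` is used instead, the same trust boundary must be enforced by network rules: Tomcat on machine A must accept connections only from the proxy, or the attribute headers are worth nothing.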
-----Original message-----
From: Bang Pham Huu
Sent: Friday, January 28 2022, 10:53 am
To: users at shibboleth.net
Subject: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
Hello,
I've a java web application running on Tomcat8 on machine A
(https://machineA:8080/app)
and a machine B installed with Apache2 and Shibboleth 3 SP
(https://machineB/Shibboleth.sso/)
which is configured to use https://samltest.id/ as Shibboleth IdP.
What I want to achieve is:
- When I access https://machineA:8080/app
-> it invokes a java code
httpServletResponse.sendRedirect("https://machineB/Shibboleth.sso/Login")
-> It redirects to the Shibboleth IdP on https://samltest.id
-> However, after I logged in with the test user there, it stopped
at https://machineB and did not redirect to https://machineA:8080/app?
I wanted to have the subject-id attribute returned from
https://samltest.id in my web application.
- There is another way around, in which Apache2 on machine B works as a
proxy protecting machine A with Tomcat8, as mentioned
(Apache2 redirects to Tomcat8 via AJP 1.3) here:
https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072431/NativeSPJavaInstall
But it is not what I wanted.
Thanks,