Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?

Bang Pham Huu pham at
Fri Jan 28 18:13:12 UTC 2022

Hi Nate,

I'm impressed by your quick response :).

I'm new to Shibboleth, of course, and I just have a naive idea of how it
works in a common-sense way.

So, I develop a Java web application on machine A, and another guy works on
the Shibboleth SP on machine B (I have no influence on him).

Then, I just wanted to make my web application send a request to the
Shibboleth SP on machine B, which will use a test Shibboleth IdP,

and finally, after logging in, somehow the Shibboleth SP on machine B
forwards everything to my web application on machine A.

Then I can get the test user's email attribute (subject-id) in my
web application.

I hope I'm clear about my plan.


On 1/28/22 7:06 PM, Nate Klingenstein wrote:
> Bang,
> Thanks for your use of SAMLtest.  We're up to ~75,000 providers and counting.  I'm glad you've found it useful.
> The communication between machine B and machine A is effectively remoting login and session management to a third party rather than performing it in the application, which is both architecturally sound in some instances and in need of sufficient security and integrity: you basically need an authentication protocol for this.
> The workaround you mention, whether via HTTP forwarding or AJP proxying, is the most natural and easiest way I can think of.  Is there a particular reason you want to avoid it?  There are limited alternatives using Shibboleth, but there are options using other approaches depending on how much you want to build and how sensitive your application is.
> Hope to learn more about your needs,
> Nate
> --------
> Signet, Inc.
> The Art of Access ®
> -----Original message-----
> From: Bang Pham Huu
> Sent: Friday, January 28 2022, 10:53 am
> To: users at
> Subject: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
> Hello,
> I have a Java web application running on Tomcat 8 on machine A
> (https://machineA:8080/app)
> and a machine B installed with Apache2 and Shibboleth 3 SP
> (https://machineB/Shibboleth.sso/)
> which is configured to use <>/ as Shibboleth IdP.
> What I want to achieve is:
> - When I access https://machineA:8080/app
>      -> it invokes Java code:
>         httpServletResponse.sendRedirect("https://machineB/Shibboleth.sso/Login")
>      -> it redirects to the Shibboleth IdP on <>
>      -> However, after I logged in with the test user here, it stopped
>         at https://machineB and didn't redirect to https://machineA:8080/app?
>      I wanted to have the subject-id attribute returned from
>      <> in my web application.
> - There is another way around, in which Apache2 on machine B works as a
>   proxy protecting machine A with Tomcat 8, as mentioned (Apache2 redirects
>   to Tomcat 8 via AJP 1.3) here <>.
>   But it is not what I wanted.
> Thanks,
