Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?

Nate Klingenstein ndk at signet.id
Fri Jan 28 18:22:06 UTC 2022


Bang,

> I'm impressed by your quick response :).

It's one of my many bad habits. :D

I understand what you're trying to accomplish.  The "easiest" way to do this would probably be AJP between machine B and machine A, but you could rig up a system where machine B, after receiving the SAML assertion, has a simple shim that processes the attributes, packages them into something like an OAuth token, and then redirects the user back to machine A with enough information to retrieve the temporary token.  Machine A would then create and persist a session for the user.

I would prefer the proxying approach, personally, but it depends on how much infrastructure you want to build and maintain, or whether you can find a toolkit already written and maintained by someone else that is capable of doing something similar.

Maybe someone else on the list has a more clever idea.

Take care,
Nate

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id

-----Original message-----
From: Bang Pham Huu
Sent: Friday, January 28 2022, 11:13 am
To: users at shibboleth.net
Subject: Re: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?

Hi Nate,

I'm impressed by your quick response :).

I'm new to Shibboleth, of course, and I just have a naive idea of how it
works in a common-sense way.

So, I develop a Java web application on machine A, and another guy works on
the Shibboleth SP on machine B (I have no influence on him).

Then, I just wanted to make my web application send a request to the
Shibboleth SP on machine B, which will use a test Shibboleth IdP,

and finally, after logging in, somehow the Shibboleth SP on machine B
forwards everything to my web application on machine A.

Then, I can get the testing user's email attribute (subject-id) on my
web application.

I hope I'm clear about my plan.

Thanks,

On 1/28/22 7:06 PM, Nate Klingenstein wrote:
> Bang,
>
> Thanks for your use of SAMLtest.  We're up to ~75,000 providers and counting.  I'm glad you've found it useful.
>
> The communication between machine B and machine A is effectively remoting login and session management to a third party rather than performing it in the application, which is both architecturally sound in some instances and in need of sufficient security and integrity: you basically need an authentication protocol for this.
>
> The workaround you mention, whether via HTTP forwarding or AJP proxying, is the most natural and easiest way I can think of.  Is there a particular reason you want to avoid it?  There are limited alternatives using Shibboleth, but there are options using other approaches depending on how much you want to build and how sensitive your application is.
>
> Hope to learn more about your needs,
> Nate
>
> --------
> Signet, Inc.
> The Art of Access ®
>
> https://www.signet.id
>
> -----Original message-----
> From: Bang Pham Huu
> Sent: Friday, January 28 2022, 10:53 am
> To: users at shibboleth.net
> Subject: Shibboleth 3 SP separated from Tomcat java web application in 2 different machines?
>
> Hello,
>
> I've a Java web application running on Tomcat8 on machine A
> (https://machineA:8080/app)
>
> and a machine B installed with Apache2 and Shibboleth 3 SP
> (https://machineB/Shibboleth.sso/)
>
> which is configured to use https://samltest.id/ as Shibboleth IdP.
>
> What I want to achieve is:
>
> - When I access https://machineA:8080/app
>
>      -> it invokes Java code:
> httpServletResponse.sendRedirect("https://machineB/Shibboleth.sso/Login")
>
>      -> It redirects to the Shibboleth IdP on https://samltest.id
>
>      -> However, after I logged in with the test user there, it stopped
> on https://machineB and doesn't redirect to https://machineA:8080/app?
>
>      I wanted to have the subject-id attribute returned from
> https://samltest.id in my web application.
>
> - There is another way around, which is Apache2 on machine B works as
> proxy protecting machine A
>
>   with Tomcat8 as mentioned (Apache2 redirects to Tomcat8 via AJP 1.3),
> as described here:
> https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072431/NativeSPJavaInstall
>
>   But it is not what I wanted.
>
> Thanks,
>
-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
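The AJP-proxy arrangement Nate prefers in the thread, written out as an added example; this is not configuration from the thread, from the Shibboleth project or from the linked wiki page. It assumes Apache httpd 2.4.42 or later with mod_proxy_ajp and mod_shib on machine B, Tomcat 8.5.51 / 9.0.31 or later on machine A with its AJP connector on port 8009, and that the hostnames, the /app context path and the shared secret are placeholders:

```apache
# Added example, not configuration from the thread or the Shibboleth project.
# Apache httpd on machine B: the Shibboleth SP establishes the session here,
# then the request is proxied over AJP to Tomcat on machine A, with the SAML
# attributes carried as AJP request attributes rather than as HTTP headers.
# Hostnames, the /app path and the secret are assumed placeholders.
<VirtualHost *:443>
    ServerName machineB
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as for any TLS vhost

    # SP handler endpoints (Login, SAML2/POST, Logout, Session) stay on this host.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Require a Shibboleth session before anything under /app is proxied.
    <Location /app>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
        # Export attributes as environment variables only. With
        # attributePrefix="AJP_" on ApplicationDefaults in shibboleth2.xml
        # they become AJP_subject-id etc., and mod_proxy_ajp forwards
        # AJP_-prefixed variables to Tomcat as request attributes (prefix
        # stripped). Headers stay off so a client cannot inject its own
        # "subject-id" header.
        ShibUseEnvironment On
        ShibUseHeaders Off
    </Location>

    # AJP to Tomcat on machine A. "secret" (httpd >= 2.4.42) must match the
    # Connector's secret attribute; the connector should listen only on an
    # interface reachable from machine B.
    ProxyPass        /app ajp://machineA:8009/app secret=replace-with-long-random-secret
    ProxyPassReverse /app ajp://machineA:8009/app
</VirtualHost>
```

On the Tomcat side, the AJP `<Connector>` in server.xml needs `protocol="AJP/1.3"`, `tomcatAuthentication="false"` (so `getRemoteUser()` reflects the REMOTE_USER set by the SP), `secretRequired="true"` with the matching `secret`, an `address` bound to the interface machine B reaches it on, and an `allowedRequestAttributesPattern` regex matching the attribute ids you expect (for instance `subject-id`); attributes that do not match the pattern make the connector reject the request with a 403. The servlet then reads the value as `(String) request.getAttribute("subject-id")`. Two caveats: the application must be reached as https://machineB/app, and Tomcat's own HTTP connector on machineA:8080 should be firewalled or removed, otherwise a client that bypasses machine B gets an unauthenticated path into the app (the attributes are simply null there, and nothing enforces the login). And an SP session on machine B does not end the application's own session on A, so logout has to be handled on both sides.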
