I've created a ZIP archive which contains two Tomcat setups, one for the relying party (the secured web application) and one for the identity provider (IDP). Starting from this package is the easiest way to experience how easily a web application can be SSO-enabled using SAML tokens according to the Passive Requestor Profile of the WS-Federation specification.
You can download the package here.
Installation
Unzip the downloaded archive. Each sub-directory contains a dedicated Tomcat instance; the two instances are described below.
tomcat-idp
Start the Tomcat container:
tomcat-idp/bin/startup.sh
(or startup.bat for windows)
Mar 8, 2012 8:59:13 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-9080"]
Mar 8, 2012 8:59:13 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-9443"]
Mar 8, 2012 8:59:13 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 4245 ms
The Tomcat IDP instance opens an HTTPS listener (9443) and an HTTP listener (9080). The insecure port is used for remote deployment during the Maven build.
This Tomcat instance has two WAR files deployed: fedizidp and fedizidpsts.
You can find more information about how to build and deploy the corresponding package here:
tomcat-rp
Start the Tomcat container:
tomcat-rp/bin/startup.sh
(or startup.bat for windows)
Mar 8, 2012 9:00:05 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Mar 8, 2012 9:00:05 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Mar 8, 2012 9:00:05 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2840 ms
The Tomcat RP instance opens an HTTPS listener (8443) and an HTTP listener (8080). The insecure port is used for remote deployment during the Maven build.
This Tomcat instance has one WAR file deployed: fedizhelloworld.
You can find more information about how to build and deploy the package here:
Test
Enter the following URL in the browser:
https://localhost:8443/fedizhelloworld/secureservlet/fed
to access the web application, which redirects the browser to the IDP component. The IDP challenges the browser for username and password. Next, the IDP/STS issues a SAML token containing all requested claims and "redirects" the browser back to the application.
This post describes how to test the fedizhelloworld application. The configured users and their claims are described here.
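To make the sign-in round trip described above concrete, here is an added example (not code from this post or from Apache CXF Fediz) that models both sides of the exchange in Python: the relying party builds the wsignin1.0 request it redirects the browser with, the IDP side reads those parameters, and the relying party validates the RequestSecurityTokenResponse (wresult) the IDP posts back before trusting any of its claims. The parameter names wa, wtrealm, wctx and wresult come from the WS-Federation specification; the IDP URL, the STS issuer name, the user alice and the sample token are constructed for this example. The XML signature over the assertion, which Fediz verifies against the IDP certificate, is deliberately out of scope here, so the audience, issuer and validity-window checks shown only mean something once that signature has been verified.

```python
"""Model of the WS-Federation passive requestor sign-in round trip.

Added example, not code from the blog post or from Apache CXF Fediz.
The parameter names wa / wtrealm / wctx / wresult are defined by the
WS-Federation specification; the IDP URL, STS issuer name, user and
token below are constructed for this example.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

# Namespaces of the RequestSecurityTokenResponse an IDP posts back as wresult.
NS = {
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

RP_REALM = "https://localhost:8443/fedizhelloworld/"         # the post's application URL
IDP_URL = "https://localhost:9443/fedizidp/"                  # assumed IDP sign-in endpoint
TRUSTED_ISSUERS = {"https://localhost:9443/fedizidpsts/STS"}  # assumed STS issuer name
ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

# Constructed wresult: an (unsigned) SAML 2.0 assertion for the made-up user "alice".
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponseCollection xmlns:t="{NS['t']}">
  <t:RequestSecurityTokenResponse>
    <t:RequestedSecurityToken>
      <saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_constructed-1" Version="2.0"
                       IssueInstant="2012-03-08T20:00:00Z">
        <saml2:Issuer>https://localhost:9443/fedizidpsts/STS</saml2:Issuer>
        <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
        <saml2:Conditions NotBefore="2012-03-08T20:00:00Z" NotOnOrAfter="2012-03-08T20:30:00Z">
          <saml2:AudienceRestriction>
            <saml2:Audience>{RP_REALM}</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
          <saml2:Attribute Name="{ROLE_CLAIM}">
            <saml2:AttributeValue>User</saml2:AttributeValue>
          </saml2:Attribute>
        </saml2:AttributeStatement>
      </saml2:Assertion>
    </t:RequestedSecurityToken>
  </t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection>"""


def build_signin_url(idp_url, wtrealm, wctx=None):
    """Step 1 (RP side): the URL the unauthenticated browser is redirected to."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wctx is not None:
        params["wctx"] = wctx  # opaque RP state the IDP echoes back unchanged
    return idp_url + "?" + urlencode(params)


def parse_signin_url(url):
    """Step 2 (IDP side): read the sign-in request parameters from the URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_utc(ts):
    """Parse the SAML UTC timestamp format (YYYY-MM-DDThh:mm:ssZ)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_wresult(wresult, expected_realm, trusted_issuers, now):
    """Step 3 (RP side): checks on the wresult the IDP form-POSTs back.

    The IDP returns an HTML form that auto-submits wa, wresult and wctx to the
    RP. Signature verification is out of scope here; in a real deployment the
    assertion's XML signature must be verified against the IDP certificate
    before any of the fields below are trusted.
    """
    assertion = ET.fromstring(wresult).find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 assertion in wresult")
    issuer = assertion.findtext("saml2:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {issuer}")
    audiences = {a.text for a in assertion.findall(".//saml2:Audience", NS)}
    if expected_realm not in audiences:  # token minted for a different RP
        raise ValueError(f"token not issued for this realm: {audiences}")
    cond = assertion.find("saml2:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None or not (parse_utc(nb) <= now < parse_utc(noa)):
        raise ValueError("token missing or outside its validity window")
    claims = {}
    for attr in assertion.findall(".//saml2:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    subject = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    return {"subject": subject, "issuer": issuer, "claims": claims}


def demo():
    """Run the whole round trip against the constructed token (fixed clock)."""
    request = parse_signin_url(build_signin_url(IDP_URL, RP_REALM, wctx="/secureservlet/fed"))
    assert request["wa"] == "wsignin1.0" and request["wtrealm"] == RP_REALM
    # Use datetime.now(timezone.utc) in practice; a fixed time matches the sample token.
    return validate_wresult(SAMPLE_WRESULT, request["wtrealm"], TRUSTED_ISSUERS,
                            parse_utc("2012-03-08T20:05:00Z"))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the subject, issuer and claims extracted from the constructed token; rejecting a token whose Audience is another realm, whose Issuer is not in the trusted set, or whose validity window has passed is what keeps a token issued for one application from being replayed against another.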
Secure your own web application
Follow these steps to secure your own web application:
- If your application runs in a Tomcat instance other than tomcat-rp, make sure the federation plugin is deployed into that instance as described here
- Configure the Tomcat Valve FederationAuthenticator in your META-INF/context.xml or Tomcat server.xml as described here
- Configure the URL of your web application (including the servlet context name) in RPClaims.xml (bean realm2ClaimsMap) in
<tomcat-idp>/webapps/fedizidp/WEB-INF/RPClaims.xml
and update the claims if required
- You can manage the claims of the users in
<tomcat-idp>/webapps/fedizidpsts/WEB-INF/userClaims.xml