tomcat-dev mailing list archives
Subject DO NOT REPLY [Bug 51334] New: Web SSO support based on WS-Federation Passive Requestor Profile
Date Tue, 07 Jun 2011 11:39:20 GMT

             Bug #: 51334
           Summary: Web SSO support based on WS-Federation Passive
                    Requestor Profile
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
    Classification: Unclassified

The specification WS-Federation describes the Web SSO solution in chapter 13:

Tomcat should support this standard to integrate with other SSO solutions

Initially, an unauthenticated request is redirected to an identity provider
(IP) which issues, for instance, a SAML token. The IP is an external system. The
SAML token is validated by Tomcat (the Relying Party), which then creates the security
context in Tomcat.

The idea is to write a custom Authenticator which triggers the redirect,
verifies the signed SAML token, reads the claims information (like Role), sets
up a cookie and creates the security context.

The authenticator must provide the following configuration options:
- URL of IDP (mandatory)
- audience URI (mandatory)
- trusted certificate (signed SAML token) (mandatory)
- service (RP) keystore to decrypt encrypted SAML tokens (optional)
- list of requested claims (firstname, lastname, email, ...  see
- URI of the claim which contains the roles (needed for isUserInRole()...)
- token type, SAML 1.1, 2.0
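The redirect and the relying-party checks described above, as an added Python example (not code from this report or from Tomcat). The parameter names wa, wtrealm and wctx come from the WS-Federation passive profile; the hostnames, the role claim URI and the sample assertion are constructed, and XML-DSig verification against the trusted certificate is assumed to be done by a dedicated library before the checks below run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Claim URI used for roles in the constructed sample (the "URI of the claim which contains the roles" option).
ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

def signin_redirect_url(idp_url, audience_uri, original_url):
    """Redirect for an unauthenticated request: wa=wsignin1.0, wtrealm = RP audience URI,
    wctx = the page to return to once the IP has issued a token."""
    return idp_url + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": audience_uri, "wctx": original_url})

def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # SAML times are UTC

def validate_assertion(xml_text, audience_uri, roles_claim_uri, now):
    """RP-side checks before a security context is created: token type, signature present,
    validity window, audience restriction. Returns (subject, roles) or raises ValueError.
    XML-DSig verification against the trusted certificate is assumed to be done by a
    dedicated library before this call; it is not implemented here."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML2:
        raise ValueError("token type mismatch: expected a SAML 2.0 Assertion")
    if root.find("{%s}Signature" % DSIG) is None:
        raise ValueError("assertion is not signed")
    cond = root.find("{%s}Conditions" % SAML2)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no validity window")
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience_uri not in [a.text for a in cond.iter("{%s}Audience" % SAML2)]:
        raise ValueError("assertion was not issued for this audience URI")
    subject = root.findtext("{%s}Subject/{%s}NameID" % (SAML2, SAML2))
    if not subject:
        raise ValueError("assertion has no subject")
    roles = [v.text for attr in root.iter("{%s}Attribute" % SAML2) if attr.get("Name") == roles_claim_uri
             for v in attr.findall("{%s}AttributeValue" % SAML2)]
    return subject, roles

# Constructed sample assertion; the Signature content is a placeholder, not a real signature.
SAMPLE = """<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="_c1" Version="2.0" IssueInstant="2011-06-07T11:00:00Z">
<saml:Issuer>https://idp.example.test</saml:Issuer><ds:Signature>PLACEHOLDER</ds:Signature>
<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2011-06-07T11:00:00Z" NotOnOrAfter="2011-06-07T11:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://rp.example.test/app</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="%s">
<saml:AttributeValue>manager</saml:AttributeValue><saml:AttributeValue>employee</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>""" % (SAML2, DSIG, ROLE_CLAIM)
```

The roles list returned here is what an isUserInRole() check would be backed by; an expired assertion or one issued for a different audience URI is rejected before any cookie or security context is created.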
