Apache Tomcat Plugin

This page describes how to enable WS-Federation for an Apache Tomcat instance hosting Relying Party (RP) applications. Also note that from the 1.4.4 release, the Apache Tomcat Fediz plugin also supports SAML SSO. Recent version of Apache CXF Fediz ship two Tomcat plugins, one for Apache Tomcat 7 and one for Apache Tomcat 8.

This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Tomcat-RP instance will validate the incoming SignInResponse created by the IDP server.

Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Tomcat IDP instance as discussed here, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.

Installation

You can either build the Fediz plugin on your own or download the package here. If you have built the plugin on your own you'll find the required libraries in plugins/tomcat-${version}/target/...zip-with-dependencies.zip

  1. Create sub-directory fediz in ${catalina.home}/lib
  2. Update catalina.properties in ${catalina.home}/conf
    add the previously created directory to the common loader:
    common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
  3. Deploy the libraries to the directory created in (1)

Configuration

HTTPS configuration

It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications use the following TCP ports:

  • HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)
  • HTTPS port: 8443 (where IDP and STS are accessed)
  • Server port (for shutdown and other commands): 8005

These are the default ports for a standard Tomcat installation.

The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.

The Tomcat HTTP(s) configuration is done in conf/server.xml.

This is a sample snippet for an HTTPS configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="rp-ssl-key.jks" keyPass="tompass"
               keystorePass="tompass" sslProtocol="TLS" />

The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 8 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.

To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See this page for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.

Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.

If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.

Fediz Plugin configuration for Your Web Application

The Fediz related configuration is done in a Servlet Container independent configuration file which is described here.

The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available here.

A Valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml

You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.

META-INF/context.xml
  <Context> 
    <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
      configFile="conf/fediz_config.xml" />
  </Context> 
Host level in server.xml
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
           configFile="conf/fediz_config.xml" />
  </Host>
Context level in server.xml
  <Context path="/fedizhelloworld" docBase="fedizhelloworld">
    <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
      configFile="conf/fediz_config.xml" />
  </Context>

The Fediz configuration file is a Servlet container independent configuration file and described here

Web Application deployment

Deploy your Web Application to your Tomcat installation (<catalina.home>/webapps). If you're running the Fediz examples, their README files will have instructions on how to do this.

Federation Metadata document

The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which is described here.