It sounds like you're trying to host the SAML metadata file. This is usually the responsibility of the identity provider service.
Presumably, your metadata file also contains the address of the identity provider that the vendor application authenticates against. Does the service at this address not host its own copy of the metadata?
I also find it very strange that the vendor app must retrieve the file through HTTP. Most applications that use SAML authentication are also able to read a metadata file that is bundled with the application. Maybe you can hack around it by configuring the location of the metadata file using the file protocol, rather than the http protocol.
Anyway, if you're stuck with having to host the metadata file yourself, then I recommend hosting it in a separate web server. You can do it in a second Tomcat instance, or as Tim has pointed out, you can also do it with another web server.
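If you do end up serving the metadata document from a second Tomcat instance, one tidy way is a tiny read-only servlet rather than an open static directory. The following is an added example, not code from the original post or from any vendor product; it assumes a Jakarta Servlet 5 container (Tomcat 10 or later) and a metadata file bundled into the WAR at WEB-INF/classes/saml/metadata.xml, both of which are assumptions for the illustration.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// Hypothetical servlet that exposes exactly one SAML metadata document at a fixed URL.
// Deploy it (as a WAR) into the separate Tomcat instance suggested in the post above.
@WebServlet(urlPatterns = "/saml/metadata", loadOnStartup = 1)
public class MetadataServlet extends HttpServlet {

    // Assumed classpath location of the bundled metadata file (WEB-INF/classes/saml/metadata.xml).
    private static final String METADATA_RESOURCE = "/saml/metadata.xml";

    private byte[] metadata;

    @Override
    public void init() throws ServletException {
        // Read the document once at startup so a missing or unreadable file fails the
        // deployment immediately instead of surfacing as an error on the first request.
        try (InputStream in = MetadataServlet.class.getResourceAsStream(METADATA_RESOURCE)) {
            if (in == null) {
                throw new ServletException("SAML metadata not found on classpath: " + METADATA_RESOURCE);
            }
            metadata = in.readAllBytes();
        } catch (IOException e) {
            throw new ServletException("Cannot read SAML metadata", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The registered media type for SAML metadata documents.
        resp.setContentType("application/samlmetadata+xml");
        resp.setCharacterEncoding("UTF-8");
        resp.setContentLength(metadata.length);
        // Metadata is public, but a cached copy must not outlive a signing-certificate rotation
        // at the identity provider, so ask intermediaries not to store it.
        resp.setHeader("Cache-Control", "no-store");
        try (OutputStream out = resp.getOutputStream()) {
            out.write(metadata);
        }
    }
    // No doPost/doPut overrides: HttpServlet answers those with 405 Method Not Allowed,
    // so the endpoint stays strictly read-only.
}
```

Because only doGet is implemented, the document cannot be modified through this endpoint, and because the bytes are loaded from a fixed classpath resource there is no path parameter for a client to tamper with. The vendor application's HTTP metadata URL then simply points at https://your-host/context/saml/metadata on the second instance.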
Himai Minh wrote: Nowadays, with Spring Boot, people use embedded Tomcat server instead of deploying WAR to an external Tomcat.
That assumes that you write your application using Spring. The Java web application development ecosystem consists of more than just Spring.
Also, one of the Spring Framework advocates, Josh Long, has a quote: "make jar, not war". So, that means we can package Spring Boot applications in jar files, instead of using war files.
This might be a nice maxim for small to medium size development houses, but many larger developers have a very mature infrastructure of finely tuned application servers, and require you to deploy your application into them as a WAR. Bundling an embedded application server with every application is nice if you want to quickly deploy a simple web application at your customers, but for more complex enterprise software it is not only pointless, it's wasteful as well.
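For readers who are in the "deploy a WAR into the existing application server" situation described above, the two approaches are not mutually exclusive: a Spring Boot application can be packaged as a WAR for an external Tomcat while still running with the embedded server during development. The following is an added example and not code from either poster; it uses Spring Boot's public SpringBootServletInitializer hook and assumes a Maven build with `<packaging>war</packaging>` and the spring-boot-starter-tomcat dependency marked `provided` (so the embedded Tomcat jars are not bundled into the WAR the external Tomcat receives).

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

// Hypothetical application class for a Spring Boot app that must be deployed as a WAR
// into an externally managed Tomcat, yet still starts with 'java -jar' for local testing.
//
// Assumed build settings (Maven):
//   <packaging>war</packaging>
//   spring-boot-starter-tomcat with <scope>provided</scope>
// With the starter marked 'provided', the WAR relies on the servlet container the
// operations team has tuned and hardened, rather than shipping its own copy of Tomcat.
@SpringBootApplication
public class Application extends SpringBootServletInitializer {

    // Called by the external servlet container when the WAR is deployed; this replaces main().
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
        return builder.sources(Application.class);
    }

    // Entry point for the embedded-server path ('java -jar' or 'mvn spring-boot:run').
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
```

The same class therefore satisfies both camps in the thread: developers keep the one-command local start, while the mature application-server infrastructure receives a plain WAR and remains the single place where TLS, connector limits and patch levels are managed.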