We have a Java web application (using struts and hibernate) and want the users to automatically log into the Google apps domain accounts.

We have set up the Google apps for Education domain accounts and created the users in it and we have the same users in our java web application also.

The requirement is that when the users log into our application portal, there is a link to go to Google Apps; once they click on this link, it should log them in without asking for a password.

We are using Tomcat 7 as our server for the web application. Which SSO tool should we use for doing this? Oracle's SSO is paid, and Shibboleth doesn't work with Tomcat 7.

Any help is highly appreciated. Is SSO the only option, or is there another way to do this?

Thanks

1 Answer

Any SSO solution that supports the SAML2 protocol should work. Apart from the expensive solutions that Oracle, IBM, CA and others provide, you can find the following solutions that definitely work well with Tomcat 7 and are open source:

  • Apereo (ex Jasig) CAS: Used quite a lot in the education community. Simple to set up, but specific configurations (like an advanced authentication module) might require some programming effort. It supports Google Apps authentication, but no other SAML2 service. If you really want to only log in to Google Apps, that's a great and simple solution.

  • ForgeRock OpenAM: Formerly Sun OpenSSO, this is used in education and industry. Many more features, and it supports most of the SAML2 service providers out there including Google Apps, but it is more complex.

Note that if you already have a portal solution, you should check if that portal does not already support SAML2 federation and could act as the SSO server.

Note also that you will need to link the portal authentication and the SSO server authentication, to make sure that your users do not authenticate twice. This can be done in two ways:

  1. Tell the SSO server to delegate the authentication to your portal solution. This might require some light custom coding depending on your portal.
  2. The opposite: tell the portal to use the SSO as an authentication solution. Most portals support some kind of authentication delegation, so it should only be configuration.

Lastly, if your authentication is set up on Tomcat itself (that is, if your portal already delegates the authentication to the Tomcat container), then you can do the same for the SSO server.
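As an added illustration of the second option above with CAS (this is example configuration, not part of the original answer): the Jasig/Apereo java-cas-client servlet filters wired into the portal's web.xml so the Java web application on Tomcat 7 delegates its login to the CAS server. The hostnames sso.example.edu and portal.example.edu are placeholders.

```xml
<!-- Added example (not from the original answer): fragment of the portal's
     WEB-INF/web.xml delegating authentication to an Apereo/Jasig CAS server
     through the java-cas-client filters. Hostnames are placeholders. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <!-- Where unauthenticated users are redirected; must be HTTPS -->
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://sso.example.edu/cas/login</param-value>
  </init-param>
  <init-param>
    <!-- Public origin of the portal, used to build the service URL -->
    <param-name>serverName</param-name>
    <param-value>https://portal.example.edu</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <!-- Service tickets are validated server-to-server against this prefix -->
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://sso.example.edu/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://portal.example.edu</param-value>
  </init-param>
</filter>
<filter>
  <!-- Exposes the CAS principal via request.getRemoteUser() / getUserPrincipal() -->
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<!-- Mapping order matters: authenticate, then validate the ticket, then wrap -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The validation filter calls the CAS server over TLS, so Tomcat's JVM trust store must trust the CAS server certificate; with this in place the portal's "Google Apps" link only has to point at the Google Apps login URL, and CAS, holding the user's existing SSO session, completes the SAML2 login to Google without prompting again.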