After an explanation of the basic idea, did search for "Tomcat Windows Integration" and immediately got How-to document.

https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

>I don't think this is what I am looking for. I can't rely on the Windows login for the users identity since what I need is their eDir LDAP DN as authenticated by OSP to sspr.

Hi Rob,

This is exactly end result in my case: I use Windows logon info for initiate query to eDirectory and get correspondent eDirectory object. 

We cannot be certain that the Windows login is the same as the eDirectory login. I want the current OSP session's user DN (from eDirectory), not the AD user DN (based on the workstation login). Therefore this approach doesn't fit our use case.

I think I have a simple solution if I can just get past some issues in my development lab (the 4.7 server is using self-signed certs and I think thought was preventing my test javascript from running, but it seems to be happy with the cert now.

I created this HTML

<html>
 <head>
  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self';
script-src https://idm2.lab.cisus.com:9443/* 'self'; style-src 'self'">

  <meta charset="utf-8"/>
  <title>Who do I think you are?</title>
  <script src='WhoAmI.js'/>

 </head>

 <body>
 </body>
</html>

And then this javascript as WhoAmI.js:

fetch('//idm2.lab.cisus.com:9443/IDMProv/rest/access/users/fullName')
.then(
function(response) {
if (response.status !== 200) {
console.log('Looks like there was a problem. Status Code: ' +
response.status);
return;
}

// Examine the text in the response
response.json().then(function(data) {
console.log(data);
});
}
)
.catch(function(err) {
console.log('Fetch Error :-S', err);
});

Calling my html file from a browser that is already logged in to OSP, I would hope to get something similar to this back in the console:

{"dn":"cn=mary,ou=users,o=data","surname":"Contrary"}

but instead I get this in my debugger in Firefox

Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified

Hi Rob,

I'm happy to hear that you found a solution.

>We cannot be certain that the Windows login is the same as the eDirectory login. I want the current OSP session's user DN (from eDirectory), not the AD user DN (based on the workstation login). Therefore this approach doesn't fit our use case

It looks like you still have some confusions related to my solution.

Maybe it is not applicable to your current case, but I will try to explain it again.

1. We have a user in eDirectory. eDir DN: cn=user1,ou=Staff,o=Org

2. User has accounts in 2 different AD domains (even with completely different name convention).

AD1 DN: cn=user1,cn=users,dc=AD1,dc=com, AD1 logon: AD1\user1 

AD2 DN: cn=u1,cn=users,dc=AD2,dc=com, AD1 logon: AD2\u1

3. User object in eDirectory has information about AD logon names in the custom attribute NTLogonList. part of user LDIF:

dn: CN=user1,ou=Staff,o=Org
NTLogonList: AD1\user1
NTLogonList: AD2\u1

4. LDAP query to eDirectory with ANY of available AD logon names will return proper eDirectory DN

&(ntlogonlist=AD2\u1)(cn=A*) 

Result: CN=user1,ou=Staff,o=Org