I’m trying to read up on SAML 2.0 as much as I can and would like to know if it is possible to, perhaps, put a SAML proxy (not sure of the right terminology but architecturally this makes sense to me) that would trap inbound SAML requests and perform a “translation” to an Unencrypted HTTP Header protected website.
To the client, it “looks” like a SAML protected site but in reality, there’s a Java Servlet (or something Java-esque) that does all the processing but actually is sending (or proxying) only what is needed to the Unencrypted HTTP Header-only SSO website.
Is this possible?
If I understand your question correctly, I think the Shibboleth SP does exactly what you have described.
Shibboleth SP can be installed as a module on Apache, IIS, etc. It works as a gate to your real webapp. It handles the authentication, and passes out the user information through environment variables or HTTP headers to your webapp.
You may want to read through the pages here https://wiki.shibboleth.net/confluence/display/SHIB2/Home to fully understand how it works. I am pretty sure it works very much like what you want.
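The translation step discussed in this thread, as an added example that is not part of the original question or answer and is not Shibboleth's own code: a gateway that hands identity to a header-only application has to discard any identity headers the browser sent and set them only from an already-verified assertion. The header names, attribute names, `;` separator and function name are assumptions chosen for illustration.

```python
# Added example: header-translation step of a SAML-to-header SSO gateway.
# Header and attribute names are assumptions, not Shibboleth defaults.

# SAML attribute name -> HTTP header the legacy application reads (assumed).
ATTRIBUTE_TO_HEADER = {
    "uid": "X-SSO-User",
    "mail": "X-SSO-Mail",
    "memberOf": "X-SSO-Groups",
}

def _canonical(name):
    """Fold case and treat '_' as '-', since CGI-style backends merge the two."""
    return name.strip().lower().replace("_", "-")

RESERVED = {_canonical(h) for h in ATTRIBUTE_TO_HEADER.values()}

def build_backend_headers(client_headers, saml_attributes):
    """Return the (name, value) list forwarded to the header-protected app.

    client_headers: (name, value) pairs exactly as received from the browser.
    saml_attributes: dict of attribute -> list of values from an assertion whose
    signature, audience and validity window were already verified upstream;
    None means there is no authenticated session.
    """
    # 1. Drop every client-supplied header that collides with an identity header.
    forwarded = [(n, v) for n, v in client_headers if _canonical(n) not in RESERVED]
    if saml_attributes is None:
        return forwarded  # unauthenticated: no identity headers at all
    # 2. Set identity headers only from the verified assertion.
    for attr, header in ATTRIBUTE_TO_HEADER.items():
        values = saml_attributes.get(attr)
        if not values:
            continue
        # Reject CR/LF so an attribute value cannot inject extra headers.
        if any("\r" in v or "\n" in v for v in values):
            raise ValueError(f"control characters in attribute {attr!r}")
        forwarded.append((header, ";".join(values)))  # ';' separator is assumed
    return forwarded

# Constructed sample request: the browser tries to assert its own identity.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "app.example.org"),
    ("X-SSO-User", "admin"),
    ("x_sso_groups", "superusers"),
    ("Accept", "text/html"),
]
SAMPLE_ATTRIBUTES = {"uid": ["jdoe"], "memberOf": ["staff", "wiki-editors"]}
```

The application behind the gateway should also be reachable only through the gateway, since anything that can connect to it directly can set these headers itself.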