Apex, ORDS3, Tomcat7, Windows Server, SAML 2.0, and Amazon

From: Bill Ferguson <wbfergus_at_gmail.com>
Date: Wed, 30 Jan 2019 07:14:04 -0700
Message-ID: <CADEE6ZNZzGyNSBxGQJoSHDFdynwt62ZmJHrztK494_kiugxuuA_at_mail.gmail.com>



Hi all,

I currently have an environment of Windows Server 2012 R2, Oracle 12.1, Apex 5, and Tomcat7 (with organizational wildcard certificate). I am also only using LDAP authentication, as I have never in around 15 years been able to get the LDAPS authentication to work, and our LDAP administrators seem to be even more lost than I am. Also, later this year I am tasked with migrating my two systems to the Amazon cloud.

So with that basic info out of the way, the IT network security Nazis finally noticed that I am doing cleartext password authentication, and told me to convert to LDAPS. They don't care that the LDAP admins are clueless as to why I have always been unable to get Apex to authenticate; they just demand it get done.

Since I am also tasked with migrating everything to the Amazon cloud, my agency also has the mandatory requirement that all authentication in the cloud has to be done with SAML 2.0. So rather than waste my time with LDAPS, just to switch in a couple months to SAML, I'd rather spend my time productively with SAML.

And this is where I have a bunch of questions. Some may be easy, or even apparent, but I've been trying to wrap my head around how it will all work in the Amazon cloud and have been completely befuddled.

First off, I haven't found anything on the web about SAML in the Windows environment with Tomcat. The best resource I found is with a Linux environment, but along with the Tomcat webserver, he is also using the Apache HTTP server. This appears to me as though he is using two web servers? This seems so confusing and unnecessary, but I'm probably missing something. Could it be because of the requirement to use the 'mellon' packages (and something else, I forget which one), the only way to get them integrated into the environment is with the Apache HTTP server, and Tomcat itself is then needed to complete the communication to Apex?

Next question would be if anybody has any experience with all of this as it pertains to a cloud environment, preferably the Amazon cloud. In this regard I am confused about how the parts work together. The Oracle database part residing in the cloud I understand, I'm having problems figuring out how the Tomcat webserver, URL addressing and authentication would work.

Will I keep a machine running locally with the Tomcat web server, which will communicate to the Amazon cloud, determine it is a new connection for the day, then relay the authentication request back to Tomcat to then contact the 'identity provider' (is that an Active Directory server or a LDAP server?), get a token, then attach that token to all communication back and forth to the database? Or does the Tomcat installation reside in the cloud as well (requiring a different Amazon configuration, CHS vs AWS)?

Am I making any sense of this, or am I simply more lost than I know I already am? Thanks for any and all constructive assistance or suggestions.

--

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jan 30 2019 - 15:14:04 CET
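The "two web servers" layout asked about in the post is the usual way to bolt SAML 2.0 onto Tomcat-hosted ORDS/Apex: Apache httpd with mod_auth_mellon acts as the SAML service provider (SP), and once a user has a SAML session it reverse-proxies the request to Tomcat, passing the asserted identity in a request header that an Apex "HTTP Header Variable" authentication scheme reads. The following httpd configuration is an added illustration of that topology; it is not from the original post or from any resource the poster mentions. The hostname, certificate and metadata paths, the Tomcat port, and the header name X-Remote-User are assumptions for the example.

```apache
# Added example (not part of the original post): httpd as SAML 2.0 SP in front of
# ORDS on Tomcat. Hostnames, paths, port and header name are assumed values.
LoadModule auth_mellon_module modules/mod_auth_mellon.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule headers_module     modules/mod_headers.so
LoadModule ssl_module         modules/mod_ssl.so

<VirtualHost *:443>
    ServerName apex.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/wildcard.example.org.crt
    SSLCertificateKeyFile /etc/httpd/tls/wildcard.example.org.key

    # mod_auth_mellon: this host is the SP. The SP key/cert/metadata are generated
    # locally; the IdP metadata comes from the SAML identity provider (an AD FS or
    # other SAML IdP, not the LDAP directory itself).
    <Location />
        MellonEnable "auth"
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp-key.pem
        MellonSPCertFile       /etc/httpd/mellon/sp-cert.pem
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
        MellonSecureCookie On
        MellonSessionLength 28800
    </Location>

    # Drop any client-supplied copy of the identity header first, then set it from
    # the NameID that mod_auth_mellon exported after a successful SAML login.
    # Without the unset, a caller could pick their own username.
    RequestHeader unset X-Remote-User
    RequestHeader set   X-Remote-User "%{MELLON_NAME_ID}e" env=MELLON_NAME_ID

    # Hand the authenticated request to ORDS on Tomcat (loopback only).
    ProxyPreserveHost On
    ProxyPass        /ords http://127.0.0.1:8080/ords
    ProxyPassReverse /ords http://127.0.0.1:8080/ords
</VirtualHost>
```

Two checks matter for this to be safe. First, Tomcat must not be reachable except through httpd: bind its HTTP connector to 127.0.0.1 (the `address` attribute on the `<Connector>` in server.xml) or firewall port 8080, otherwise anyone who can reach Tomcat directly can send their own X-Remote-User and bypass SAML entirely. Second, the Apex application's authentication scheme is switched to "HTTP Header Variable" with X-Remote-User as the header name, so Apex trusts the identity only from that header. Whether httpd and Tomcat run on-premises or on an EC2 instance next to the database makes no difference to this layout; what the SAML IdP needs is the public HTTPS name of the httpd front end, since the SP metadata and assertion consumer URL are built from it.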