blob: f717eb85fc68cfe33eac3b026ace2bbf66f38843 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
# Shibboleth IDP version 3 docker
This is a dockerized version of shibboleth 3.x. It runs on the `jetty:9-alpine` base image, and has been preconfigured to use the SWAMID saml-2.0 metadata feed.
## Configuration
The way this docker image is structured is to try and make it simple to change certain aspects, such as additional local SP additions, FTICKS configuration, changing certificates and metadata.
Environment variables:
- `IDP_HOSTNAME` e.g. idp.nordu.net
- `IDP_SCOPE` e.g. `nordu.net`
- `IDP_ENCRYPTION_OPTIONAL` if set to `true` enables support for ServiceProvicers that do not supply an encryption key.
- `FTICKS_FEDERATION` e.g. `swamid` if set enables fticks logging.
- `FTICKS_SALT` a random salt used to anonymise user id, if not supplied the user id will not be included in logging.
- `FTICKS_HOST` if a fticks loggin server should be used you need to set this
- `FTICKS_PORT` if a fticks loggin server should be used you need to set this
- `IDP_PERSISTENTID_SALT` a random salt used if you need to release `eduPersonTargetdID`.
- `IDP_DEBUG` if enabled will set the loglevel to `DEBUT`, which logs the decrypted messages.
If you mount a directory in `/opt/data` you can overwrite certain things.
- `/opt/data/idp-metadata.xml` if this file is present it will replace the autogenerated metadata. You probably want to do this.
- `/opt/data/credentials/`
- `idp-signing.key` and `idp-signing.crt` will replace the autogrenerated signing cert.
- `idp-encryption.key` and `idp-encryption.crt` will replace the autogenarated encryption certs.
- `/opt/data/messages/*` allows you to add a `message.properties` file for localisation.
- `/opt/data/sp-metadata/*.xml` you can add metadata for private SPs, they will automatically get the same attributes released as a SWAMID service.
### Template messages
Here is an example of the `messages.properties` file from NORDUnet.
```
idp.title=Your IdP title
idp.footer=Your footer information here
idp.logo=/images/nordunet.png
idp.logo.alt-text=Your alt text
idp.url.password.change=http://example.com
idp.home=NORDUnet Home
idp.url.home=https://www.nordu.net
idp.aup=Acceptable Use Policy
idp.url.aup=https://www.nordu.net/content/acceptable-use-policy
idp.privacy=Privacy Statement
idp.url.privacy=https://www.nordu.net/content/data-security-and-encryption
# Used in index.jsp
root.title=Your IdP title
root.footer=Your footer information here
```
## Logging
If you mount a directory to `/opt/data` all the IDP logs will be written to `/opt/data/logs`.
As mentioned in the configuration section you can enable FTICKS logging by adding an environment variable.
If needed you can enable debug logging with an environment variable.
## Deploying in production
You might want to change some of the things in `idp/templates` e.g. add a logo in `idp/templates/edit-webapp/images`.
1. Clone the repository
2. Build using `docker build -t shibboleth-docker .`
3. Create a `data` dir that is owned by uid 100 gid 101, on ubuntu it seems to be `libuuid`
4. Gennerate new signing and encryption keys `openssl req -x509 -sha256 -nodes -days 7300 -newkey rsa:4096 -keyout idp-encryption.key -out idp-encryption.crt` and put them in `data/credentials/`
5. Make a proper idp-metadata.xml and put it in `data/`. You can copy the autogenerated one from docker using `docker cp ID:/opt/shibboleth-idp/metadata/idp-metadata.xml .` Remember to change the public keys to match the ones gennerated in step 4.
6. Create `data/messages/messages.properties`
```
docker run --rm -d -ti --name ndn-idp -v /opt/shibboleth-docker/data:/opt/data -e "IDP_HOSTNAME=idp.nordu.net" -e "IDP_SCOPE=nordu.net" -e "JAVA_OPTIONS=-Xmx1500m" -e "FTICKS_FEDERATION=swamid" -e "IDP_ENCRYPTION_OPTIONAL=true" shibboleth-docker
```
In NORDUnet we run our IdP behind nginx.
## Testing
The NORDUnet configuration requires that you can reach `ldap.nordu.net`, so make sure you can reach that. E.g. I need to be on VPN to access it.
Add the following to your `/etc/hosts` file:
```
127.0.0.1 idp.nordu.dev sp.nordu.dev
```
Then you can use docker compose to build and start the containers.
```
docker-compose -f compose-dev.yml up --build
```
When everything has started you need to add the SP metadata to the IdP, this can be done by running:
```
curl -k https://sp.nordu.dev/Shibboleth.sso/Metadata -o data/idp/metadata/sp-metadata.xml
dokcer-compose -f compose-dev.yml restart shibboleth-docker
```
Now you should be able to navigate to `https://sp.nordu.dev/secure/` where you should be prompted to log in.
### Emulating production
You can lie to your own machine and use your local development docker `idp.nordu.net`.
- Add `127.0.0.1 idp.nordu.net` to your `/etc/hosts` file.
- Create the following data layout
```
data
├── certs
│ ├── idp_nordu_net-bundle.pem
│ └── idp_nordu_net.key
├── env
├── idp-data
│ ├── credentials
│ │ ├── idp-encryption.crt
│ │ ├── idp-encryption.key
│ │ ├── idp-signing.crt
│ │ └── idp-signing.key
│ └── messages
│ └── messages.properties
└── nginx
└── idp.conf
```
- You can use selfsigned certs for the certs in the certs folder. But all credentials certs need to be from produdction.
- `env` can be empty
- Run `docker-compose -f compose-prod.yml up --build`
# Resources
- https://shibboleth.net/products/identity-provider.html
- https://wiki.shibboleth.net/confluence/display/IDP30/Installation+Directory+and+Configuration+Files
- http://www.jeesty.com/shibboleth Description of how Shibd works with Apache
- https://github.com/UNINETT/mod_auth_mellon
|
