This image is based on tomcat:8.5, Shibboleth IDP 3.3.2 and is customized according the AGID - SPID - Regole tecniche Identity Provider.
To build the image:
docker build -t giafar/shibboleth-idp .
if you change the tag giafar/spid-idp please remember to modify the docker-compose.yml file as well.
To download the image from docker hub
docker pull giafar/spid-idp
To run the image in interactive mode and expose the LDAP protocolo:
docker run -it --name spid-idp -p 443:443 giafar/spid-idp
or in detach mode
docker run -d --name spid-idp -p 443:443 giafar/spid-idp
To look at the logs in detached mode
docker container log --follow spid-idp
To get the ip adddress of a running container
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' spid-idp
The image uses the giafar/openldap backend for user authentication and expects the directory service is located at ldap.example.org
docker run -d --rm --name spid-ldap giafar/spid-ldap
docker run -d --rm --name spid-idp --link=spid-ldap:ldap.example.org giafar/spid-idp
Shibboleth logs are not redirected to the standard docker log so if you wanna follow this kind of log
docker container exec -i spid-idp sh -c 'tail -f /opt/shibboleth-idp/logs/*'
To stop and cleanup everything
docker container stop spid-idp
docker container stop spid-ldap
The image claims to implement a basic AGID Identity Provider according this specs. Some distributions files, Shibboleth Configuration File Summary, have been modified and discussed in this document:
- Access Control Configuration: shibboleth/dist/conf/access-control.xml.dist;
- Attribute Filter Configuration: shibboleth/dist/conf/attribute-filter.xml.dist;
- Attribute Resolver: shibboleth/dist/conf/attribute-resolver.xml.dist;
- LDAP Properties: shibboleth/dist/conf/ldap.properties.dist;
- Logging: shibboleth/dist/conf/logback.xml.dist;
- Metadata Filter Plugin: shibboleth/dist/conf/metadata-providers.xml.dist;
- Authentication Configuration: shibboleth/dist/conf/authn/general-authn.xml.dist;
- IPAddress Authn: shibboleth/dist/conf/authn/ipaddress-authn-config.xml.dist;
- MultiFActor Authn: shibboleth/dist/conf/authn/mfa-authn-config.xml.dist;
- Password Authn: shibboleth/dist/conf/authn/password-authn-config.xml;
Just to allow access from 0.0.0.0/0 network.
See Shibboleth Access Control Configuration
TODO
See Shibboleth Attribute Filter Configuration
TODO
See Shibboleth Attribute Resolver
TODO
TODO
TODO
See Shibboleth Metadata Filter Plugin
TODO
See Shibboleth Authentication Configuration
TODO
See Shibboleth IPAddress Authn
TODO
See Shibboleth MultiFActor Authn
TODO
The tomcat installation exposes the Shibboleth IDP solution via http and https. The tomcat/conf directory is copied inside the /usr/local/tomcat docker image folder and deploy a new server.xml and a Catalina/localhost/idx.xml file which is responsable to deply del idp.war package
The new entry is
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="/opt/shibboleth-idp/credentials/idp.example.org.key" certificateFile="/opt/shibboleth-idp/credentials/idp.example.org.crt" type="RSA" />
</SSLHostConfig>
</Connector>
a preconfigured X509 certificate and the related key are deployed during the docker image build.
Just deploy a new war
<Context docBase="/opt/shibboleth-idp/war/idp.war" unpackWAR="true" swallowOutput="true">
<Manager pathname="" />
</Context>