These instructions require both Docker and Docker Compose to be installed.
First generate a key and certificate for Shibboleth to use when talking to the IdPs:
pushd certificates
./keygen.sh
popd
This will create
certificates/sp-cert.pem
certificates/sp-key.pem
You will need to request a valid host certificate and key and place them in
certificates/hostcert.pem
certificates/hostkey.pem
If you have any additional IdP providers other than those that come through the InCommon Federation, add them to the file provider-metadata.xml. The contents of this file are inserted inside the <SPConfig> element, so they should contain only the <MetadataProvider> section for the additional IdPs. For example, a valid provider-metadata.xml can contain one or more IdPs in the format:
<MetadataProvider type="XML" url="https://sugwg-ds.phy.syr.edu/sugwg-orcid-metadata.xml"
backingFilePath="/var/log/shibboleth/sugwg-orcid-metadata.xml" reloadInterval="82800" legacyOrgNames="true"/>
If the service provider will serve more than one hostname, then you will need to edit the file assertion-consumer-service.xml and add an additional <EndpointBase> for each hostname that the SP will serve. For example, if the host ce-dcc.phy.syr.edu also serves dcc.cosmicexplorer.org, add the lines:
<EndpointBase>https://dcc.cosmicexplorer.org/Shibboleth.sso</EndpointBase>
<EndpointBase>https://ce-dcc.phy.syr.edu/Shibboleth.sso</EndpointBase>
to assertion-consumer-service.xml.
If the service provider hosts more than one SAML SP endpoint, then you will need to edit the file assertion-consumer-service.xml and add the additional SAML endpoints to the metadata. Four URLs are generated by default with the hostname of the server, so additional URLs should start at index 5. For example, if the machine ce-dcc.phy.syr.edu also hosts an endpoint at dcc.cosmicexplorer.org, you will need to add the following lines to assertion-consumer-service.xml:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="/some/other/Shibboleth.sso/SAML2/POST" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="/some/other/Shibboleth.sso/SAML2/POST-SimpleSign" index="6"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="/some/other/Shibboleth.sso/SAML2/Artifact" index="7"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="/some/other/Shibboleth.sso/SAML2/ECP" index="8"/>
This file can also be used to specify additional ArtifactResolutionService URLs, starting at index 2, in the format:
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="/some/other/Shibboleth.sso/Artifact/SOAP" index="2"/>
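The three fragment files above (provider-metadata.xml, the <EndpointBase> lines, and the AssertionConsumerService / ArtifactResolutionService entries) are edited by hand, and an index that collides with the four generated defaults or a metadata URL fetched over plain HTTP is easy to miss. The following script is an added example, not part of this README or the sugwg/apache-shibd image: it generates the AssertionConsumerService lines for an extra endpoint in the order and numbering shown above, and checks a fragment for index collisions, duplicate indexes, unknown bindings and non-HTTPS URLs. It assumes the fragments are bare elements with no root (as the README describes) and that the md: prefix is the standard SAML 2.0 metadata namespace; the sample fragments in the test are constructed.

```python
"""Generate and sanity-check the Shibboleth SP metadata fragments described in
the README. Added example; assumptions are noted in comments."""
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# The four AssertionConsumerService bindings the build generates for the primary
# hostname, in the order the README lists them (they occupy indexes 1-4).
ACS_BINDINGS = [
    ("HTTP-POST", "SAML2/POST"),
    ("HTTP-POST-SimpleSign", "SAML2/POST-SimpleSign"),
    ("HTTP-Artifact", "SAML2/Artifact"),
    ("PAOS", "SAML2/ECP"),
]
DEFAULT_ACS_INDEXES = {1, 2, 3, 4}   # generated by the image build
DEFAULT_ARS_INDEXES = {1}            # README: extra ArtifactResolutionService starts at 2


def parse_fragment(text):
    """Parse a fragment of bare elements by wrapping it in a throwaway root that
    declares the md: prefix (assumption: standard SAML 2.0 metadata namespace)."""
    wrapped = f'<root xmlns:md="{SAML_MD_NS}">{text}</root>'
    return ET.fromstring(wrapped)


def endpoint_base(hostname):
    """One <EndpointBase> line for an additional hostname served by the SP."""
    return f"<EndpointBase>https://{hostname}/Shibboleth.sso</EndpointBase>"


def acs_entries(base_path, first_index):
    """The four AssertionConsumerService lines for one extra endpoint, numbered
    consecutively from first_index (the README says to start at 5)."""
    lines = []
    for offset, (binding, suffix) in enumerate(ACS_BINDINGS):
        lines.append(
            f'<md:AssertionConsumerService Binding="{SAML_BINDINGS}{binding}" '
            f'Location="{base_path}/Shibboleth.sso/{suffix}" index="{first_index + offset}"/>'
        )
    return lines


def check_acs_fragment(text):
    """Return a list of problems in an assertion-consumer-service.xml fragment."""
    problems = []
    root = parse_fragment(text)
    known = dict(ACS_BINDINGS)
    acs_idx = []
    for el in root.findall(f"{{{SAML_MD_NS}}}AssertionConsumerService"):
        idx = int(el.get("index", "0"))
        binding = el.get("Binding", "")
        if idx in DEFAULT_ACS_INDEXES:
            problems.append(f"AssertionConsumerService index {idx} collides with a generated default (1-4)")
        if not binding.startswith(SAML_BINDINGS) or binding[len(SAML_BINDINGS):] not in known:
            problems.append(f"unknown AssertionConsumerService binding {binding!r}")
        acs_idx.append(idx)
    if len(set(acs_idx)) != len(acs_idx):
        problems.append("duplicate AssertionConsumerService index")
    ars_idx = []
    for el in root.findall(f"{{{SAML_MD_NS}}}ArtifactResolutionService"):
        idx = int(el.get("index", "0"))
        if idx in DEFAULT_ARS_INDEXES:
            problems.append(f"ArtifactResolutionService index {idx} collides with the generated default (1)")
        ars_idx.append(idx)
    if len(set(ars_idx)) != len(ars_idx):
        problems.append("duplicate ArtifactResolutionService index")
    # EndpointBase is unprefixed in the README, so it is looked up without a namespace.
    for el in root.findall("EndpointBase"):
        if not (el.text or "").startswith("https://"):
            problems.append(f"EndpointBase {el.text!r} is not https")
    return problems


def check_provider_fragment(text):
    """Return a list of problems in a provider-metadata.xml fragment: only
    MetadataProvider elements belong there, and remote metadata should be
    fetched over https."""
    problems = []
    root = parse_fragment(text)
    for el in root:
        if el.tag != "MetadataProvider":
            problems.append(f"unexpected top-level element <{el.tag}>; only MetadataProvider belongs here")
            continue
        url = el.get("url", "")
        if not url.startswith("https://"):
            problems.append(f"metadata url {url!r} is not fetched over https")
        if not el.get("reloadInterval", "").isdigit():
            problems.append("reloadInterval missing or not an integer")
    return problems


if __name__ == "__main__":
    # Emit the fragment for the README's example: dcc.cosmicexplorer.org as an
    # extra endpoint, ACS indexes starting at 5.
    fragment = [endpoint_base("dcc.cosmicexplorer.org")] + acs_entries("/some/other", 5)
    print("\n".join(fragment))
    print("problems:", check_acs_fragment("\n".join(fragment)))
```

The https check is the minimum: Shibboleth can additionally verify a signature on remote metadata with a MetadataFilter, which this script does not model. Run it against the fragment before the docker build, since the metadata the image generates is what the IdPs will trust.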
Build the image, setting the --build-arg values to override the defaults as appropriate, for example:
docker build \
--build-arg SHIBBOLETH_SP_ENTITY_ID=https://ce-roster.phy.syr.edu/shibboleth-sp \
--build-arg SHIBBOLETH_SP_SAMLDS_URL=https://dcc.cosmicexplorer.org/shibboleth-ds/index.html \
--build-arg SP_MD_SERVICENAME="Syracuse University Gravitational Wave Group - CE COmanage" \
--build-arg SP_MD_SERVICEDESCRIPTION="Cosmic Explorer COmanage Roster" \
--build-arg SP_MDUI_DISPLAYNAME="Syracuse University Gravitational Wave Group - CE COmanage" \
--build-arg SP_MDUI_DESCRIPTION="Cosmic Explorer COmanage Roster" \
--build-arg SP_MDUI_INFORMATIONURL="https://cosmicexplorer.org" \
--rm -t sugwg/apache-shibd .
The container requires the environment variables HOSTNAME and DOMAINNAME to be set to the host and domain that you want for the container.
Then start the container with:
export HOSTIP=128.230.146.17
export DOMAINNAME=phy.syr.edu
docker-compose up --detach
where HOSTIP is the IP address of the NIC that you want to use.
You can log into the container with:
docker exec -it apache-shibd_apache-shibd_1 /bin/bash -l
The Shibboleth configuration files will be copied to the directory shibboleth/ for storage on the host and use by other containers.
To shut down the container, run the command:
docker-compose down