Requirements:

- Any Docker supported OS which is capable of running Linux-based Docker containers
- Docker (https://docs.docker.com/engine/installation/linux/debian/)
- Docker-Compose (https://docs.docker.com/compose/install/)
- Git (https://www.digitalocean.com/community/tutorials/how-to-install-git-on-debian-8)

Components:

- Jetty as Servlet/JSP container and web server for Shibboleth
- phpLDAPadmin to administer the LDAP directory
- OpenLDAP as directory service for Shibboleth
- Shibboleth IdP providing Single Sign-On services
Setup:

1. Create the initial base configuration:

   ```sh
   chmod +x ./init.sh && ./init.sh
   ```

   Make a note of the backchannel and cookie password!

2. Edit the docker-compose environment variables:

   ```yaml
   JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD: <backchannel password from step 1>
   ```

3. Configure the ./config/idp/conf/idp.properties file:

   3.1. Set the IdP scope:

   ```properties
   # Set the scope used in the attribute resolver for scoped attributes
   idp.scope = example.org
   ```

   3.2. Enable the trackSPSessions property to allow SLO (Single Logout):

   ```properties
   # Track information about SPs logged into
   idp.session.trackSPSessions = true
   ```

4. Add metadata providers.
5. Set an AttributeFilterPolicy within the ./config/idp/conf/attribute-filter.xml file.
6. Configure the attribute resolver.
7. Configure the attribute filter.
Letsencrypt cert conversion to p12 format:

```sh
openssl pkcs12 -export -out idp-browser.p12 -inkey privkey.pem -in cert.pem -certfile chain.pem
```

Letsencrypt cert conversion to HAProxy pem:

```sh
cd haproxy/certs
DOMAIN='yourdomain.net' bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > $DOMAIN.pem'
# the combined pem contains the private key, so keep it readable by the owner only
chmod -R go-rwx .
```
Default LDAP credentials:

- LDAP user: cn=admin,dc=shib
- LDAP password: toor

Change this default password before exposing phpLDAPadmin or the LDAP port beyond the local host.
Create a self-signed TLS cert and convert it to p12 format:

```sh
cd ./config/idp/credentials
openssl req -nodes -new -x509 -keyout jetty.key -out jetty.crt
# -passout pass: exports the PKCS#12 file with an empty password
openssl pkcs12 -passout pass: -inkey jetty.key -in jetty.crt -export -out idp-browser.p12
```

LDAP memberOf search examples:

```
(&(objectClass=*)(memberOf=cn=students,ou=groups,dc=shib))
(&(objectClass=*)(memberOf=cn=professors,ou=groups,dc=shib))
```
Disable IdP assertion encryption (./config/idp/conf/relying-party.xml):

The override below is keyed to a single entityID via RelyingPartyByName, so encryption stays enabled for every other SP; do not turn it off in the default relying party configuration.

```xml
<util:list id="shibboleth.RelyingPartyOverrides">
    <!--
    Override example that identifies a single RP by name and configures it
    for SAML 2 SSO without encryption. This is a common "vendor" scenario.
    -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example-federation.us">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="false" />
            </list>
        </property>
    </bean>
</util:list>
```

References:

- https://github.com/dinkel/docker-openldap
- https://github.com/dinkel/docker-phpldapadmin
- https://github.com/Unicon/shibboleth-idp-dockerized
AttributeFilterPolicy example (./config/idp/conf/attribute-filter.xml):

```xml
<AttributeFilterPolicy id="https://sp.example-federation.us">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example-federation.us" />
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="memberOf">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```
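As an added example that is not part of this repository, the following Python script audits the two configuration snippets above together: it parses the relying-party override for SPs whose SAML2.SSO profile has `p:encryptAssertions="false"` and pairs each with the attributes the filter policy releases to it, so an operator can review which attributes leave the IdP in plaintext assertions. The XML fragments are constructed samples mirroring the snippets (with namespace declarations added so they parse stand-alone), and treating `c:relyingPartyIds` as a possible comma-separated list is an assumption.

```python
# Added example, not part of this repository: audit which SPs are configured to
# receive unencrypted assertions and which attributes the filter releases to them.
# The XML fragments are constructed samples mirroring the two snippets above.
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans", "c": "http://www.springframework.org/schema/c",
      "p": "http://www.springframework.org/schema/p", "afp": "urn:mace:shibboleth:2.0:afp"}

RELYING_PARTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:util="http://www.springframework.org/schema/util" xmlns:c="http://www.springframework.org/schema/c"
 xmlns:p="http://www.springframework.org/schema/p"><util:list id="shibboleth.RelyingPartyOverrides">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example-federation.us">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.SSO" p:encryptAssertions="false"/>
    </list></property>
  </bean>
</util:list></beans>"""

ATTRIBUTE_FILTER_XML = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="ShibbolethFilterPolicy">
  <AttributeFilterPolicy id="https://sp.example-federation.us">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example-federation.us"/>
    <AttributeRule attributeID="uid"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def unencrypted_sps(relying_party_xml):
    """EntityIDs whose RelyingPartyByName override sets SAML2.SSO encryptAssertions to false."""
    sps = set()
    for rp in ET.fromstring(relying_party_xml).iterfind(".//b:bean[@parent='RelyingPartyByName']", NS):
        # Assumption: c:relyingPartyIds may carry a comma-separated list of entityIDs.
        ids = [i.strip() for i in rp.get("{%s}relyingPartyIds" % NS["c"], "").split(",") if i.strip()]
        for prof in rp.iterfind(".//b:bean[@parent='SAML2.SSO']", NS):
            if prof.get("{%s}encryptAssertions" % NS["p"], "true").lower() == "false":
                sps.update(ids)
    return sps

def released_attributes(attribute_filter_xml):
    """Requester entityID -> sorted attributeIDs that carry a PermitValueRule."""
    out = {}
    for pol in ET.fromstring(attribute_filter_xml).iterfind("afp:AttributeFilterPolicy", NS):
        req = pol.find("afp:PolicyRequirementRule", NS)
        out[req.get("value") if req is not None else pol.get("id")] = sorted(
            r.get("attributeID") for r in pol.iterfind("afp:AttributeRule", NS)
            if r.find("afp:PermitValueRule", NS) is not None)
    return out

def audit(relying_party_xml, attribute_filter_xml):
    """Plaintext-assertion SPs mapped to the attributes released to each (review these first)."""
    released = released_attributes(attribute_filter_xml)
    return {sp: released.get(sp, []) for sp in unencrypted_sps(relying_party_xml)}
```

Run `audit()` against the real relying-party.xml and attribute-filter.xml contents to list every SP that gets plaintext assertions alongside the attributes it receives.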