Commit 1063db76 authored by Ulf Seltmann's avatar Ulf Seltmann
Browse files

initial release

parents
Pipeline #356 failed with stages
in 13 seconds
stages:
- image
- mirror
'2.6':
stage: image
image: docker:latest
services:
- docker:dind
script: |
mkdir -p ~/.docker && echo "$DOCKER_AUTH_CONFIG" >~/.docker/config.json
export suffix=`expr $CI_COMMIT_TAG ':' '2.6-\(.*\)'`
make 26
docker push ubleipzig/shibboleth:2.6
for tag in "latest" "2" "2.6-${suffix}"; do
docker tag ubleipzig/shibboleth:2.6 ubleipzig/shibboleth:${tag}
docker push ubleipzig/shibboleth:${tag}
done
tags:
- docker
only:
- /^2.6/
except:
- branches
github_mirror:
stage: mirror
image:
name: alpine/git
entrypoint: [ "/bin/sh", "-c" ]
variables:
GIT_STRATEGY: clone
GIT_CHECKOUT: "false"
script: |
cd /tmp
git clone --mirror ${CI_REPOSITORY_URL} project
cd project
git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/shibboleth.git
git push --mirror github
tags:
- docker
FROM debian:stretch-slim
ENTRYPOINT [ "/docker-entrypoint" ]
CMD ["shibd", "-u", "_shibd", "-g", "_shibd", "-F"]
ENV SHIB_HOSTNAME=https://localhost \
SHIB_HANDLER_URL=/Shibboleth.sso \
SHIB_SP_ENTITY_ID=https://hub.docker.com/r/smoebody/dev-dotdeb \
SHIB_IDP_DISCOVERY_URL=https://wayf.aai.dfn.de/DFN-AAI-Test/wayf \
SHIB_ATTRIBUTE_MAP=""
ADD assets/docker-entrypoint /docker-entrypoint
ADD assets/*.pem /etc/shibboleth/
RUN chmod a+x /docker-entrypoint \
&& apt-get update \
&& apt-get install -y --no-install-recommends shibboleth-sp2-utils \
&& rm -r /var/lib/apt/lists/*
VOLUME ["/etc/shibboleth", "/run/shibboleth"]
-----BEGIN CERTIFICATE-----
MIIFfzCCBGegAwIBAgIHF2SJb0dzzzANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQG
EwJERTETMBEGA1UEChMKREZOLVZlcmVpbjEZMBcGA1UECxMQR2VzY2hhZWZ0c3N0
ZWxsZTEfMB0GA1UEAxMWREZOLVZlcmVpbi1HUy1DQSAtIEcwMjAeFw0xNDA0MDkw
ODU5MTFaFw0xNzA0MDgwODU5MTFaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
QmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCkRGTi1WZXJlaW4xGTAX
BgNVBAsTEEdlc2NoYWVmdHNzdGVsbGUxJDAiBgNVBAMTG0dSUDogREZOLUFBSSBN
ZXRhZGF0YXNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUR
fxXgew5yir0FWnFXX7R3jqms00mbf5hrp4m/RPm0g3eIvmGcWHyw3L3p1UkygGUz
hLlPY74hXCgP+iiQOxTxO3nxtpA7CQmduhotVGadj9xfRJeDp5f+b9y1ssHNnbNz
QhvhxXbOytT4KAiKy958V8Bmi0YZeWlbGTUvnDuYKwMm/KeRqLqoH3mVGWd9N5+e
rvU5zdQ2KU60YCxQX/Tqhl4rjxAJCdtPtxuSeEpPSn/zMPTNToSXG/HqDbLMn+U8
yc8zMNFKbzOeH4yC1zobZ5IdtZINjb7yTc8YjTYLFX5Uun3D2JgrodRMp3KSyd/0
yNuvIVyzuXpfhkdP8OECAwEAAaOCAhgwggIUMC8GA1UdIAQoMCYwEQYPKwYBBAGB
rSGCLAEBBAMBMBEGDysGAQQBga0hgiwCAQQDATAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDvGJWmiD0xDBpWkM
o7BdbPqAQ1AwHwYDVR0jBBgwFoAUeaJiL87xBjlS53ZtYsfem2p1S0kwgZEGA1Ud
HwSBiTCBhjBBoD+gPYY7aHR0cDovL2NkcDEucGNhLmRmbi5kZS9kZm4tdmVyZWlu
LWdzLWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwQaA/oD2GO2h0dHA6Ly9jZHAyLnBj
YS5kZm4uZGUvZGZuLXZlcmVpbi1ncy1jYS9wdWIvY3JsL2dfY2FjcmwuY3JsMIHf
BggrBgEFBQcBAQSB0jCBzzAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRm
bi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEsGCCsGAQUFBzAChj9odHRwOi8vY2RwMS5w
Y2EuZGZuLmRlL2Rmbi12ZXJlaW4tZ3MtY2EvcHViL2NhY2VydC9nX2NhY2VydC5j
cnQwSwYIKwYBBQUHMAKGP2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZGZuLXZlcmVp
bi1ncy1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOC
AQEAf3gv6SbxfQrMHzx+iztTBC4HmKNrIQ5oPVkm/k2aYJRTZT6nQyjHv+aKmAg3
ht5yBKmEPE7SUrKWxC4Iv8s40XiiMJRX/3T9JTRkwUEVLFmVVM+AcGJokAog2hS8
AuRXoZWRvDsKlHn/PP0ZFDw35vgtAa3s86G+3GIxIiy4DpNqXLBjq+7JlMFTQRaf
Gn1wFU/Yd9mymcN8hzH8RDvhUcEOBATScEdm+KFZbhykquA1CR4pmhaffEiavj6/
0LpvwN9NQRv8n/JzqA8W1SsZPwCg342LqIqcGeTve3e2joyNyCWHuNYJQjTYur6o
hpNRqAmlu7VxPez3ZzBpI6i5aw==
-----END CERTIFICATE-----
\ No newline at end of file
#!/bin/bash
set -e
chmod 600 /etc/shibboleth/*.pem
chown _shibd:_shibd /etc/shibboleth/*.pem /run/shibboleth -R
if [ "${SHIB_IDP_ENTITY_ID}" != "" ];then
SHIB_SSO_ATTRS="entityID=\"${SHIB_IDP_ENTITY_ID}\""
elif [ "${SHIB_IDP_DISCOVERY_URL}" != "" ];then
SHIB_SSO_ATTRS="discoveryProtocol=\"SAMLDS\" discoveryURL=\"${SHIB_IDP_DISCOVERY_URL}\""
else
echo "you have either to provide the SHIB_IDP_DISCOVERY_URL or the SHIB_IDP_ENTITY_ID
environment variable in order to correctly set up shibboleth. exiting ...";
exit 1;
fi
METADATA_PROVIDER_DFN='
<MetadataProvider type="XML" uri="https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="/etc/shibboleth/dfn-aai-cert.pem"/>
</MetadataProvider>
'
METADATA_PROVIDER_LOCAL='
<MetadataProvider type="XML" file="partner-metadata.xml"/>
'
if [ "${SHIB_ATTRIBUTE_MAP}" != "" ]; then
IFS=',' read -ra attrlist <<< "${SHIB_ATTRIBUTE_MAP}";
for attr in "${attrlist[@]}" ;do
ATTRIBUTE_XML="${ATTRIBUTE_XML}
<Attribute name=\"${attr%%=*}\" id=\"${attr#*=}\" />\n"
done
sed -e 's!</Attributes>!!' -i /etc/shibboleth/attribute-map.xml
echo -e "${ATTRIBUTE_XML}\n</Attributes>" >>/etc/shibboleth/attribute-map.xml
fi
cat >/etc/shibboleth/shibboleth2.xml <<EOF
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="console.logger"
clockSkew="180">
<ApplicationDefaults entityID="${SHIB_SP_ENTITY_ID}" REMOTE_USER="eppn persistent-id targeted-id">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="; path=/; secure; HttpOnly" handlerURL="${SHIB_HANDLER_URL}">
<SSO ${SHIB_SSO_ATTRS}>
SAML2 SAML1
</SSO>
<Logout>SAML2 Local</Logout>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status" acl="${SHIB_STATUS_ACL} 127.0.0.1 ::1"/>
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
${METADATA_PROVIDER_DFN}
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
EOF
cat >/etc/shibboleth/metadata.xml <<EOF
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_f46fa7b46e8469845f8cb9c328321bbeba0308d2" entityID="${SHIB_SP_ENTITY_ID}">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
</md:Extensions>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
<md:Extensions>
<init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/Login"/>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/Login" index="1"/>
</md:Extensions>
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>dev-dotdeb</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>CN=dev-dotdeb</ds:X509SubjectName>
<ds:X509Certificate>MIIC5TCCAc2gAwIBAgIJAMTHl5c6BBC0MA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
BAMTCmRldi1kb3RkZWIwHhcNMTYwODA0MTMwNzQ3WhcNMjYwODAyMTMwNzQ3WjAV
MRMwEQYDVQQDEwpkZXYtZG90ZGViMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuU5yPc7A8TmYSOkcA5WexnYdnbuPgIZV6pfCbWAlnsHM7tF2Y2nPM0x3
WIQD6iC2zNQrGa3vdjRDpFNZLZELqC4pCUj3kunLG6DYE5QL+8xuukJmt5OXksXn
wc+8kY4DAu3M/DnS0y6P4UGFMcgj8wZ6xZpzdSLRGqHx4a+dtuORy28sHEoChRqE
IbK2RdHvwIaOKttl1gjILgMKx7QgtBfoTk6iouC24ez9cpQ7zewDSQ9alzUbd7PP
xJg59pjlIZ1tL65TAMRXYy5sKUVONVx0u6znntpxWBfWC0vaB+LtJcPRNNfr3hx/
2rerB5wcgJsdqkI38BuiFF9iDyogSwIDAQABozgwNjAVBgNVHREEDjAMggpkZXYt
ZG90ZGViMB0GA1UdDgQWBBRj9FbPgOUNEIdgS1QtP6+ufIHx4DANBgkqhkiG9w0B
AQUFAAOCAQEAguatA2EtGF7ZrW+xJ7O7qymiLO90QKyIopCXdTeOs/Zcylo+0d8J
FKvbEFAOc3cfPwKfwvOg9yFzAFjpdIPqu+jPWgBG3EA/g0vR8SI31NpI4mPiSnXt
aUpWu42KFIMoHiELletPXan6jKHfHKl+SqTAY1ifVG7qLjSTrxihvn+zhrgKbai4
2c48v2xg1Q1rv11DKWB61y2xhhgOIYlbfsiKlbIznGVDyeBaEd0yF25NgByfLbx1
bcpYpzl5TERBGs27fizTDKUq3hszXzgq3iuo8vdXiFGBdJ0oZXvuTTlSJF0CPQ7K
2mj+QMjgmZXcmRJtE9dC7iGXgREs3v12HA==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/Artifact/SOAP" index="1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/Redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/POST"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/Artifact"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/Artifact" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/ECP" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML/POST" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML/Artifact" index="6"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
# activate debugging for shibboleth
sed -e 's/\(log4j\.rootCategory=\)[^,]\+/\1DEBUG/' -i /etc/shibboleth/console.logger
exec "$@"
\ No newline at end of file
-----BEGIN CERTIFICATE-----
MIIC5TCCAc2gAwIBAgIJAMTHl5c6BBC0MA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
BAMTCmRldi1kb3RkZWIwHhcNMTYwODA0MTMwNzQ3WhcNMjYwODAyMTMwNzQ3WjAV
MRMwEQYDVQQDEwpkZXYtZG90ZGViMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuU5yPc7A8TmYSOkcA5WexnYdnbuPgIZV6pfCbWAlnsHM7tF2Y2nPM0x3
WIQD6iC2zNQrGa3vdjRDpFNZLZELqC4pCUj3kunLG6DYE5QL+8xuukJmt5OXksXn
wc+8kY4DAu3M/DnS0y6P4UGFMcgj8wZ6xZpzdSLRGqHx4a+dtuORy28sHEoChRqE
IbK2RdHvwIaOKttl1gjILgMKx7QgtBfoTk6iouC24ez9cpQ7zewDSQ9alzUbd7PP
xJg59pjlIZ1tL65TAMRXYy5sKUVONVx0u6znntpxWBfWC0vaB+LtJcPRNNfr3hx/
2rerB5wcgJsdqkI38BuiFF9iDyogSwIDAQABozgwNjAVBgNVHREEDjAMggpkZXYt
ZG90ZGViMB0GA1UdDgQWBBRj9FbPgOUNEIdgS1QtP6+ufIHx4DANBgkqhkiG9w0B
AQUFAAOCAQEAguatA2EtGF7ZrW+xJ7O7qymiLO90QKyIopCXdTeOs/Zcylo+0d8J
FKvbEFAOc3cfPwKfwvOg9yFzAFjpdIPqu+jPWgBG3EA/g0vR8SI31NpI4mPiSnXt
aUpWu42KFIMoHiELletPXan6jKHfHKl+SqTAY1ifVG7qLjSTrxihvn+zhrgKbai4
2c48v2xg1Q1rv11DKWB61y2xhhgOIYlbfsiKlbIznGVDyeBaEd0yF25NgByfLbx1
bcpYpzl5TERBGs27fizTDKUq3hszXzgq3iuo8vdXiFGBdJ0oZXvuTTlSJF0CPQ7K
2mj+QMjgmZXcmRJtE9dC7iGXgREs3v12HA==
-----END CERTIFICATE-----
\ No newline at end of file
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5TnI9zsDxOZhI
6RwDlZ7Gdh2du4+AhlXql8JtYCWewczu0XZjac8zTHdYhAPqILbM1CsZre92NEOk
U1ktkQuoLikJSPeS6csboNgTlAv7zG66Qma3k5eSxefBz7yRjgMC7cz8OdLTLo/h
QYUxyCPzBnrFmnN1ItEaofHhr52245HLbywcSgKFGoQhsrZF0e/Aho4q22XWCMgu
AwrHtCC0F+hOTqKi4Lbh7P1ylDvN7ANJD1qXNRt3s8/EmDn2mOUhnW0vrlMAxFdj
LmwpRU41XHS7rOee2nFYF9YLS9oH4u0lw9E01+veHH/at6sHnByAmx2qQjfwG6IU
X2IPKiBLAgMBAAECggEAPphrKsm+jz2/XVGxLtzJx4x6sJ98+BNozlf5S20hCCG7
EikbbrV9UnzQC8x8bggi98nrzT7eFvXMq6OkCipm36bIIeTODIiBHZIVq3dlHOeP
t8daX0Sx/NhxUxzTO+/WwJSHm+QEfWXLIHI7hfdvfVaA/mMQAU+DhxWRWYUzJ2Xg
4eTbYEI+MThaSazrDgL9a0lgv5/GlNd7xwL0qTDJBNnnYigKHJCiie0eF51Ej5NO
S8HbJakIb1DipSOnQuzPpMD82x4QMs6CICcF6c/TO6+vl2D+C9uLMCRwqTn3B20B
oqgxZhLKVddRMyzPWMsTkYObNSripTgwV5/M/pXH4QKBgQDajOxuhFG104j8KZMb
t6VBEBKBTNFDHM1jyLQHHXFy75W67tEwIEP3BLLwEOGPugNesjpEVwHdWzuSjIpS
yGAYOGca5TPZrkXgFbi70c39j1YFNe7IdJyye0cxUm8tGSpS3ugL0ntI4kWZtiIq
xKsenwmVz/O42+xI6DYoYqiqWQKBgQDZDze5EiJ0wcZQapF50akXtXCOvZvKjcY+
UmemKIVOn+juQccVKPX8f5Y9J6epUNoHGceGDjIzZimJQyzdyLa5U69CrbVjUVpC
rfVIiPxDinJD3kTBJCnSD+iGZ9auuGq+IOhxwGWPJ/KpzBMIKgcqvfA0+jjCMa+q
ZiPx7WqDQwKBgB8EQwXIR6RrehR3fgZAAPcD5extz4Eb1FZmBI7B8fji4bge7pdK
7Ppgs1h4vNpeBt5oovZR9tTIfuLkiTkIcQLe9lsNzlcFcatEyev18asbrZSdu969
FgQKlOb+EQMwgB40vm/3FkIYwtH21FCHitWUspKNacSBib4rHoyKu+85AoGAe1pG
lIpVwnyMsw6c9dnMeojGGphufMHtM2WpOag1eeUufpgrBz9r676mJsLuaS5leTuR
RAG1Tbh1Smg+ixuRm+iO5RnKx1JoNRSfHEWc9tUq8p7R++ENUy9vOVKxkkGDh+Ez
t9Fa5ewR36T1++HGiOfAJps8vj92USQSsV329fkCgYEAzcPskYLS0+Kd1F7bvGo8
K6fu+r7tvoUq1aCigclBWsLx5cWCq74tNYZTqE+Co8bQilh/+6MERi2IDiBY34d1
+7Nmd3le3en2bkySJ9mrIm9bUPzH8m6SAoiiqVlKID9DQfhhOrUI1FZ8b2nP66Gf
H2zBcxL4okxF+zqMuIOJ0Jw=
-----END PRIVATE KEY-----
\ No newline at end of file
# Changelog
## 2.6-0 - 2018-07-02
* initial release
# shibboleth
*shibboleth* is the shibboleth-authenticator as daemon `shibd` which communicates on socket `/var/run/shibboleth/shibd.sock`. This image should be used in connection with the [ubleipzig/httpd] webserver image, which provides the shibboleth-handler als apache2-module.
The base image is [debian:stretch-slim].
## supported Tags
* 2.6-*, 2.6, 2, latest ([2.6/Dockerfile])
## Usage of the Image
This Image is a support image and should be used in connection with [ubleipzig/httpd]. Furthermore it is necessare to set up a service-provider (SP) according to the federation-service where the SP should be used. The image can be used as follows:
```bash
$# docker run --name shibboleth \
-e SHIB_HOSTNAME=https://www.example.com \
-e SHIB_SP_ENTITY_ID=my-shibboleth-entity-id \
ubleipzig/shibboleth
$# docker run --name httpd \
--volumes-from shibboleth \
-v /path/to/static/files:/var/www/html \
-p 80:80 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D shibboleth
```
This starts the shibboleth-container and then mounts its volumes via `--volumes-from` into the httpd-container where the requests are handled. Be aware that the images won't work out-of-the-box. There is configuration you have to take care of:
## advanced configuration
* `SHIB_HOSTNAME=https://localhost`: the host-part of the shibboleth-handler. Has to be accessable from the IdP.
* `SHIB_HANDLER_URL=/Shibboleth.sso`: the path-part of the shibboleth-handler. Has to be accessable from the IdP.
* `SHIB_SP_ENTITY_ID=https://hub.docker.com/r/smoebody/dev-dotdeb`: the Entity-ID, which identifies the SP against the IdP (local or federated)
* `SHIB_IDP_ENTITY_ID=""`: the Entity-ID of the IdP which shall be used to log in.
* `SHIB_IDP_DISCOVERY_URL=https://wayf.aai.dfn.de/DFN-AAI-Test/wayf`: the URL of the discovery-service, of which IdP shall be used to log in. Specify either `SHIB_IDP_ENTITY_ID` or this variable.
* `SHIB_ATTRIBUTE_MAP=""`: simple 'name=id'-assignment separated by comma , die als Attribute hinzugefügt werden, z.B. `SHIB_ATTRIBUTE_MAP='foo=urn:1.2.3,bar=urn:1.2.4'`
[ubleipzig/httpd]: https://hub.docker.com/r/ubleipzig/httpd/
[debian:stretch-slim]: https://hub.docker.com/_/debian/
[2.6/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth/blob/master/2.6/Dockerfile
This diff is collapsed.
# shibboleth
*shibboleth* ist der Shibboleth-Authenticator, der durch den daemon `shibd` bereitgestellt wird und an Socket `/var/run/shibboleth/shibd.sock` kommuniziert. Das Image sollte zusammen mit dem [ubleipzig/httpd] Webserver-Image verwendet werden, welches den Shibboleth-Listener als Apache2-Modul zur Verfügung stellt.
Das Basis-Image ist [debian:stretch-slim].
## Unterstützte tags
* 2.6-*, 2.6, 2, latest ([2.6/Dockerfile])
## Nutzung des Images
Das Image ist ein Hilfsimage und sollte zusammen mit [ubleipzig/httpd] verwendet werden. Weiterhin ist es notwendig, einen entsprechenden Service-Provider an übergeordneter Stelle einzurichten.
```bash
$# docker run --name shibboleth \
-e SHIB_HOSTNAME=https://www.example.com \
-e SHIB_SP_ENTITY_ID=my-shibboleth-entity-id \
ubleipzig/shibboleth
$# docker run --name httpd \
--volumes-from shibboleth \
-v /path/to/static/files:/var/www/html \
-p 80:80 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D shibboleth
```
Hierbei startet der shibboleth-container und mountet die Volumes via `--volumes-from` in den httpd-container, welcher die Requests entgegennimmt. Bedenke, das dieses Image nicht Out-of-the-Box funktioniert. Es muss entsprechend deiner Umgebung konfiguriert werden:
## erweiterte Konfiguration
* `SHIB_HOSTNAME=https://localhost`: der Host-Teil des Shibboleth-Handlers. Muss vom IdP erreichbar sein.
* `SHIB_HANDLER_URL=/Shibboleth.sso`: der Path-Teil des Shibboleth-Handlers. Muss vom IdP erreichbar sein.
* `SHIB_SP_ENTITY_ID=https://hub.docker.com/r/smoebody/dev-dotdeb`: die Entity-ID, mit der der SP vom IDP identifiziert werden kann (lokal oder Föderation)
* `SHIB_IDP_ENTITY_ID=""`: die Entity-ID des IdP, der zur Anmeldung genutzt werden soll.
* `SHIB_IDP_DISCOVERY_URL=https://wayf.aai.dfn.de/DFN-AAI-Test/wayf`: die URL zum Discovery-Dienst, über den der IdP zur Anmeldung ausgewählt wird. Benutze entweder `SHIB_IDP_ENTITY_ID` oder diese Variable.
* `SHIB_ATTRIBUTE_MAP=""`: simple 'name=id'-Zuweisung mit Komma getrennt, die als Attribute hinzugefügt werden, z.B. `SHIB_ATTRIBUTE_MAP='foo=urn:1.2.3,bar=urn:1.2.4'`
[ubleipzig/httpd]: https://hub.docker.com/r/ubleipzig/httpd/
[debian:stretch-slim]: https://hub.docker.com/_/debian/
[2.6/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth/blob/master/2.6/Dockerfile
HTTP_PROXY = http://proxy.uni-leipzig.de:3128
HTTPS_PROXY = http://proxy.uni-leipzig.de:3128
IMAGE_NAME = ubleipzig/shibboleth
.PHONY: 2.6
2.6:
docker build --pull \
--build-arg HTTP_PROXY=$(HTTP_PROXY) \
--build-arg HTTPS_PROXY=$(HTTPS_PROXY) \
--build-arg NO_PROXY=$(NO_PROXY) \
--build-arg http_proxy=$(HTTP_PROXY) \
--build-arg https_proxy=$(HTTPS_PROXY) \
--build-arg no_proxy=$(NO_PROXY) \
-t $(IMAGE_NAME):2.6 \
2.6
\ No newline at end of file
# shibboleth
This repository holds the Dockerfiles for the shibbooleth-image.
## Image-Tags
The images are created via a gitlab-pipeline, see [.gitlab-ci.yml]. There are several tags which can be used:
* `2.6-*`: points to a specific build. Each build is specified by a number. The higher, the latter.
* `2.6`: points to the latest build from the `2.6`-line. It is the same as the last `2.6-*`.
* `2`: points to the latest build from the `2`-line. If there will be a `2.6`-line it will point to that latest build.
* `latest`: always points to the latest build.
## create images
Pushing the Code to the Repository does nothing. Images are created via GIT-Tags.
```
git tag -a 2.6-2 -m 'minor optimization'
git push origin 2.6-2
```
_this will create a new image with a tag named `2.6-2`. Also the Tags `2.6`, `2`, and `latest` will point to this image._
Only Repository-Masters will be able to create a new Tag.
## Contribution
In case you want to contribute please fork and make a pull-request at [Gitlab-hosting of Leipzig University]. This is due to internal policies and the higher flexibility when it comes to build images and push to [Docker-Hub]
## Todo
* Tests
[.gitlab-ci.yml]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth/blob/master/.gitlab-ci.yml
[Gitlab-hosting of Leipzig University]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth
[Docker-Hub]: https://hub.docker.com/r/ubleipzig/shibboleth/
\ No newline at end of file
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment