initial release

1063db76 · Ulf Seltmann · 1063db76 · 1063db76 · 1063db76 · 1063db76
Commit 1063db76 authored Jul 02, 2018 by Ulf Seltmann
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+stages:
+- image
+- mirror
+
+'2.6':
+  stage: image
+  image: docker:latest
+  services:
+  - docker:dind
+  script: |
+    mkdir -p ~/.docker && echo "$DOCKER_AUTH_CONFIG" >~/.docker/config.json
+    export suffix=`expr $CI_COMMIT_TAG ':' '2.6-\(.*\)'`
+    make 26
+    docker push ubleipzig/shibboleth:2.6
+    for tag in "latest" "2" "2.6-${suffix}"; do
+      docker tag ubleipzig/shibboleth:2.6 ubleipzig/shibboleth:${tag}
+      docker push ubleipzig/shibboleth:${tag}
+    done
+  tags:
+  - docker
+  only:
+  - /^2.6/
+  except:
+  - branches
+
+github_mirror:
+  stage: mirror
+  image:
+    name: alpine/git
+    entrypoint: [ "/bin/sh", "-c" ]
+  variables:
+    GIT_STRATEGY: clone
+    GIT_CHECKOUT: "false"
+  script: |
+    cd /tmp
+    git clone --mirror ${CI_REPOSITORY_URL} project
+    cd project
+    git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/shibboleth.git
+    git push --mirror github
+  tags:
+  - docker
--- a/2.6/Dockerfile
+++ b/2.6/Dockerfile
+FROM debian:stretch-slim
+ENTRYPOINT [ "/docker-entrypoint" ]
+CMD ["shibd", "-u", "_shibd", "-g", "_shibd", "-F"]
+
+ENV SHIB_HOSTNAME=https://localhost \
+	SHIB_HANDLER_URL=/Shibboleth.sso \
+	SHIB_SP_ENTITY_ID=https://hub.docker.com/r/smoebody/dev-dotdeb \
+	SHIB_IDP_DISCOVERY_URL=https://wayf.aai.dfn.de/DFN-AAI-Test/wayf \
+	SHIB_ATTRIBUTE_MAP=""
+
+ADD assets/docker-entrypoint /docker-entrypoint
+
+ADD assets/*.pem /etc/shibboleth/
+
+RUN chmod a+x /docker-entrypoint \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends shibboleth-sp2-utils \
+	&& rm -r /var/lib/apt/lists/*
+
+VOLUME ["/etc/shibboleth", "/run/shibboleth"]
--- a/2.6/assets/dfn-aai-cert.pem
+++ b/2.6/assets/dfn-aai-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIFfzCCBGegAwIBAgIHF2SJb0dzzzANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQG
+EwJERTETMBEGA1UEChMKREZOLVZlcmVpbjEZMBcGA1UECxMQR2VzY2hhZWZ0c3N0
+ZWxsZTEfMB0GA1UEAxMWREZOLVZlcmVpbi1HUy1DQSAtIEcwMjAeFw0xNDA0MDkw
+ODU5MTFaFw0xNzA0MDgwODU5MTFaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
+QmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgNVBAoTCkRGTi1WZXJlaW4xGTAX
+BgNVBAsTEEdlc2NoYWVmdHNzdGVsbGUxJDAiBgNVBAMTG0dSUDogREZOLUFBSSBN
+ZXRhZGF0YXNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUR
+fxXgew5yir0FWnFXX7R3jqms00mbf5hrp4m/RPm0g3eIvmGcWHyw3L3p1UkygGUz
+hLlPY74hXCgP+iiQOxTxO3nxtpA7CQmduhotVGadj9xfRJeDp5f+b9y1ssHNnbNz
+QhvhxXbOytT4KAiKy958V8Bmi0YZeWlbGTUvnDuYKwMm/KeRqLqoH3mVGWd9N5+e
+rvU5zdQ2KU60YCxQX/Tqhl4rjxAJCdtPtxuSeEpPSn/zMPTNToSXG/HqDbLMn+U8
+yc8zMNFKbzOeH4yC1zobZ5IdtZINjb7yTc8YjTYLFX5Uun3D2JgrodRMp3KSyd/0
+yNuvIVyzuXpfhkdP8OECAwEAAaOCAhgwggIUMC8GA1UdIAQoMCYwEQYPKwYBBAGB
+rSGCLAEBBAMBMBEGDysGAQQBga0hgiwCAQQDATAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDvGJWmiD0xDBpWkM
+o7BdbPqAQ1AwHwYDVR0jBBgwFoAUeaJiL87xBjlS53ZtYsfem2p1S0kwgZEGA1Ud
+HwSBiTCBhjBBoD+gPYY7aHR0cDovL2NkcDEucGNhLmRmbi5kZS9kZm4tdmVyZWlu
+LWdzLWNhL3B1Yi9jcmwvZ19jYWNybC5jcmwwQaA/oD2GO2h0dHA6Ly9jZHAyLnBj
+YS5kZm4uZGUvZGZuLXZlcmVpbi1ncy1jYS9wdWIvY3JsL2dfY2FjcmwuY3JsMIHf
+BggrBgEFBQcBAQSB0jCBzzAzBggrBgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRm
+bi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEsGCCsGAQUFBzAChj9odHRwOi8vY2RwMS5w
+Y2EuZGZuLmRlL2Rmbi12ZXJlaW4tZ3MtY2EvcHViL2NhY2VydC9nX2NhY2VydC5j
+cnQwSwYIKwYBBQUHMAKGP2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZGZuLXZlcmVp
+bi1ncy1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDANBgkqhkiG9w0BAQsFAAOC
+AQEAf3gv6SbxfQrMHzx+iztTBC4HmKNrIQ5oPVkm/k2aYJRTZT6nQyjHv+aKmAg3
+ht5yBKmEPE7SUrKWxC4Iv8s40XiiMJRX/3T9JTRkwUEVLFmVVM+AcGJokAog2hS8
+AuRXoZWRvDsKlHn/PP0ZFDw35vgtAa3s86G+3GIxIiy4DpNqXLBjq+7JlMFTQRaf
+Gn1wFU/Yd9mymcN8hzH8RDvhUcEOBATScEdm+KFZbhykquA1CR4pmhaffEiavj6/
+0LpvwN9NQRv8n/JzqA8W1SsZPwCg342LqIqcGeTve3e2joyNyCWHuNYJQjTYur6o
+hpNRqAmlu7VxPez3ZzBpI6i5aw==
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/2.6/assets/docker-entrypoint
+++ b/2.6/assets/docker-entrypoint
+#!/bin/bash
+set -e
+
+chmod 600 /etc/shibboleth/*.pem
+chown _shibd:_shibd /etc/shibboleth/*.pem /run/shibboleth -R
+
+if [ "${SHIB_IDP_ENTITY_ID}" != "" ];then
+	SHIB_SSO_ATTRS="entityID=\"${SHIB_IDP_ENTITY_ID}\""
+elif [ "${SHIB_IDP_DISCOVERY_URL}" != "" ];then
+	SHIB_SSO_ATTRS="discoveryProtocol=\"SAMLDS\" discoveryURL=\"${SHIB_IDP_DISCOVERY_URL}\""
+else
+	echo "you have either to provide the SHIB_IDP_DISCOVERY_URL or the SHIB_IDP_ENTITY_ID
+environment variable in order to correctly set up shibboleth. exiting ...";
+	exit 1;
+fi
+
+METADATA_PROVIDER_DFN='
+        <MetadataProvider type="XML" uri="https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml" backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="/etc/shibboleth/dfn-aai-cert.pem"/>
+        </MetadataProvider>
+'
+
+METADATA_PROVIDER_LOCAL='
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+'
+
+if [ "${SHIB_ATTRIBUTE_MAP}" != "" ]; then
+  IFS=',' read -ra attrlist <<< "${SHIB_ATTRIBUTE_MAP}";
+  for attr in "${attrlist[@]}" ;do
+    ATTRIBUTE_XML="${ATTRIBUTE_XML}
+  <Attribute name=\"${attr%%=*}\" id=\"${attr#*=}\" />\n"
+  done
+  sed -e 's!</Attributes>!!' -i /etc/shibboleth/attribute-map.xml
+  echo -e "${ATTRIBUTE_XML}\n</Attributes>" >>/etc/shibboleth/attribute-map.xml
+fi
+
+cat >/etc/shibboleth/shibboleth2.xml <<EOF
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    logger="console.logger"
+    clockSkew="180">
+
+    <ApplicationDefaults entityID="${SHIB_SP_ENTITY_ID}" REMOTE_USER="eppn persistent-id targeted-id">
+
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="; path=/; secure; HttpOnly" handlerURL="${SHIB_HANDLER_URL}">
+            <SSO ${SHIB_SSO_ATTRS}>
+              SAML2 SAML1
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="${SHIB_STATUS_ACL} 127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        ${METADATA_PROVIDER_DFN}
+
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+</SPConfig>
+EOF
+
+cat >/etc/shibboleth/metadata.xml <<EOF
+<!--
+This is example metadata only. Do *NOT* supply it as is without review,
+and do *NOT* provide it in real time to your partners.
+ -->
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_f46fa7b46e8469845f8cb9c328321bbeba0308d2" entityID="${SHIB_SP_ENTITY_ID}">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/Login"/>
+      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/Login" index="1"/>
+    </md:Extensions>
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>dev-dotdeb</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=dev-dotdeb</ds:X509SubjectName>
+          <ds:X509Certificate>MIIC5TCCAc2gAwIBAgIJAMTHl5c6BBC0MA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+BAMTCmRldi1kb3RkZWIwHhcNMTYwODA0MTMwNzQ3WhcNMjYwODAyMTMwNzQ3WjAV
+MRMwEQYDVQQDEwpkZXYtZG90ZGViMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuU5yPc7A8TmYSOkcA5WexnYdnbuPgIZV6pfCbWAlnsHM7tF2Y2nPM0x3
+WIQD6iC2zNQrGa3vdjRDpFNZLZELqC4pCUj3kunLG6DYE5QL+8xuukJmt5OXksXn
+wc+8kY4DAu3M/DnS0y6P4UGFMcgj8wZ6xZpzdSLRGqHx4a+dtuORy28sHEoChRqE
+IbK2RdHvwIaOKttl1gjILgMKx7QgtBfoTk6iouC24ez9cpQ7zewDSQ9alzUbd7PP
+xJg59pjlIZ1tL65TAMRXYy5sKUVONVx0u6znntpxWBfWC0vaB+LtJcPRNNfr3hx/
+2rerB5wcgJsdqkI38BuiFF9iDyogSwIDAQABozgwNjAVBgNVHREEDjAMggpkZXYt
+ZG90ZGViMB0GA1UdDgQWBBRj9FbPgOUNEIdgS1QtP6+ufIHx4DANBgkqhkiG9w0B
+AQUFAAOCAQEAguatA2EtGF7ZrW+xJ7O7qymiLO90QKyIopCXdTeOs/Zcylo+0d8J
+FKvbEFAOc3cfPwKfwvOg9yFzAFjpdIPqu+jPWgBG3EA/g0vR8SI31NpI4mPiSnXt
+aUpWu42KFIMoHiELletPXan6jKHfHKl+SqTAY1ifVG7qLjSTrxihvn+zhrgKbai4
+2c48v2xg1Q1rv11DKWB61y2xhhgOIYlbfsiKlbIznGVDyeBaEd0yF25NgByfLbx1
+bcpYpzl5TERBGs27fizTDKUq3hszXzgq3iuo8vdXiFGBdJ0oZXvuTTlSJF0CPQ7K
+2mj+QMjgmZXcmRJtE9dC7iGXgREs3v12HA==
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML2/ECP" index="4"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML/POST" index="5"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="${SHIB_HOSTNAME}${SHIB_HANDLER_URL}/SAML/Artifact" index="6"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
+EOF
+
+  # activate debugging for shibboleth
+sed -e 's/\(log4j\.rootCategory=\)[^,]\+/\1DEBUG/' -i /etc/shibboleth/console.logger
+
+exec "$@"
\ No newline at end of file
--- a/2.6/assets/sp-cert.pem
+++ b/2.6/assets/sp-cert.pem
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIJAMTHl5c6BBC0MA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+BAMTCmRldi1kb3RkZWIwHhcNMTYwODA0MTMwNzQ3WhcNMjYwODAyMTMwNzQ3WjAV
+MRMwEQYDVQQDEwpkZXYtZG90ZGViMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuU5yPc7A8TmYSOkcA5WexnYdnbuPgIZV6pfCbWAlnsHM7tF2Y2nPM0x3
+WIQD6iC2zNQrGa3vdjRDpFNZLZELqC4pCUj3kunLG6DYE5QL+8xuukJmt5OXksXn
+wc+8kY4DAu3M/DnS0y6P4UGFMcgj8wZ6xZpzdSLRGqHx4a+dtuORy28sHEoChRqE
+IbK2RdHvwIaOKttl1gjILgMKx7QgtBfoTk6iouC24ez9cpQ7zewDSQ9alzUbd7PP
+xJg59pjlIZ1tL65TAMRXYy5sKUVONVx0u6znntpxWBfWC0vaB+LtJcPRNNfr3hx/
+2rerB5wcgJsdqkI38BuiFF9iDyogSwIDAQABozgwNjAVBgNVHREEDjAMggpkZXYt
+ZG90ZGViMB0GA1UdDgQWBBRj9FbPgOUNEIdgS1QtP6+ufIHx4DANBgkqhkiG9w0B
+AQUFAAOCAQEAguatA2EtGF7ZrW+xJ7O7qymiLO90QKyIopCXdTeOs/Zcylo+0d8J
+FKvbEFAOc3cfPwKfwvOg9yFzAFjpdIPqu+jPWgBG3EA/g0vR8SI31NpI4mPiSnXt
+aUpWu42KFIMoHiELletPXan6jKHfHKl+SqTAY1ifVG7qLjSTrxihvn+zhrgKbai4
+2c48v2xg1Q1rv11DKWB61y2xhhgOIYlbfsiKlbIznGVDyeBaEd0yF25NgByfLbx1
+bcpYpzl5TERBGs27fizTDKUq3hszXzgq3iuo8vdXiFGBdJ0oZXvuTTlSJF0CPQ7K
+2mj+QMjgmZXcmRJtE9dC7iGXgREs3v12HA==
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/2.6/assets/sp-key.pem
+++ b/2.6/assets/sp-key.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5TnI9zsDxOZhI
+6RwDlZ7Gdh2du4+AhlXql8JtYCWewczu0XZjac8zTHdYhAPqILbM1CsZre92NEOk
+U1ktkQuoLikJSPeS6csboNgTlAv7zG66Qma3k5eSxefBz7yRjgMC7cz8OdLTLo/h
+QYUxyCPzBnrFmnN1ItEaofHhr52245HLbywcSgKFGoQhsrZF0e/Aho4q22XWCMgu
+AwrHtCC0F+hOTqKi4Lbh7P1ylDvN7ANJD1qXNRt3s8/EmDn2mOUhnW0vrlMAxFdj
+LmwpRU41XHS7rOee2nFYF9YLS9oH4u0lw9E01+veHH/at6sHnByAmx2qQjfwG6IU
+X2IPKiBLAgMBAAECggEAPphrKsm+jz2/XVGxLtzJx4x6sJ98+BNozlf5S20hCCG7
+EikbbrV9UnzQC8x8bggi98nrzT7eFvXMq6OkCipm36bIIeTODIiBHZIVq3dlHOeP
+t8daX0Sx/NhxUxzTO+/WwJSHm+QEfWXLIHI7hfdvfVaA/mMQAU+DhxWRWYUzJ2Xg
+4eTbYEI+MThaSazrDgL9a0lgv5/GlNd7xwL0qTDJBNnnYigKHJCiie0eF51Ej5NO
+S8HbJakIb1DipSOnQuzPpMD82x4QMs6CICcF6c/TO6+vl2D+C9uLMCRwqTn3B20B
+oqgxZhLKVddRMyzPWMsTkYObNSripTgwV5/M/pXH4QKBgQDajOxuhFG104j8KZMb
+t6VBEBKBTNFDHM1jyLQHHXFy75W67tEwIEP3BLLwEOGPugNesjpEVwHdWzuSjIpS
+yGAYOGca5TPZrkXgFbi70c39j1YFNe7IdJyye0cxUm8tGSpS3ugL0ntI4kWZtiIq
+xKsenwmVz/O42+xI6DYoYqiqWQKBgQDZDze5EiJ0wcZQapF50akXtXCOvZvKjcY+
+UmemKIVOn+juQccVKPX8f5Y9J6epUNoHGceGDjIzZimJQyzdyLa5U69CrbVjUVpC
+rfVIiPxDinJD3kTBJCnSD+iGZ9auuGq+IOhxwGWPJ/KpzBMIKgcqvfA0+jjCMa+q
+ZiPx7WqDQwKBgB8EQwXIR6RrehR3fgZAAPcD5extz4Eb1FZmBI7B8fji4bge7pdK
+7Ppgs1h4vNpeBt5oovZR9tTIfuLkiTkIcQLe9lsNzlcFcatEyev18asbrZSdu969
+FgQKlOb+EQMwgB40vm/3FkIYwtH21FCHitWUspKNacSBib4rHoyKu+85AoGAe1pG
+lIpVwnyMsw6c9dnMeojGGphufMHtM2WpOag1eeUufpgrBz9r676mJsLuaS5leTuR
+RAG1Tbh1Smg+ixuRm+iO5RnKx1JoNRSfHEWc9tUq8p7R++ENUy9vOVKxkkGDh+Ez
+t9Fa5ewR36T1++HGiOfAJps8vj92USQSsV329fkCgYEAzcPskYLS0+Kd1F7bvGo8
+K6fu+r7tvoUq1aCigclBWsLx5cWCq74tNYZTqE+Co8bQilh/+6MERi2IDiBY34d1
+7Nmd3le3en2bkySJ9mrIm9bUPzH8m6SAoiiqVlKID9DQfhhOrUI1FZ8b2nP66Gf
+H2zBcxL4okxF+zqMuIOJ0Jw=
+-----END PRIVATE KEY-----
\ No newline at end of file
--- a/Changelog.md
+++ b/Changelog.md
+# Changelog
+
+## 2.6-0 - 2018-07-02
+* initial release
+
--- a/Docker.md
+++ b/Docker.md
+# shibboleth
+
+*shibboleth* is the shibboleth-authenticator as daemon `shibd` which communicates on socket `/var/run/shibboleth/shibd.sock`. This image should be used in connection with the [ubleipzig/httpd] webserver image, which provides the shibboleth-handler als apache2-module.
+
+The base image is [debian:stretch-slim].
+
+## supported Tags
+
+* 2.6-*, 2.6, 2, latest ([2.6/Dockerfile])
+
+## Usage of the Image
+
+This Image is a support image and should be used in connection with [ubleipzig/httpd]. Furthermore it is necessare to set up a service-provider (SP) according to the federation-service where the SP should be used. The image can be used as follows:
+
+```bash
+$# docker run --name shibboleth \
+  -e SHIB_HOSTNAME=https://www.example.com \
+	-e SHIB_SP_ENTITY_ID=my-shibboleth-entity-id \
+  ubleipzig/shibboleth
+
+$# docker run --name httpd \
+  --volumes-from shibboleth \
+  -v /path/to/static/files:/var/www/html \
+  -p 80:80 \
+  ubleipzig/httpd \
+  apache2 -D FOREGROUND -D shibboleth
+```
+
+This starts the shibboleth-container and then mounts its volumes via `--volumes-from` into the httpd-container where the requests are handled. Be aware that the images won't work out-of-the-box. There is configuration you have to take care of:
+
+## advanced configuration
+
+* `SHIB_HOSTNAME=https://localhost`: the host-part of the shibboleth-handler. Has to be accessable from the IdP.
+* `SHIB_HANDLER_URL=/Shibboleth.sso`: the path-part of the shibboleth-handler. Has to be accessable from the IdP.
+* `SHIB_SP_ENTITY_ID=https://hub.docker.com/r/smoebody/dev-dotdeb`: the Entity-ID, which identifies the SP against the IdP (local or federated)
+* `SHIB_IDP_ENTITY_ID=""`: the Entity-ID of the IdP which shall be used to log in.
+* `SHIB_IDP_DISCOVERY_URL=https://wayf.aai.dfn.de/DFN-AAI-Test/wayf`: the URL of the discovery-service, of which IdP shall be used to log in. Specify either `SHIB_IDP_ENTITY_ID` or this variable.
+* `SHIB_ATTRIBUTE_MAP=""`: simple 'name=id'-assignment separated by comma , die als Attribute hinzugefügt werden, z.B. `SHIB_ATTRIBUTE_MAP='foo=urn:1.2.3,bar=urn:1.2.4'`
+
+[ubleipzig/httpd]: https://hub.docker.com/r/ubleipzig/httpd/
+[debian:stretch-slim]: https://hub.docker.com/_/debian/
+[2.6/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth/blob/master/2.6/Dockerfile
--- a/LICENSE
+++ b/LICENSE
--- a/Liesmich.md
+++ b/Liesmich.md
+# shibboleth
+
+*shibboleth* ist der Shibboleth-Authenticator, der durch den daemon `shibd` bereitgestellt wird und an Socket `/var/run/shibboleth/shibd.sock` kommuniziert. Das Image sollte zusammen mit dem [ubleipzig/httpd] Webserver-Image verwendet werden, welches den Shibboleth-Listener als Apache2-Modul zur Verfügung stellt.
+
+Das Basis-Image ist [debian:stretch-slim].
+
+
+## Unterstützte tags
+
+* 2.6-*, 2.6, 2, latest ([2.6/Dockerfile])
+
+## Nutzung des Images
+
+Das Image ist ein Hilfsimage und sollte zusammen mit [ubleipzig/httpd] verwendet werden. Weiterhin ist es notwendig, einen entsprechenden Service-Provider an übergeordneter Stelle einzurichten.
+
+```bash
+$# docker run --name shibboleth \
+  -e SHIB_HOSTNAME=https://www.example.com \
+	-e SHIB_SP_ENTITY_ID=my-shibboleth-entity-id \
+  ubleipzig/shibboleth
+
+$# docker run --name httpd \
+  --volumes-from shibboleth \
+  -v /path/to/static/files:/var/www/html \
+  -p 80:80 \
+  ubleipzig/httpd \
+  apache2 -D FOREGROUND -D shibboleth
+```
+
+Hierbei startet der shibboleth-container und mountet die Volumes via `--volumes-from` in den httpd-container, welcher die Requests entgegennimmt. Bedenke, das dieses Image nicht Out-of-the-Box funktioniert. Es muss entsprechend deiner Umgebung konfiguriert werden:
+
+## erweiterte Konfiguration
+
+* `SHIB_HOSTNAME=https://localhost`: der Host-Teil des Shibboleth-Handlers. Muss vom IdP erreichbar sein.
+* `SHIB_HANDLER_URL=/Shibboleth.sso`: der Path-Teil des Shibboleth-Handlers. Muss vom IdP erreichbar sein.
+* `SHIB_SP_ENTITY_ID=https://hub.docker.com/r/smoebody/dev-dotdeb`: die Entity-ID, mit der der SP vom IDP identifiziert werden kann (lokal oder Föderation)
+* `SHIB_IDP_ENTITY_ID=""`: die Entity-ID des IdP, der zur Anmeldung genutzt werden soll.
+* `SHIB_IDP_DISCOVERY_URL=https://wayf.aai.dfn.de/DFN-AAI-Test/wayf`: die URL zum Discovery-Dienst, über den der IdP zur Anmeldung ausgewählt wird. Benutze entweder `SHIB_IDP_ENTITY_ID` oder diese Variable.
+* `SHIB_ATTRIBUTE_MAP=""`: simple 'name=id'-Zuweisung mit Komma getrennt, die als Attribute hinzugefügt werden, z.B. `SHIB_ATTRIBUTE_MAP='foo=urn:1.2.3,bar=urn:1.2.4'`
+
+[ubleipzig/httpd]: https://hub.docker.com/r/ubleipzig/httpd/
+[debian:stretch-slim]: https://hub.docker.com/_/debian/
+[2.6/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth/blob/master/2.6/Dockerfile
--- a/Makefile
+++ b/Makefile
+HTTP_PROXY = http://proxy.uni-leipzig.de:3128
+HTTPS_PROXY = http://proxy.uni-leipzig.de:3128
+IMAGE_NAME = ubleipzig/shibboleth
+
+.PHONY: 2.6
+
+2.6:
+	docker build --pull \
+		--build-arg HTTP_PROXY=$(HTTP_PROXY) \
+		--build-arg HTTPS_PROXY=$(HTTPS_PROXY) \
+		--build-arg NO_PROXY=$(NO_PROXY) \
+		--build-arg http_proxy=$(HTTP_PROXY) \
+		--build-arg https_proxy=$(HTTPS_PROXY) \
+		--build-arg no_proxy=$(NO_PROXY) \
+		-t $(IMAGE_NAME):2.6 \
+		2.6
\ No newline at end of file
--- a/Readme.md
+++ b/Readme.md
+# shibboleth
+
+This repository holds the Dockerfiles for the shibbooleth-image.
+
+## Image-Tags
+
+The images are created via a gitlab-pipeline, see [.gitlab-ci.yml]. There are several tags which can be used:
+
+* `2.6-*`: points to a specific build. Each build is specified by a number. The higher, the latter.
+* `2.6`: points to the latest build from the `2.6`-line. It is the same as the last `2.6-*`.
+* `2`: points to the latest build from the `2`-line. If there will be a `2.6`-line it will point to that latest build.
+* `latest`: always points to the latest build.
+
+## create images
+
+Pushing the Code to the Repository does nothing. Images are created via GIT-Tags.
+
+```
+git tag -a 2.6-2 -m 'minor optimization'
+git push origin 2.6-2
+```
+_this will create a new image with a tag named `2.6-2`. Also the Tags `2.6`, `2`, and `latest` will point to this image._
+
+
+Only Repository-Masters will be able to create a new Tag.
+
+## Contribution
+
+In case you want to contribute please fork and make a pull-request at [Gitlab-hosting of Leipzig University]. This is due to internal policies and the higher flexibility when it comes to build images and push to [Docker-Hub]
+
+## Todo
+
+* Tests
+
+[.gitlab-ci.yml]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth/blob/master/.gitlab-ci.yml
+[Gitlab-hosting of Leipzig University]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/shibboleth
+[Docker-Hub]: https://hub.docker.com/r/ubleipzig/shibboleth/
\ No newline at end of file