# Shibboleth IDP version 3 docker This is a dockerized version of shibboleth 3.x. It runs on the `jetty:9-alpine` base image, and has been preconfigured to use the SWAMID saml-2.0 metadata feed. ## Configuration The way this docker image is structured is to try and make it simple to change certain aspects, such as additional local SP additions, FTICKS configuration, changing certificates and metadata. Environment variables: - `IDP_HOSTNAME` e.g. idp.nordu.net - `IDP_SCOPE` e.g. `nordu.net` - `IDP_ENCRYPTION_OPTIONAL` if set to `true` enables support for ServiceProvicers that do not supply an encryption key. - `FTICKS_FEDERATION` e.g. `swamid` if set enables fticks logging. - `FTICKS_SALT` a random salt used to anonymise user id, if not supplied the user id will not be included in logging. - `FTICKS_HOST` if a fticks loggin server should be used you need to set this - `FTICKS_PORT` if a fticks loggin server should be used you need to set this - `IDP_PERSISTENTID_SALT` a random salt used if you need to release `eduPersonTargetdID`. - `IDP_DEBUG` if enabled will set the loglevel to `DEBUT`, which logs the decrypted messages. If you mount a directory in `/opt/data` you can overwrite certain things. - `/opt/data/idp-metadata.xml` if this file is present it will replace the autogenerated metadata. You probably want to do this. - `/opt/data/credentials/` - `idp-signing.key` and `idp-signing.crt` will replace the autogrenerated signing cert. - `idp-encryption.key` and `idp-encryption.crt` will replace the autogenarated encryption certs. - `/opt/data/messages/*` allows you to add a `message.properties` file for localisation. - `/opt/data/sp-metadata/*.xml` you can add metadata for private SPs, they will automatically get the same attributes released as a SWAMID service. ### Template messages Here is an example of the `messages.properties` file from NORDUnet. ``` idp.title=Your IdP title idp.footer=Your footer information here idp.logo=/images/nordunet.png idp.logo.alt-text=Your alt text idp.url.password.change=http://example.com idp.home=NORDUnet Home idp.url.home=https://www.nordu.net idp.aup=Acceptable Use Policy idp.url.aup=https://www.nordu.net/content/acceptable-use-policy idp.privacy=Privacy Statement idp.url.privacy=https://www.nordu.net/content/data-security-and-encryption # Used in index.jsp root.title=Your IdP title root.footer=Your footer information here ``` ## Logging If you mount a directory to `/opt/data` all the IDP logs will be written to `/opt/data/logs`. As mentioned in the configuration section you can enable FTICKS logging by adding an environment variable. If needed you can enable debug logging with an environment variable. ## Deploying in production You might want to change some of the things in `idp/templates` e.g. add a logo in `idp/templates/edit-webapp/images`. 1. Clone the repository 2. Build using `docker build -t shibboleth-docker .` 3. Create a `data` dir that is owned by uid 100 gid 101, on ubuntu it seems to be `libuuid` 4. Gennerate new signing and encryption keys `openssl req -x509 -sha256 -nodes -days 7300 -newkey rsa:4096 -keyout idp-encryption.key -out idp-encryption.crt` and put them in `data/credentials/` 5. Make a proper idp-metadata.xml and put it in `data/`. You can copy the autogenerated one from docker using `docker cp ID:/opt/shibboleth-idp/metadata/idp-metadata.xml .` Remember to change the public keys to match the ones gennerated in step 4. 6. Create `data/messages/messages.properties` ``` docker run --rm -d -ti --name ndn-idp -v /opt/shibboleth-docker/data:/opt/data -e "IDP_HOSTNAME=idp.nordu.net" -e "IDP_SCOPE=nordu.net" -e "JAVA_OPTIONS=-Xmx1500m" -e "FTICKS_FEDERATION=swamid" -e "IDP_ENCRYPTION_OPTIONAL=true" shibboleth-docker ``` In NORDUnet we run our IdP behind nginx. ## Testing The NORDUnet configuration requires that you can reach `ldap.nordu.net`, so make sure you can reach that. E.g. I need to be on VPN to access it. Add the following to your `/etc/hosts` file: ``` 127.0.0.1 idp.nordu.dev sp.nordu.dev ``` Then you can use docker compose to build and start the containers. ``` docker-compose -f compose-dev.yml up --build ``` When everything has started you need to add the SP metadata to the IdP, this can be done by running: ``` curl -k https://sp.nordu.dev/Shibboleth.sso/Metadata -o data/idp/metadata/sp-metadata.xml dokcer-compose -f compose-dev.yml restart shibboleth-docker ``` Now you should be able to navigate to `https://sp.nordu.dev/secure/` where you should be prompted to log in. ### Emulating production You can lie to your own machine and use your local development docker `idp.nordu.net`. - Add `127.0.0.1 idp.nordu.net` to your `/etc/hosts` file. - Create the following data layout ``` data ├── certs │   ├── idp_nordu_net-bundle.pem │   └── idp_nordu_net.key ├── env ├── idp-data │   ├── credentials │   │   ├── idp-encryption.crt │   │   ├── idp-encryption.key │   │   ├── idp-signing.crt │   │   └── idp-signing.key │   └── messages │       └── messages.properties └── nginx └── idp.conf ``` - You can use selfsigned certs for the certs in the certs folder. But all credentials certs need to be from produdction. - `env` can be empty - Run `docker-compose -f compose-prod.yml up --build` # Resources - https://shibboleth.net/products/identity-provider.html - https://wiki.shibboleth.net/confluence/display/IDP30/Installation+Directory+and+Configuration+Files - http://www.jeesty.com/shibboleth Description of how Shibd works with Apache - https://github.com/UNINETT/mod_auth_mellon