This is heavy handedly slimmed down image from Shibboleth Identity Provider software previously built based on CSC fork of original Unicon image which has not been updated since.
Refer to Dockerfile for details of current version. We do not promise active maintenance unless otherwise specifically agreed. If you find images lagging behind, please do update:
Currently the purpose of this repository is to provide an image in Dockerhub that is somewhat automatically updated using Travis. I use it to develop Shibboleth IdP based services further.
You may find some other purpose. If you do, please tell us about it in some imaginative way!
For additional older images not yet pruned, please see Dockerhub tag listing.
The old mechanism of creating an IdP configuration has been removed from this image. Shibboleth Project doesn't yet maintain or support an official Docker Deployment method for the product, so you will need expertiese in the product to implement working installation using Docker anyhow. So basically what I'm saying is that don't rely on this image if you are not familiar with the Shibboleth product.
On top of this image you will need something else, some other layer to configure it and make it runnable in your environment. If you only want to try or see it out, do:
docker run --rm -p 8080:8080 --name shibboleth-idp -it klaalo/shibboleth-idp
Then, optionnally, access the container with:
docker exec -it shibboleth-idp /bin/bash
There has been consideration wether this basic image should have USER jetty
instruction included. Currently it is a deliberate decision to leave it out from this base image. However, this can not be emphasized too much, hence, we will repeat it:
DO NOT RUN Jetty as ROOT
Some argumentation and reasoning behind our decision for not including root privilege revocation during base image build can be found in previously linked Docker reference. Make note also that Jetty base image does not do privilege revocation, but leaves that for user discretion (see section Security in image reference).
To make this sink in we say also this again: you need to implement another layer on top of this image before deploying the service to production use in your case and your environment. At that layer at latest you should apply some mechanism to enforce least privilege principle. It may very well be that you need to fork our example of image build and better suit it to your needs to meet another Docker best practice that suggests to minimise the layers in Docker images.
Few other references for your convenience:
- OWASP Community Access Control guideline
- CISA Essentials Starter Kit
- NIST 80-53r5
- VAHTI 1/2013 SNT-011
Build script makes two image versions available. There is currently default Dockerfile
that uses Jetty v10 in Amazon Corretto jdk17 from official Jetty Docker image. In addition the old image version is available that uses Jetty v9 in jdk11 also from official Jetty Docker image.
See more info about System Requirements in Shibboleth Wiki
Make note that Nashorn engine was removed starting from Java 15. As it is quite essential part in Shibboleth in many attribute-reslover implementations, it was decided to be added manually in this image. There is special task related to this in the Dockerfile. We are very interested in hearing your comments and receiving your pull requests regarding this decision. Read more in this LinkedIn article.
Also, in Jetty 10 image version, TLS support was removed in Jetty. It is assumed that the container is not exposed in naked to the Internet, but instead the service is being run behind a load balancer offloading the TLS. To this end, http2
module was removed in the builder script and respectively http-forwarded
was added to facilitate necessities running behind a HTTP proxy.
If naked TLS should be necessary, one can still use the old Jetty 9 version.
This project was originally developed as part of Unicon's Open Source Support program, which was funded by Unicon's program subscribers.
- John Gasper (jgasper@unicon.net)
Unicon discontinued to maintain this image. They were the first implementors on this.
- Sami Silén (sami.silen@csc.fi)
CSC guys have done quite a lot around this after Unicon.
- Juho Erkkilä (awesome devOps automation pipeline guru in Weare)
Juho has done lot of work in improving the Dockerfile
- Kari Laalo (you know how to reach me)
I just try to glue things together somehow
- Social preview image in Github Photo by FLY:D on Unsplash.
- Git icon by Icons8
This has come quite far from original Unicon implementation, so I dared to alter this section. See LICENSE file for further details.