This repository has been archived by the owner on May 8, 2023. It is now read-only.

A Shibboleth Identity Provider (IdP) base-image


klaalo/shibboleth-idp-dockerized


Overview

This is a heavy-handedly slimmed-down image of the Shibboleth Identity Provider software. It was previously built on the CSC fork of the original Unicon image, which has not been updated since.

Refer to the Dockerfile for details of the current version. We do not promise active maintenance unless otherwise specifically agreed. If you find the images lagging behind, please do update them:

Currently the purpose of this repository is to provide an image on Docker Hub that is updated semi-automatically using Travis. I use it to develop Shibboleth IdP based services further.

You may find some other purpose. If you do, please tell us about it in some imaginative way!

Supported tags

For additional older images not yet pruned, please see the Docker Hub tag listing.

Creating a Shibboleth IdP Configuration

The old mechanism for creating an IdP configuration has been removed from this image. The Shibboleth Project does not yet maintain or support an official Docker deployment method for the product, so you will need expertise in the product to implement a working installation with Docker anyhow. So basically what I'm saying is: don't rely on this image if you are not familiar with the Shibboleth product.

Using the Image

On top of this image you will need something else, some other layer that configures it and makes it runnable in your environment. If you only want to try it out, run:

docker run --rm -p 8080:8080 --name shibboleth-idp -it klaalo/shibboleth-idp

Then, optionally, get a shell in the running container with:

docker exec -it shibboleth-idp /bin/bash

Do not run Jetty as root

There has been consideration whether this base image should include a USER jetty instruction. Currently it is a deliberate decision to leave it out of this base image. However, this cannot be emphasized too much, hence we will repeat it:

DO NOT RUN Jetty as ROOT

Some of the argumentation and reasoning behind our decision not to drop root privileges during the base image build can be found in the previously linked Docker reference. Note also that the official Jetty base image does not drop privileges either, but leaves that to the user's discretion (see the Security section in the image reference).

To make this sink in, we say it once more: you need to implement another layer on top of this image before deploying the service to production in your environment. At that layer, at the latest, you should apply a mechanism that enforces the least privilege principle (at minimum, switch to the unprivileged jetty user and make sure the directories the IdP writes to are owned by it). It may very well be that you need to fork our example image build and adapt it to your needs in order to meet another Docker best practice, minimising the number of layers in Docker images.
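As an added illustration of the layer the paragraph above asks for (example code written for this page, not a Dockerfile from this repository), the following derived image copies in a configuration prepared outside the build and then drops root. It assumes the base image installs the IdP under /opt/shibboleth-idp and inherits the unprivileged `jetty` user from the official Jetty image; the conf/ and metadata/ paths are hypothetical and must be adapted to your own build.

```dockerfile
# Example derived layer (added here; not part of klaalo/shibboleth-idp).
# Assumption: the IdP lives under /opt/shibboleth-idp in the base image and
# the 'jetty' user/group from the official Jetty image is present but unused.
FROM klaalo/shibboleth-idp:latest

# Configuration reviewed and tested outside the build. Keep the sealer
# keystore and signing/encryption keys out of the image: mount them at
# run time instead of baking them into a layer that anyone with the
# image can read.
COPY --chown=jetty:jetty conf/     /opt/shibboleth-idp/conf/
COPY --chown=jetty:jetty metadata/ /opt/shibboleth-idp/metadata/

# The IdP writes audit and process logs here; hand the directory to the
# unprivileged user so the service can still run after dropping root.
RUN chown -R jetty:jetty /opt/shibboleth-idp/logs

# Least privilege: this is the instruction the base image deliberately
# leaves out. Everything after this line, including the inherited
# ENTRYPOINT/CMD from the base image, runs as 'jetty'.
USER jetty

# Plain HTTP only; TLS is terminated by a proxy in front of the container.
EXPOSE 8080
```

After building, a quick check that the switch took effect is `docker run --rm <image> id -u`, which should print the jetty UID rather than 0.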

A few other references for your convenience:

Two versions available

The build script makes two image versions available. The current default Dockerfile uses Jetty v10 on Amazon Corretto JDK 17 from the official Jetty Docker image. In addition, the old image version is available, which uses Jetty v9 on JDK 11, also from the official Jetty Docker image.

See the Shibboleth Wiki for more information about the System Requirements.

Nashorn in new Java versions

Note that the Nashorn JavaScript engine was removed from the JDK starting with Java 15. As it is an essential part of many Shibboleth attribute-resolver implementations, it was decided to add it manually to this image. There is a dedicated step for this in the Dockerfile. We are very interested in hearing your comments and receiving your pull requests regarding this decision. Read more in this LinkedIn article.

TLS not included

In the Jetty 10 image version, TLS support was removed from the Jetty configuration. It is assumed that the container is not exposed directly to the Internet, but that the service runs behind a load balancer that offloads TLS. To this end, the http2 module was removed in the builder script and, correspondingly, the http-forwarded module was added to cover the necessities of running behind an HTTP proxy. Be aware that http-forwarded makes Jetty trust the X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host headers it receives, so port 8080 must be reachable only from a proxy that sets those headers itself; a client that can reach the container directly could otherwise spoof its source address and scheme.

If TLS termination inside the container should be necessary, one can still use the old Jetty 9 version.

Authors/Contributors

This project was originally developed as part of Unicon's Open Source Support program, which was funded by Unicon's program subscribers.

Unicon discontinued maintenance of this image. They were the first implementors of it.

The CSC people have done quite a lot of work on this after Unicon.

  • Juho Erkkilä (awesome devOps automation pipeline guru in Weare)

Juho has done a lot of work improving the Dockerfile

  • Kari Laalo (you know how to reach me)

I just try to glue things together somehow

Credits

LICENSE

This has come quite far from the original Unicon implementation, so I dared to alter this section. See the LICENSE file for further details.
