Let's start by using the docker pull command to pull down the latest unicon/shibboleth-idp image.
~]$ sudo docker pull unicon/shibboleth-idp
Using default tag: latest
latest: Pulling from unicon/shibboleth-idp
8ba884070f61: Pull complete
92743bfef012: Pull complete
893a4307942a: Pull complete
25ba1c88f9e7: Pull complete
bdea16f985ca: Pull complete
0df85c5a1139: Pull complete
Digest: sha256:70315518aa3f1d7d5c20f5bc8c052779228d5e4b9d9a584514ee46fd8294b0f9
Status: Downloaded newer image for unicon/shibboleth-idp:latest
docker.io/unicon/shibboleth-idp:latest
The docker images command should now contain the latest unicon/shibboleth-idp image.
~]$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
unicon/shibboleth-idp latest 83a5c2df0c20 5 years ago 570MB
Let's create a temporary directory.
mkdir /tmp/foo
And move into the temporary directory.
cd /tmp/foo
Let's then use the docker run command to create the Shibboleth IdP files that will be needed when running the Shibboleth IdP container. Since this is just a simple Getting Started article, I'm going with all of the defaults and using whatever password I like.
~]$ sudo docker run -it --volume $(pwd):/ext-mount --rm unicon/shibboleth-idp init-idp.sh
Please complete the following for your IdP environment:
Hostname: [915633f70b15.localdomain]
SAML EntityID: [https://915633f70b15.localdomain/idp/shibboleth]
Attribute Scope: [localdomain]
Backchannel PKCS12 Password:
Re-enter password:
Cookie Encryption Key Password:
Re-enter password:
Warning: /opt/shibboleth-idp-tmp/bin does not exist.
Warning: /opt/shibboleth-idp-tmp/edit-webapp does not exist.
Warning: /opt/shibboleth-idp-tmp/dist does not exist.
Warning: /opt/shibboleth-idp-tmp/doc does not exist.
Warning: /opt/shibboleth-idp-tmp/system does not exist.
Generating Signing Key, CN = 915633f70b15.localdomain URI = https://915633f70b15.localdomain/idp/shibboleth ...
...done
Creating Encryption Key, CN = 915633f70b15.localdomain URI = https://915633f70b15.localdomain/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = 915633f70b15.localdomain URI = https://915633f70b15.localdomain/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp-tmp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 40 seconds
A basic Shibboleth IdP config and UI has been copied to ./customized-shibboleth-idp/ (assuming the default volume mapping was used).
Most files, if not being customized can be removed from what was exported/the local Docker image and baseline files will be used.
There should now be a customized-shibboleth-idp directory in your present working directory.
~]$ sudo ls -l
total 5516
drwxr-x--- 7 root root 80 Apr 24 20:21 customized-shibboleth-idp
And the customized-shibboleth-idp directory should contain something like this.
~]$ sudo ls -l customized-shibboleth-idp/
total 0
drwxr-x--- 2 root root 311 Apr 24 20:21 conf
drwxr-x--- 2 root root 195 Apr 24 20:21 credentials
drwxr-x--- 2 root root 30 Apr 24 20:21 metadata
drwxr-x--- 5 root root 246 Apr 24 20:21 views
drwxr-xr-x 4 root root 31 Apr 24 20:21 webapp
Let's create the idp-browser.p12 file with a password.
sudo openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
sudo openssl pkcs12 -inkey key.pem -in certificate.pem -export -out idp-browser.p12
There should now be certificate.pem, key.pem and idp-browser.p12 files in your present working directory.
~]$ sudo ls -l
total 16
-rw-r--r-- 1 root root 1310 Apr 25 07:02 certificate.pem
drwxr-x--- 7 root root 140 Apr 24 20:26 customized-shibboleth-idp
-rw-r--r-- 1 root root 117 Apr 24 20:27 Dockerfile
-rw------- 1 root root 2525 Apr 25 07:02 idp-browser.p12
-rw------- 1 root root 1704 Apr 25 07:01 key.pem
Let's delete the certificate.pem and key.pem files as these files were just used to create the idp-browser.p12 file.
sudo rm certificate.pem
sudo rm key.pem
Let's verify the password works. Note that a password given as -passin pass: ends up in your shell history and in process listings; leave the -passin option off to be prompted for it instead.
sudo openssl pkcs12 -in idp-browser.p12 -info -noout -passin pass:<your password>
And let's move the idp-browser.p12 file into the credentials directory.
sudo mv idp-browser.p12 customized-shibboleth-idp/credentials/
Let's create Dockerfile in the present working directory.
touch Dockerfile
And let's append the following to the Dockerfile.
FROM unicon/shibboleth-idp
MAINTAINER <your email address>
ADD customized-shibboleth-idp/ /opt/shibboleth-idp/
Now let's use the docker pull command to pull down the centos7 image.
~]$ sudo docker pull centos:centos7
centos7: Pulling from library/centos
2d473b07cdd5: Pull complete
Digest: sha256:be65f488b7764ad3638f236b7b515b3678369a5124c47b8d32916d6487418ea4
Status: Downloaded newer image for centos:centos7
docker.io/library/centos:centos7
The docker images command should now contain the latest unicon/shibboleth-idp image and the centos7 image.
~]$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos centos7 eeb6ee3f44bd 2 years ago 204MB
unicon/shibboleth-idp latest 83a5c2df0c20 5 years ago 570MB
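Before building the image, a pre-flight check of the exported credentials directory is worth having, so the image is not built with a missing file or a world-readable key, and so the p12 password can be verified without putting it on the command line. This is an added example, not part of the original article or of the unicon/shibboleth-idp image; it assumes the standard Shibboleth IdP v3 credential file names written by init-idp.sh (idp-backchannel.p12, idp-signing.*, idp-encryption.*, sealer.jks, sealer.kver) plus our own idp-browser.p12, and reads the p12 password from the environment variable IDP_BROWSER_P12_PASSWORD.

```shell
# Pre-flight check to run before `docker build`. Added example; not part of
# the original article or of the unicon/shibboleth-idp image.
# Assumption: the file names below are the standard Shibboleth IdP v3
# credential files written by init-idp.sh, plus our own idp-browser.p12.

IDP_REQUIRED_CREDS="idp-backchannel.p12 idp-browser.p12 idp-signing.key \
idp-signing.crt idp-encryption.key idp-encryption.crt sealer.jks sealer.kver"

# check_idp_credentials DIR
# Returns 0 when every required file exists and none is readable, writable or
# executable by "other"; otherwise prints one line per problem and returns 1.
check_idp_credentials() {
    dir="$1"
    rc=0
    for f in $IDP_REQUIRED_CREDS; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        else
            # Columns 8-10 of `ls -l` are the permission bits for "other".
            other=$(ls -ld "$dir/$f" | cut -c8-10)
            case "$other" in
                ---) ;;
                *) echo "accessible by other ($other): $dir/$f"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# check_p12_password FILE
# Verifies that the password in $IDP_BROWSER_P12_PASSWORD opens FILE. The
# password reaches openssl through the environment (-passin env:), so it does
# not land in shell history or `ps` output the way "-passin pass:..." does.
check_p12_password() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -n "${IDP_BROWSER_P12_PASSWORD:-}" ] || { echo "IDP_BROWSER_P12_PASSWORD is not set"; return 1; }
    openssl pkcs12 -in "$1" -noout -passin env:IDP_BROWSER_P12_PASSWORD >/dev/null 2>&1
}

# Usage from the directory that holds customized-shibboleth-idp/ (skipped
# when that directory is not present, e.g. when this file is only sourced).
if [ -d customized-shibboleth-idp/credentials ]; then
    check_idp_credentials customized-shibboleth-idp/credentials \
        && check_p12_password customized-shibboleth-idp/credentials/idp-browser.p12 \
        && echo "credentials OK, safe to run docker build"
fi
```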
Now let's build the Shibboleth IdP image using the Dockerfile.
~]$ sudo docker build --tag="<your domain>/shibboleth-idp:poc" .
Sending build context to Docker daemon 224.3kB
Step 1/3 : FROM unicon/shibboleth-idp
---> 83a5c2df0c20
Step 2/3 : MAINTAINER jeremy.canfield@freekb.net
---> Running in 8352b9288088
Removing intermediate container 8352b9288088
---> 3fe354b66d88
Step 3/3 : ADD customized-shibboleth-idp/ /opt/shibboleth-idp/
---> 6830cb35346d
Successfully built 6830cb35346d
Successfully tagged freekb/shibboleth-idp:poc
The docker images command should now contain the latest unicon/shibboleth-idp image, the centos7 image, and the new Shibboleth IdP image.
~]$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
freekb/shibboleth-idp poc 6830cb35346d 13 seconds ago 571MB
centos centos7 eeb6ee3f44bd 2 years ago 204MB
unicon/shibboleth-idp latest 83a5c2df0c20 5 years ago 570MB
Let's use the docker run command to create and start a container using the Shibboleth IdP image.
sudo docker run \
--detach \
--publish 0.0.0.0:8443:8443 \
--publish 0.0.0.0:4443:4443 \
--name my-shibboleth-idp \
--env JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=<your p12 password> \
--env JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=<password you entered when creating config files> \
freekb/shibboleth-idp:poc
The docker container ls command should now show the container is up and running.
~]$ sudo docker container ls -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6909be20300f freekb/shibboleth-idp:poc "run-jetty.sh" 14 seconds ago Up 13 seconds 0.0.0.0:4443->4443/tcp, 0.0.0.0:8443->8443/tcp my-shibboleth-idp
And the docker exec command with the env or printenv command can be used to verify the container has the right password for JETTY_BROWSER_SSL_KEYSTORE_PASSWORD and JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD. Keep in mind that this also means anyone who can run docker exec or docker inspect on the Docker host can read these passwords in plain text.
~]$ sudo docker exec my-shibboleth-idp env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/bin
HOSTNAME=e6471024340a
JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=itsasecret
JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=itsasecret
JETTY_HOME=/opt/jetty-home
JETTY_BASE=/opt/shib-jetty-base
JETTY_MAX_HEAP=2048m
HOME=/root
The docker logs command will likely contain errors, since we haven't taken care of some of the other required configurations, such as SSL. More on that next. First and foremost, I just want to know that I can get the container up and running.
sudo docker logs my-shibboleth-idp
By default, the container is listening on ports 4443 and 8443. Let's use firewall-cmd to allow ports 4443 and 8443.
~]$ sudo firewall-cmd --add-port=4443/tcp --permanent
success
~]$ sudo firewall-cmd --add-port=8443/tcp --permanent
success
~]$ sudo firewall-cmd --reload
success
And then go to https://<hostname or IP address of your Docker system>:8443/idp/ and something like this should be displayed.