oxShibboleth
Overview#
Docker image packaging for oxShibboleth.
Versions#
- Stable:
gluufederation/oxshibboleth:4.0.1_03. - Unstable:
gluufederation/oxshibboleth:4.0.1_dev.
Refer to Changelog for details on new features, bug fixes, or older releases.
Environment Variables#
The following environment variables are supported by the container:
GLUU_CONFIG_ADAPTER: The config backend adapter, can beconsul(default) orkubernetes.GLUU_CONFIG_CONSUL_HOST: hostname or IP of Consul (default tolocalhost).GLUU_CONFIG_CONSUL_PORT: port of Consul (default to8500).GLUU_CONFIG_CONSUL_CONSISTENCY: Consul consistency mode (choose one ofdefault,consistent, orstale). Default tostalemode.GLUU_CONFIG_CONSUL_SCHEME: supported Consul scheme (httporhttps).GLUU_CONFIG_CONSUL_VERIFY: whether to verify cert or not (default tofalse).GLUU_CONFIG_CONSUL_CACERT_FILE: path to Consul CA cert file (default to/etc/certs/consul_ca.crt). This file will be used if it exists andGLUU_CONFIG_CONSUL_VERIFYset totrue.GLUU_CONFIG_CONSUL_CERT_FILE: path to Consul cert file (default to/etc/certs/consul_client.crt).GLUU_CONFIG_CONSUL_KEY_FILE: path to Consul key file (default to/etc/certs/consul_client.key).GLUU_CONFIG_CONSUL_TOKEN_FILE: path to file contains ACL token (default to/etc/certs/consul_token).GLUU_CONFIG_KUBERNETES_NAMESPACE: Kubernetes namespace (default todefault).GLUU_CONFIG_KUBERNETES_CONFIGMAP: Kubernetes configmaps name (default togluu).GLUU_CONFIG_KUBERNETES_USE_KUBE_CONFIG: Load credentials from$HOME/.kube/config, only useful for non-container environment (default tofalse).GLUU_SECRET_ADAPTER: The secrets adapter, can bevaultorkubernetes.GLUU_SECRET_VAULT_SCHEME: supported Vault scheme (httporhttps).GLUU_SECRET_VAULT_HOST: hostname or IP of Vault (default tolocalhost).GLUU_SECRET_VAULT_PORT: port of Vault (default to8200).GLUU_SECRET_VAULT_VERIFY: whether to verify cert or not (default tofalse).GLUU_SECRET_VAULT_ROLE_ID_FILE: path to file contains Vault AppRole role ID (default to/etc/certs/vault_role_id).GLUU_SECRET_VAULT_SECRET_ID_FILE: path to file contains Vault AppRole secret ID (default to/etc/certs/vault_secret_id).GLUU_SECRET_VAULT_CERT_FILE: path to Vault cert file (default to/etc/certs/vault_client.crt).GLUU_SECRET_VAULT_KEY_FILE: path to Vault key file (default to/etc/certs/vault_client.key).GLUU_SECRET_VAULT_CACERT_FILE: path to Vault CA cert file (default to/etc/certs/vault_ca.crt). This file will be used if it exists andGLUU_SECRET_VAULT_VERIFYset totrue.GLUU_SECRET_KUBERNETES_NAMESPACE: Kubernetes namespace (default todefault).GLUU_SECRET_KUBERNETES_CONFIGMAP: Kubernetes secrets name (default togluu).GLUU_SECRET_KUBERNETES_USE_KUBE_CONFIG: Load credentials from$HOME/.kube/config, only useful for non-container environment (default tofalse).GLUU_WAIT_MAX_TIME: How long the startup "health checks" should run (default to300seconds).GLUU_WAIT_SLEEP_DURATION: Delay between startup "health checks" (default to10seconds).GLUU_MAX_RAM_FRACTION: Used in conjunction with Docker memory limitations (docker run -m <mem>) to identify the fraction of the maximum amount of heap memory you want the JVM to use.GLUU_LDAP_URL: The LDAP database's IP address or hostname. Default islocalhost:1636. Multiple URLs can be used using comma-separated values (i.e.192.168.100.1:1636,192.168.100.2:1636).GLUU_SHIB_SOURCE_DIR: absolute path to directory to copy Shibboleth config from (default is/opt/shared-shibboleth-idp)GLUU_SHIB_TARGET_DIR: absolute path to directory to copy Shibboleth config to (default is/opt/shibboleth-idp)GLUU_PERSISTENCE_TYPE: Persistence backend being used (one ofldap,couchbase, orhybrid; default toldap).GLUU_PERSISTENCE_LDAP_MAPPING: Specify data that should be saved in LDAP (one ofdefault,user,cache,site, ortoken; default todefault). Note this environment only takes effect whenGLUU_PERSISTENCE_TYPEis set tohybrid.GLUU_LDAP_URL: Address and port of LDAP server (default tolocalhost:1636); required ifGLUU_PERSISTENCE_TYPEis set toldaporhybrid.GLUU_COUCHBASE_URL: Address of Couchbase server (default tolocalhost); required ifGLUU_PERSISTENCE_TYPEis set tocouchbaseorhybrid.GLUU_COUCHBASE_USER: Username of Couchbase server (default toadmin); required ifGLUU_PERSISTENCE_TYPEis set tocouchbaseorhybrid.GLUU_COUCHBASE_CERT_FILE: Couchbase root certificate location (default to/etc/certs/couchbase.crt); required ifGLUU_PERSISTENCE_TYPEis set tocouchbaseorhybrid.GLUU_COUCHBASE_PASSWORD_FILE: Path to file contains Couchbase password (default to/etc/gluu/conf/couchbase_password); required ifGLUU_PERSISTENCE_TYPEis set tocouchbaseorhybrid.
Shared Directories#
Mounting the volume from host to container, as seen in the -v $PWD/shared-shibboleth-idp:/opt/shared-shibboleth-idp option, is required to ensure oxShibboleth can load the configuration correctly.
By design, each time a Trust Relationship entry is added/updated/deleted via the oxTrust GUI, some Shibboleth-related files will be generated/modified by oxTrust and saved to the /opt/shibboleth-idp directory inside the oxTrust container. A background job in oxTrust container ensures those files are copied to the /opt/shared-shibboleth-idp directory (and also inside the oxTrust container, which must be mounted from container to host).
After those Shibboleth-related files are copied to /opt/shared-shibboleth, a background job in oxShibboleth copies them to the /opt/shibboleth-idp directory inside oxShibboleth container. To ensure files are synchronized between oxTrust and oxShibboleth, both containers must use the same mounted volume, /opt/shared-shibboleth-idp.
The /opt/shibboleth-idp directory is not mounted directly into the container, as there are two known issues with this approach. First, the oxShibboleth container has its own default /opt/shibboleth-idp directory requirements to start the app itself. By mounting /opt/shibboleth-idp directly from the host, the directory will be replaced and the oxShibboleth app won't run correctly. Secondly, oxTrust renames the metadata file, which unfortunately didn't work as expected in the mounted volume.