ojbc/portal
Image for Apache 2.4 plus Shibboleth Service Provider server version 2.5
An Alpine Linux based implementation of the Shibboleth Service Provider, version 2.5, running inside Apache httpd 2.4.
Maintained by the Open Justice Broker Consortium.
GitHub: https://github.com/ojbc/docker
Dockerfile: https://github.com/ojbc/docker/blob/master/portal/Dockerfile
For more on Shibboleth 2, see: https://wiki.shibboleth.net/confluence/display/SHIB2/Home.
Note that this image builds Shib SP (and its dependencies) from source, because there is no APK package available.
The image does not expose any ports by default, as the OJBC standard approach is to use Weave (https://github.com/weaveworks/weave). If you want to expose ports, just extend the image and add an EXPOSE directive. Apache httpd runs on the standard http ports (80 and 443).
The default configurations for Shib SP and Apache are in the files here: https://github.com/ojbc/docker/tree/master/portal/files. These files set up the SAML metadata, the SP config, etc.
By default, Apache protects the URLs /secure and /ojb-web-util by forwarding them for Shib authentication.
Requests to /ojb-web-util are proxied, via mod_proxy_ajp, to an AJP connector running on the machine tomcat.ojbc.local:8009. It is assumed that this Tomcat process has a webapp ojb-web-util that it makes available at the standard URL (/ojb-web-util).
In the default configuration, the SP forwards requests to a Shibboleth Discovery Service, where the user selects the IdP to authenticate with. See ojbc/samlds.
If you want to use the portal to protect access to a different webapp, deploy that webapp on tomcat.ojbc.local, and then extend this image to add an appropriate ProxyPass to /etc/apache2/conf.d/proxy.conf and an appropriate Location section to /etc/apache2/conf.d/shib.conf.
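A sketch of such an extension, added here as an example and not taken from the OJBC repository. The webapp path /myapp is hypothetical, and the Location directives are the standard Shibboleth SP Apache settings, assumed to suit the image's default shib.conf:

```dockerfile
# Added example: extends ojbc/portal to protect a hypothetical webapp at /myapp.
FROM ojbc/portal

# Proxy /myapp over AJP to the Tomcat host the page names (tomcat.ojbc.local:8009).
RUN printf '%s\n' \
    'ProxyPass /myapp ajp://tomcat.ojbc.local:8009/myapp' \
    >> /etc/apache2/conf.d/proxy.conf

# Require a Shibboleth session before any request under /myapp reaches the proxy.
RUN printf '%s\n' \
    '<Location /myapp>' \
    '  AuthType shibboleth' \
    '  ShibRequestSetting requireSession 1' \
    '  Require valid-user' \
    '</Location>' \
    >> /etc/apache2/conf.d/shib.conf

# Only needed when publishing ports directly instead of using Weave.
EXPOSE 80 443
```

Keep the ProxyPass path and the Location path identical: a proxied path with no matching Location section is forwarded to Tomcat without Shib authentication.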
docker pull ojbc/portal