Page tree
Skip to end of metadata
Go to start of metadata

This demo shows how to run midPoint container using SAML2 authentication with Shibboleth IdP.

Note that the bundled SAML2 SP is used in this demo, but midPoint supports using standalone SPs (e.g. Shibboleth SP) too. In that case you need to pass username to midPoint in HTTP header and configure httpHeader module instead of SAML2 in flexible authentication. See following page for details: https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration#FlexibleAuthenticationConfiguration-ModulehttpHeader

Starting

$ cd demo/shibboleth
$ docker-compose up

After docker-compose up command successfully finishes you should see something like this on the console:

midpoint_server_1  | midpoint;midpoint.log;demo;;2018-09-20 16:25:22,191 [] [main] INFO (org.springframework.boot.web.embedded.tomcat.TomcatWebServer): Tomcat started on port(s): 8080 (http) 9090 (http) with context path '/midpoint'
midpoint_server_1  | midpoint;midpoint.log;demo;;2018-09-20 16:25:22,209 [] [main] INFO (com.evolveum.midpoint.web.boot.MidPointSpringApplication): Started MidPointSpringApplication in 60.512 seconds (JVM running for 61.688)

Now you can log into midPoint using https://localhost:8443/midpoint URL. This will redirect you to the Shibboleth login page where you will enter the user name of administrator and a password of password.

After entering that you will get into midPoint.

Containers

The demo/shibboleth composition contains the following containers:

Container nameDescription
shibboleth_midpoint_server_1This is the standard container providing midPoint functionality. It contains standalone Tomcat running midPoint application, reverse Apache proxy (providing Shibboleth authentication, if needed), and TIER Beacon.
shibboleth_midpoint_data_1This container hosts midPoint repository. It contains the MariaDB database created from the TIER MariaDB image.
shibboleth_idp_1Shibboleth identity provider
shibboleth_directory_1LDAP directory used by the Shibboleth IdP as a user registry. (Currently it is not managed by midPoint, although of course it could be.)

Communication

The containers publish the following TCP ports. (Port mapped to localhost denotes the mapping of container port to the host port where it can be reached from the outside.)

ContainerPort numberPort mapped to localhostDescription
shibboleth_midpoint_server_14438443HTTPS port to be used to connect to midPoint application
80-HTTP port to be used to connect to midPoint application
9090-Tomcat AJP port used for Apache httpd ↔ Tomcat communication
shibboleth_midpoint_data_133063306Port used to connect to the default MariaDB repository
shibboleth_idp_1443443HTTPS port to be used for Shibboleth Idp
shibboleth_directory_1389389Port used for LDAP communication

Docker volumes

The following volumes are created to persist data and other relevant files.

Volume nameDescriptionUsed by container
shibboleth_midpoint_homeThe midPoint home directory. Contains schema extensions, logs, custom libraries, custom ConnId connectors, and so on.shibboleth_midpoint_server_1
shibboleth_midpoint_dataVolume hosting MariaDB database used by midPoint.shibboleth_midpoint_data_1
shibboleth_midpoint_mysqlVolume hosting /var/lib/mysql directory.shibboleth_midpoint_data_1
shibboleth_ldapVolume hosting /var/lib/dirsrv directory.shibboleth_directory_1

Configuring the composition

The following configuration properties are supported. Please refer to the main documentation page for their explanation.

PropertyDefault value
ENVdemo
USERTOKEN
REPO_DATABASE_TYPEmariadb
REPO_JDBC_URLdefault
REPO_HOSTmidpoint_data
REPO_PORTdefault
REPO_DATABASEregistry
REPO_USERregistry_user
REPO_MISSING_SCHEMA_ACTIONcreate
REPO_UPGRADEABLE_SCHEMA_ACTIONstop
REPO_SCHEMA_VERSION_IF_MISSING
REPO_SCHEMA_VARIANT
MP_MEM_MAX2048m
MP_MEM_INIT1024m
MP_JAVA_OPTS
TIER_BEACON_OPT_OUT
TIMEZONEUTC

You can tailor these to your needs.

The following Docker secrets are used:

SecretLocation
mp_database_password.txtconfigs-and-secrets/midpoint/application/database_password.txt
mp_keystore_password.txtconfigs-and-secrets/midpoint/application/keystore_password.txt
mp_host-key.pemconfigs-and-secrets/midpoint/httpd/host-key.pem
mp_sp-key.pemconfigs-and-secrets/midpoint/shibboleth/sp-key.pem

The following configuration files are used:

Target fileSource location
/etc/pki/tls/certs/host-cert.pemconfigs-and-secrets/midpoint/httpd/host-cert.pem
/etc/pki/tls/certs/cachain.pemconfigs-and-secrets/midpoint/httpd/host-cert.pem
/etc/shibboleth/idp-metadata.xmlconfigs-and-secrets/midpoint/shibboleth/idp-metadata.xml
/etc/shibboleth/shibboleth2.xmlconfigs-and-secrets/midpoint/shibboleth/shibboleth2.xml
/etc/shibboleth/sp-cert.pemconfigs-and-secrets/midpoint/shibboleth/sp-cert.pem

You can modify or replace these files as needed.

Login without Shibboleth authentication

You can log into midPoint using the usual https://localhost:8443/midpoint/auth/emergency URL that will point you to midPoint login page (instead of Shibboleth one). Then you will use administrator as a user name and 5ecr3t as a password.


Login using bundled SAML2 SP

Midpoint contains bundled SAML2 SP, which can be used instead of Shibboleth SP. To use this SP use https://localhost:8443/midpoint/auth/saml-internal/ URL for accessing midPoint. You will be redirected to the same IdP as it's used in the default settings. Use login "administrator" and password "password" to sign in.


Change authentication to login form

You can change midPoint authentication to internal login form, when you rewrite name of authentication module for sequence admin-gui-default in Default Security Policy. You have to find: 

<sequence>
    <name>admin-gui-default</name>
    <description>
        Default GUI authentication sequence.
    </description>
    <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
    </channel>
    <module>
        <name>mySamlSso</name>
        <order>30</order>
        <necessity>sufficient</necessity>
    </module>
</sequence>

And change <name>mySamlSso</name> to <name>internalLoginForm</name>. After saving of security policy you have to logout. Then you will use administrator as a user name and 5ecr3t as a password to login.

Implementation

Shibboleth authentication is implemented by using Apache httpd as a reverse proxy for midPoint. Clients connect to Apache listening on port 443 (redirected to localhost:8443). It authenticates the requests using Shibboleth SP (if configured to do so) and forwards them to midPoint on port 9090 (AJP).

This mode of authentication makes use of the following auxiliary environment variables within midPoint container (besides the ones mentioned in the documentation):

Environment variableMeaningDefault value
AJP_ENABLEDenable / disable the endpoint for AJP protocoltrue
AJP_PORTport of endpoint for AJP protocol9090

Notes

The default configuration of Shibboleth provided in this demo is that it authenticates users against LDAP. So, before a user can log into midPoint, he has to have an LDAP account created, with uid matching his name (user.name) in midPoint.

The relevant httpd configuration file for Shibboleth authentication is midpoint.conf.auth.shibboleth.

  • No labels