Introduction

This packaged TIER Shibboleth-IdP release is a standalone Docker container (Linux-based) implementation of the Shibboleth IdP.  

What is the TIER Shibboleth IdP release?

What is a container?

What is Docker?

Why Docker?

Things to think about for deploying the TIER Shib IdP

Building/Operating the Linux-based Shibboleth IdP

Getting Started

    It is possible to use a desktop/laptop as a build machine!

        Docker for Windows
        Docker for Mac
        Others

Prepare for building an image

BUILD the image

The build takes its inputs from a configuration tree rooted at ${ALTCFG}; each --build-arg names one directory of that tree, and the trailing "." is the build context:

    --build-arg TOMLOG=${ALTCFG}/logs/tomcat \
    --build-arg TOMCERT=${ALTCFG}/credentials/tomcat \
    --build-arg TOMWWWROOT=${ALTCFG}/wwwroot \
    --build-arg SHBCFG=${ALTCFG}/config/shib-idp/conf \
    --build-arg SHBCREDS=${ALTCFG}/credentials/shib-idp \
    --build-arg SHBVIEWS=${ALTCFG}/config/shib-idp/views \
    --build-arg SHBEDWAPP=${ALTCFG}/config/shib-idp/edit-webapp \
    --build-arg SHBMSGS=${ALTCFG}/config/shib-idp/messages \
    --build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \
    --build-arg SHBLOG=${ALTCFG}/logs/shib-idp .

TOMCERT and SHBCREDS point at credentials directories, and the image is pushed to a repository in the next step. Whatever those directories hold at build time becomes part of the image layers and is readable by anyone who can pull the image, so keep real private keys, keystores and password-bearing properties files out of the build tree and deliver them at run time instead (the --secret form of the service command further down does this).
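A pre-build audit of that tree, as an added example (not part of the TIER release or its build scripts): it walks the directories the --build-arg values above name and reports any key, keystore, sealer or password-bearing properties file that would be copied into an image layer, plus anything under credentials/ that other users on the build host can read. The directory list and the file-name patterns are assumptions taken from the build args and from the secrets list later on this page; adjust them to your own tree.

```shell
#!/bin/sh
# Pre-build audit of the ${ALTCFG} tree. Added example, not part of the TIER
# release: it checks the directories the --build-arg values point at and
# reports anything that would bake secrets into the image, or that other
# users on the build host can read.
#
# Assumptions: the tree uses the same relative layout as the --build-arg
# values (credentials/tomcat, config/shib-idp/conf, ...), and paths contain
# no whitespace.

# Directories consumed by the build, relative to the config root
# (taken from the --build-arg values on this page).
BUILD_DIRS='logs/tomcat credentials/tomcat wwwroot config/shib-idp/conf
credentials/shib-idp config/shib-idp/views config/shib-idp/edit-webapp
config/shib-idp/messages config/shib-idp/metadata logs/shib-idp'

# audit_altcfg ROOT
#   Prints one finding per line and returns 1 if anything needs fixing:
#     MISSING <dir>          a build-arg directory does not exist
#     SECRET <file>          key, keystore, sealer or password-bearing file
#                            in a directory that is copied into the image
#     WORLD-READABLE <file>  file under credentials/ readable by other users
audit_altcfg() {
    root=$1
    rc=0
    for dir in $BUILD_DIRS; do
        if [ ! -d "$root/$dir" ]; then
            echo "MISSING $dir"
            rc=1
            continue
        fi
        for f in "$root/$dir"/*; do
            [ -f "$f" ] || continue      # empty directory: glob stays literal
            # The same artifacts the secrets-based service command on this
            # page supplies at run time; none of them belongs in a layer.
            case ${f##*/} in
                *.key|*.jks|*.kver|*.p12|idp.properties|ldap.properties)
                    echo "SECRET ${f#"$root/"}"
                    rc=1
                    ;;
            esac
        done
    done
    # Mode bits only: "-perm -004" is true when the other-read bit is set,
    # regardless of who runs this script.
    for f in $(find "$root/credentials" -type f -perm -004 2>/dev/null); do
        echo "WORLD-READABLE ${f#"$root/"}"
        rc=1
    done
    return $rc
}

# Usage (run on the build host before "docker build"):
#   audit_altcfg "$ALTCFG" || echo "fix the findings above before building"
```

Run it on the build host right before the build; a non-zero exit means the tree still contains something that would either fail the build or leak into the image. Configuration files such as relying-party.xml are deliberately not flagged here, since they are meant to be baked in.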

SHIP the image to a repository


Prepare to run a new swarm service

On each worker node, join the swarm:

    docker swarm join \
        --token <big-long-string> \
        <managerIP-from-previous-step>:2377

You can get the complete command, with the real token, by running docker swarm join-token worker on the manager node. Treat the token as a credential: anyone who holds it and can reach port 2377 on a manager can add a node to the swarm, so do not paste it into tickets or commit it, and rotate it with docker swarm join-token --rotate worker if it leaks.


RUN a new service on your swarm

Minimal form, with everything (configuration included) taken from the image built above:

    docker service create \
        --replicas 2 \
        --name shib-idp \
        --with-registry-auth \
        --publish 443:443 \
        --health-interval=5m --health-cmd "curl -k --fail https://127.0.0.1/idp/status || exit 1" \
        <repo.mycampus.edu>:<port>/shib-idp-tier:<your userID>

--with-registry-auth forwards the registry credentials of the node where you run this command to the workers, so they can pull from your private repository. The health check runs inside the container against its own listener, so -k only skips verification of the container's own certificate; /idp/status itself stays protected by the IdP's access-control.xml, which by default admits only loopback addresses, and the check depends on that restriction staying in place.

Same service, with the configuration, credentials and logs bind-mounted from the host instead of baked into the image (the directory layout mirrors the build-arg tree, rooted at ${PWD}):

    docker service create \
        --replicas 2 \
        --name shib-idp \
        --with-registry-auth \
        --publish 443:443 \
        --health-interval=5m --health-cmd "curl -k --fail https://127.0.0.1:443/idp/status || exit 1" \
        --mount type=bind,source=${PWD}/config/tomcat,destination=/usr/local/tomcat/conf \
        --mount type=bind,source=${PWD}/wwwroot,destination=/usr/local/tomcat/webapps/ROOT \
        --mount type=bind,source=${PWD}/logs/tomcat,destination=/usr/local/tomcat/logs \
        --mount type=bind,source=${PWD}/credentials/tomcat,destination=/opt/certs \
        --mount type=bind,source=${PWD}/config/shib-idp/conf,destination=/opt/shibboleth-idp/conf \
        --mount type=bind,source=${PWD}/credentials/shib-idp,destination=/opt/shibboleth-idp/credentials \
        --mount type=bind,source=${PWD}/config/shib-idp/views,destination=/opt/shibboleth-idp/views \
        --mount type=bind,source=${PWD}/config/shib-idp/edit-webapp,destination=/opt/shibboleth-idp/edit-webapp \
        --mount type=bind,source=${PWD}/config/shib-idp/messages,destination=/opt/shibboleth-idp/messages \
        --mount type=bind,source=${PWD}/config/shib-idp/metadata,destination=/opt/shibboleth-idp/metadata \
        --mount type=bind,source=${PWD}/logs/shib-idp,destination=/opt/shibboleth-idp/logs \
        <repo.mycampus.edu>:<port>/shib-idp-tier:<your userID>

Bind mounts are resolved on the node that runs the task, so every node a replica can be scheduled on must carry an identical copy of this tree at the same absolute path (${PWD} is expanded where you type the command, not on the workers). Private keys mounted this way live on the host filesystem of each such node, readable by anyone with root there.


Same service, with the sensitive files supplied as Docker secrets instead of being baked into the image or bind-mounted from the host; each secret must first be created on a manager node with docker secret create <name> <file>:

    docker service create \
        --replicas 2 \
        --name shib-idp \
        --with-registry-auth \
        --publish 443:443 \
        --secret source=idp.properties,target=/opt/shibboleth-idp/conf/idp.properties \
        --secret source=ldap.properties,target=/opt/shibboleth-idp/conf/ldap.properties \
        --secret source=idp-signing.key,target=/opt/shibboleth-idp/credentials/idp-signing.key \
        --secret source=idp-signing.crt,target=/opt/shibboleth-idp/credentials/idp-signing.crt \
        --secret source=idp-encryption.key,target=/opt/shibboleth-idp/credentials/idp-encryption.key \
        --secret source=idp-encryption.crt,target=/opt/shibboleth-idp/credentials/idp-encryption.crt \
        --secret source=keystore.jks,target=/opt/certs/keystore.jks \
        --secret source=sealer.jks,target=/opt/shibboleth-idp/credentials/sealer.jks \
        --secret source=sealer.kver,target=/opt/shibboleth-idp/credentials/sealer.kver \
        --secret source=relying-party.xml,target=/opt/shibboleth-idp/conf/relying-party.xml \
        --secret source=attribute-filter.xml,target=/opt/shibboleth-idp/conf/attribute-filter.xml \
        --secret source=attribute-resolver.xml,target=/opt/shibboleth-idp/conf/attribute-resolver.xml \
        --secret source=metadata-providers.xml,target=/opt/shibboleth-idp/conf/metadata-providers.xml \
        --health-interval=4m --health-cmd "curl -k --fail https://127.0.0.1:443/idp/status || exit 1" \
        <repo.mycampus.edu>:<port>/shib-idp-tier:<your userID>

Swarm stores secrets encrypted in the managers' Raft log and delivers them only to the nodes running a task that uses them, where each appears as a file on an in-memory filesystem at its target path (owned by root with mode 0444 unless you add uid=, gid= or mode= to the --secret flag). A secret cannot be changed once created: to rotate one, create a new secret under a new name and run docker service update --secret-rm <old> --secret-add source=<new>,target=<path> shib-idp, which rolls the replicas over to the new file.

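Because Docker secrets cannot be changed in place, a deployment that manages the files above as secrets needs a naming scheme and a rotation path. The following POSIX sh helper is an added example, not the TIER project's tooling: it validates each secret file, emits the docker secret create commands under versioned names, and produces the --secret flags for docker service create and the --secret-rm/--secret-add flags for docker service update. The manifest mirrors the --secret flags above; the "-vN" suffix scheme, the 0400 mode and the assumption that Tomcat runs as root inside the container are mine.

```shell
#!/bin/sh
# Versioned Docker secrets for the shib-idp service. Added example, not part of
# the TIER release. Docker secrets are immutable, so changing one means
# creating a new secret and swapping it into the service; a version suffix on
# every secret name makes that swap one "docker service update" and keeps the
# old version available for rollback until you remove it.
#
# Assumptions: the secret files sit in one local directory under the names
# used on this page, and Tomcat runs as root in the container (otherwise add
# uid=/gid= to the --secret flags so the process can read the 0400 files).

# "<file> <target path inside the container>", one per line, in the order of
# the --secret flags on this page.
MANIFEST='idp.properties /opt/shibboleth-idp/conf/idp.properties
ldap.properties /opt/shibboleth-idp/conf/ldap.properties
idp-signing.key /opt/shibboleth-idp/credentials/idp-signing.key
idp-signing.crt /opt/shibboleth-idp/credentials/idp-signing.crt
idp-encryption.key /opt/shibboleth-idp/credentials/idp-encryption.key
idp-encryption.crt /opt/shibboleth-idp/credentials/idp-encryption.crt
keystore.jks /opt/certs/keystore.jks
sealer.jks /opt/shibboleth-idp/credentials/sealer.jks
sealer.kver /opt/shibboleth-idp/credentials/sealer.kver
relying-party.xml /opt/shibboleth-idp/conf/relying-party.xml
attribute-filter.xml /opt/shibboleth-idp/conf/attribute-filter.xml
attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver.xml
metadata-providers.xml /opt/shibboleth-idp/conf/metadata-providers.xml'

# check_secret_file PATH: 0 if Swarm will accept the file as a secret and it
# is not readable by other users on the manager, 1 otherwise (reason on stderr).
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty: $f" >&2; return 1; }
    size=$(($(wc -c < "$f")))
    # Swarm rejects secrets larger than 500 KiB (512000 bytes).
    [ "$size" -le 512000 ] || { echo "too large ($size bytes): $f" >&2; return 1; }
    if [ -n "$(find "$f" -perm -004 -o -perm -040)" ]; then
        echo "group/world readable (chmod 600 it): $f" >&2
        return 1
    fi
    return 0
}

# create_cmds DIR VERSION: prints the "docker secret create" command for each
# manifest entry after validating the file; returns 1 if any file failed.
create_cmds() {
    dir=$1; ver=$2; rc=0
    while read -r file target; do
        [ -n "$file" ] || continue
        check_secret_file "$dir/$file" || { rc=1; continue; }
        printf 'docker secret create %s-v%s %s/%s\n' "$file" "$ver" "$dir" "$file"
    done <<EOF
$MANIFEST
EOF
    return $rc
}

# secret_flags VERSION: the --secret flags for "docker service create".
secret_flags() {
    ver=$1
    printf '%s\n' "$MANIFEST" | while read -r file target; do
        [ -n "$file" ] || continue
        printf '%s source=%s-v%s,target=%s,mode=0400\n' --secret "$file" "$ver" "$target"
    done
}

# rotate_flags OLD NEW: the flags for "docker service update shib-idp" that
# replace version OLD of every secret with version NEW in one rolling update.
rotate_flags() {
    old=$1; new=$2
    printf '%s\n' "$MANIFEST" | while read -r file target; do
        [ -n "$file" ] || continue
        printf '%s %s-v%s %s source=%s-v%s,target=%s,mode=0400\n' \
            --secret-rm "$file" "$old" --secret-add "$file" "$new" "$target"
    done
}

# Typical sequence on a manager node (commands are printed, not executed):
#   create_cmds ./secrets 1 | sh          # create version 1 of every secret
#   secret_flags 1                        # paste into "docker service create"
#   create_cmds ./secrets 2 | sh          # after editing the files: version 2
#   docker service update $(rotate_flags 1 2) shib-idp
#   docker secret rm idp-signing.key-v1   # once the rollover is confirmed
```

create_cmds refuses to go on quietly when a file is empty, oversized or readable by other users, because a secret created from a wrong file is exactly as immutable as one created from the right file. Old versions stay in the swarm after rotation until you remove them, which is what makes a rollback a second docker service update rather than a restore.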

Changing the configuration of an existing service