This demo shows how to run midPoint container using SAML2 authentication with Shibboleth IdP.
Note that the bundled SAML2 SP is used in this demo, but midPoint supports standalone SPs (e.g. Shibboleth SP) too. In that case you need to pass the user name to midPoint in an HTTP header and configure the httpHeader module instead of SAML2 in flexible authentication. See the following page for details: https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration#FlexibleAuthenticationConfiguration-ModulehttpHeader
```bash
$ cd demo/shibboleth
$ docker-compose up
```

After the `docker-compose up` command successfully finishes you should see something like this on the console:

```
midpoint_server_1 | midpoint;midpoint.log;demo;;2018-09-20 16:25:22,191 [] [main] INFO (org.springframework.boot.web.embedded.tomcat.TomcatWebServer): Tomcat started on port(s): 8080 (http) 9090 (http) with context path '/midpoint'
midpoint_server_1 | midpoint;midpoint.log;demo;;2018-09-20 16:25:22,209 [] [main] INFO (com.evolveum.midpoint.web.boot.MidPointSpringApplication): Started MidPointSpringApplication in 60.512 seconds (JVM running for 61.688)
```
Now you can log into midPoint using the https://localhost:8443/midpoint URL. This will redirect you to the Shibboleth login page, where you enter the user name `administrator` and the password `password`. After entering them you will get into midPoint.
The `demo/shibboleth` composition contains the following containers:

| Container name | Description |
|---|---|
| shibboleth_midpoint_server_1 | This is the standard container providing midPoint functionality. It contains standalone Tomcat running the midPoint application, a reverse Apache proxy (providing Shibboleth authentication, if needed), and TIER Beacon. |
| shibboleth_midpoint_data_1 | This container hosts the midPoint repository. It contains the MariaDB database created from the TIER MariaDB image. |
| shibboleth_idp_1 | Shibboleth identity provider. |
| shibboleth_directory_1 | LDAP directory used by the Shibboleth IdP as a user registry. (Currently it is not managed by midPoint, although of course it could be.) |
The containers publish the following TCP ports. ("Port mapped to localhost" denotes the mapping of the container port to the host port where it can be reached from the outside.)

| Container | Port number | Port mapped to localhost | Description |
|---|---|---|---|
| shibboleth_midpoint_server_1 | 443 | 8443 | HTTPS port to be used to connect to the midPoint application |
| | 80 | - | HTTP port to be used to connect to the midPoint application |
| | 9090 | - | Tomcat AJP port used for Apache httpd ↔ Tomcat communication |
| shibboleth_midpoint_data_1 | 3306 | 3306 | Port used to connect to the default MariaDB repository |
| shibboleth_idp_1 | 443 | 443 | HTTPS port to be used for the Shibboleth IdP |
| shibboleth_directory_1 | 389 | 389 | Port used for LDAP communication |
The following volumes are created to persist data and other relevant files.

| Volume name | Description | Used by container |
|---|---|---|
| shibboleth_midpoint_home | The midPoint home directory. Contains schema extensions, logs, custom libraries, custom ConnId connectors, and so on. | shibboleth_midpoint_server_1 |
| shibboleth_midpoint_data | Volume hosting the MariaDB database used by midPoint. | |
| shibboleth_midpoint_mysql | Volume hosting the /var/lib/mysql directory. | |
| shibboleth_ldap | Volume hosting the /var/lib/dirsrv directory. | shibboleth_directory_1 |
The following configuration properties are supported. Please refer to the main documentation page for their explanation.
Property | Default value |
---|---|
ENV | demo |
USERTOKEN | |
REPO_DATABASE_TYPE | mariadb |
REPO_JDBC_URL | default |
REPO_HOST | midpoint_data |
REPO_PORT | default |
REPO_DATABASE | registry |
REPO_USER | registry_user |
REPO_MISSING_SCHEMA_ACTION | create |
REPO_UPGRADEABLE_SCHEMA_ACTION | stop |
REPO_SCHEMA_VERSION_IF_MISSING | |
REPO_SCHEMA_VARIANT | |
MP_MEM_MAX | 2048m |
MP_MEM_INIT | 1024m |
MP_JAVA_OPTS | |
TIER_BEACON_OPT_OUT | |
TIMEZONE | UTC |
You can tailor these to your needs.
The following Docker secrets are used:
Secret | Location |
---|---|
mp_database_password.txt | configs-and-secrets/midpoint/application/database_password.txt |
mp_keystore_password.txt | configs-and-secrets/midpoint/application/keystore_password.txt |
mp_host-key.pem | configs-and-secrets/midpoint/httpd/host-key.pem |
mp_sp-key.pem | configs-and-secrets/midpoint/shibboleth/sp-key.pem |
The following configuration files are used:
Target file | Source location |
---|---|
/etc/pki/tls/certs/host-cert.pem | configs-and-secrets/midpoint/httpd/host-cert.pem |
/etc/pki/tls/certs/cachain.pem | configs-and-secrets/midpoint/httpd/host-cert.pem |
/etc/shibboleth/idp-metadata.xml | configs-and-secrets/midpoint/shibboleth/idp-metadata.xml |
/etc/shibboleth/shibboleth2.xml | configs-and-secrets/midpoint/shibboleth/shibboleth2.xml |
/etc/shibboleth/sp-cert.pem | configs-and-secrets/midpoint/shibboleth/sp-cert.pem |
You can modify or replace these files as needed.
You can log into midPoint using the usual https://localhost:8443/midpoint/auth/emergency URL, which takes you to the midPoint login page (instead of the Shibboleth one). There you use `administrator` as the user name and `5ecr3t` as the password.
midPoint contains a bundled SAML2 SP, which can be used instead of the Shibboleth SP. To use this SP, access midPoint through the https://localhost:8443/midpoint/auth/saml-internal/ URL. You will be redirected to the same IdP as is used in the default settings. Use the login "administrator" and password "password" to sign in.
You can switch midPoint authentication to the internal login form by changing the name of the authentication module used by the `admin-gui-default` sequence in the Default Security Policy. Find the following sequence:

```xml
<sequence>
    <name>admin-gui-default</name>
    <description>
        Default GUI authentication sequence.
    </description>
    <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
    </channel>
    <module>
        <name>mySamlSso</name>
        <order>30</order>
        <necessity>sufficient</necessity>
    </module>
</sequence>
```

and change `<name>mySamlSso</name>` to `<name>internalLoginForm</name>`.

After saving the security policy you have to log out. Then use `administrator` as the user name and `5ecr3t` as the password to log in.
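As an added example (not part of this demo or of midPoint's own tooling), the following Python script performs the module switch described above on a security policy XML document and lets you list which modules a sequence contains before and after the change. The `securityPolicy` wrapper, the `authentication` element and the common-3 namespace in the constructed sample are assumptions; the lookup itself works with or without a namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the sequence quoted above; the securityPolicy
# wrapper, the <authentication> element and the common-3 namespace are assumed.
SAMPLE_POLICY = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication>
    <sequence>
      <name>admin-gui-default</name>
      <channel><channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId><default>true</default><urlSuffix>gui-default</urlSuffix></channel>
      <module><name>mySamlSso</name><order>30</order><necessity>sufficient</necessity></module>
    </sequence>
  </authentication>
</securityPolicy>"""

def _local(tag):
    # Strip the {namespace} prefix so lookups work with or without one.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def _find_sequence(root, seq_name):
    for elem in root.iter():
        if _local(elem.tag) == "sequence" and _child_text(elem, "name") == seq_name:
            return elem
    raise KeyError("no authentication sequence named " + seq_name)

def module_names(xml_text, seq_name):
    """Module names of the sequence, in document order (a review check)."""
    seq = _find_sequence(ET.fromstring(xml_text), seq_name)
    return [_child_text(m, "name") for m in seq if _local(m.tag) == "module"]

def switch_module(xml_text, seq_name, old, new):
    """Return the policy with module `old` renamed to `new` inside `seq_name`."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    hits = 0
    for module in _find_sequence(root, seq_name):
        if _local(module.tag) == "module" and _child_text(module, "name") == old:
            [c for c in module if _local(c.tag) == "name"][0].text = new
            hits += 1
    if hits != 1:
        raise ValueError("expected one module named %r, found %d" % (old, hits))
    return ET.tostring(root, encoding="unicode")
```

Run `module_names` on the policy exported from midPoint before and after `switch_module` to confirm that only the intended sequence changed; the function refuses to write when the old module name is absent or ambiguous.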
Shibboleth authentication is implemented by using Apache httpd as a reverse proxy for midPoint. Clients connect to Apache listening on port 443 (redirected to localhost:8443). It authenticates the requests using Shibboleth SP (if configured to do so) and forwards them to midPoint on port 9090 (AJP).
This mode of authentication makes use of the following auxiliary environment variables within midPoint container (besides the ones mentioned in the documentation):
Environment variable | Meaning | Default value |
---|---|---|
AJP_ENABLED | enable / disable the endpoint for AJP protocol | true |
AJP_PORT | port of endpoint for AJP protocol | 9090 |
The default configuration of Shibboleth provided in this demo authenticates users against LDAP. So, before a user can log into midPoint, he has to have an LDAP account created, with `uid` matching his name (`user.name`) in midPoint.
The relevant httpd configuration file for Shibboleth authentication is `midpoint.conf.auth.shibboleth`.