This demo shows how to run midPoint container using SAML2 authentication with Shibboleth IdP.

Note that the bundled SAML2 SP is used in this demo, but midPoint supports using standalone SPs (e.g. Shibboleth SP) too. In that case you need to pass username to midPoint in HTTP header and configure httpHeader module instead of SAML2 in flexible authentication. See following page for details: https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration#FlexibleAuthenticationConfiguration-ModulehttpHeader

Starting

$ cd demo/shibboleth
$ docker-compose up

After docker-compose up command successfully finishes you should see something like this on the console:

midpoint_server_1  | midpoint;midpoint.log;demo;;2018-09-20 16:25:22,191 [] [main] INFO (org.springframework.boot.web.embedded.tomcat.TomcatWebServer): Tomcat started on port(s): 8080 (http) 9090 (http) with context path '/midpoint'
midpoint_server_1  | midpoint;midpoint.log;demo;;2018-09-20 16:25:22,209 [] [main] INFO (com.evolveum.midpoint.web.boot.MidPointSpringApplication): Started MidPointSpringApplication in 60.512 seconds (JVM running for 61.688)

Now you can log into midPoint using https://localhost:8443/midpoint URL. This will redirect you to the Shibboleth login page where you will enter the user name of administrator and a password of password.

After entering that you will get into midPoint.

midPoint > Shibboleth demo > image2018-10-3_18-12-28.png

Containers

The demo/shibboleth composition contains the following containers:

Container name	Description
`shibboleth_midpoint_server_1`	This is the standard container providing midPoint functionality. It contains standalone Tomcat running midPoint application, reverse Apache proxy (providing Shibboleth authentication, if needed), and TIER Beacon.
`shibboleth_midpoint_data_1`	This container hosts midPoint repository. It contains the MariaDB database created from the TIER MariaDB image.
`shibboleth_idp_1`	Shibboleth identity provider
`shibboleth_directory_1`	LDAP directory used by the Shibboleth IdP as a user registry. (Currently it is not managed by midPoint, although of course it could be.)

Communication

The containers publish the following TCP ports. (Port mapped to localhost denotes the mapping of container port to the host port where it can be reached from the outside.)

Container	Port number	Port mapped to localhost	Description
`shibboleth_midpoint_server_1`	443	8443	HTTPS port to be used to connect to midPoint application
	80	-	HTTP port to be used to connect to midPoint application
	9090	-	Tomcat AJP port used for Apache httpd ↔ Tomcat communication
`shibboleth_midpoint_data_1`	3306	3306	Port used to connect to the default MariaDB repository
`shibboleth_idp_1`	443	443	HTTPS port to be used for Shibboleth Idp
`shibboleth_directory_1`	389	389	Port used for LDAP communication

Docker volumes

The following volumes are created to persist data and other relevant files.

Volume name	Description	Used by container
`shibboleth_midpoint_home`	The midPoint home directory. Contains schema extensions, logs, custom libraries, custom ConnId connectors, and so on.	`shibboleth_midpoint_server_1`
`shibboleth_midpoint_data`	Volume hosting MariaDB database used by midPoint.	`shibboleth_midpoint_data_1`
`shibboleth_midpoint_mysql`	Volume hosting `/var/lib/mysql` directory.	`shibboleth_midpoint_data_1`
`shibboleth_ldap`	Volume hosting `/var/lib/dirsrv` directory.	`shibboleth_directory_1`

Configuring the composition

The following configuration properties are supported. Please refer to the main documentation page for their explanation.

Property	Default value
`ENV`	`demo`
`USERTOKEN`
`REPO_DATABASE_TYPE`	`mariadb`
`REPO_JDBC_URL`	`default`
`REPO_HOST`	`midpoint_data`
`REPO_PORT`	`default`
`REPO_DATABASE`	`registry`
`REPO_USER`	`registry_user`
`REPO_MISSING_SCHEMA_ACTION`	`create`
`REPO_UPGRADEABLE_SCHEMA_ACTION`	`stop`
`REPO_SCHEMA_VERSION_IF_MISSING`
`REPO_SCHEMA_VARIANT`
`MP_MEM_MAX`	`2048m`
`MP_MEM_INIT`	`1024m`
`MP_JAVA_OPTS`
`TIER_BEACON_OPT_OUT`
`TIMEZONE`	`UTC`

You can tailor these to your needs.

The following Docker secrets are used:

Secret	Location
`mp_database_password.txt`	`configs-and-secrets/midpoint/application/database_password.txt`
`mp_keystore_password.txt`	`configs-and-secrets/midpoint/application/keystore_password.txt`
`mp_host-key.pem`	`configs-and-secrets/midpoint/httpd/host-key.pem`
`mp_sp-key.pem`	`configs-and-secrets/midpoint/shibboleth/sp-key.pem`

The following configuration files are used:

Target file	Source location
`/etc/pki/tls/certs/host-cert.pem`	`configs-and-secrets/midpoint/httpd/host-cert.pem`
`/etc/pki/tls/certs/cachain.pem`	`configs-and-secrets/midpoint/httpd/host-cert.pem`
`/etc/shibboleth/idp-metadata.xml`	`configs-and-secrets/midpoint/shibboleth/idp-metadata.xml`
`/etc/shibboleth/shibboleth2.xml`	`configs-and-secrets/midpoint/shibboleth/shibboleth2.xml`
`/etc/shibboleth/sp-cert.pem`	`configs-and-secrets/midpoint/shibboleth/sp-cert.pem`

You can modify or replace these files as needed.

Login without Shibboleth authentication

You can log into midPoint using the usual https://localhost:8443/midpoint/auth/emergency URL that will point you to midPoint login page (instead of Shibboleth one). Then you will use administrator as a user name and 5ecr3t as a password.

midPoint > Shibboleth demo > image2018-10-3_18-41-38.png

Login using bundled SAML2 SP

Midpoint contains bundled SAML2 SP, which can be used instead of Shibboleth SP. To use this SP use https://localhost:8443/midpoint/auth/saml-internal/ URL for accessing midPoint. You will be redirected to the same IdP as it's used in the default settings. Use login "administrator" and password "password" to sign in.

Change authentication to login form

You can change midPoint authentication to internal login form, when you rewrite name of authentication module for sequence admin-gui-default in Default Security Policy. You have to find:

<sequence>
    <name>admin-gui-default</name>
    <description>
        Default GUI authentication sequence.
    </description>
    <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>gui-default</urlSuffix>
    </channel>
    <module>
        <name>mySamlSso</name>
        <order>30</order>
        <necessity>sufficient</necessity>
    </module>
</sequence>

And change <name>mySamlSso</name> to <name>internalLoginForm</name>. After saving of security policy you have to logout. Then you will use administrator as a user name and 5ecr3t as a password to login.

Implementation

Shibboleth authentication is implemented by using Apache httpd as a reverse proxy for midPoint. Clients connect to Apache listening on port 443 (redirected to localhost:8443). It authenticates the requests using Shibboleth SP (if configured to do so) and forwards them to midPoint on port 9090 (AJP).

This mode of authentication makes use of the following auxiliary environment variables within midPoint container (besides the ones mentioned in the documentation):

Environment variable	Meaning	Default value
AJP_ENABLED	enable / disable the endpoint for AJP protocol	`true`
AJP_PORT	port of endpoint for AJP protocol	`9090`

Notes

The default configuration of Shibboleth provided in this demo is that it authenticates users against LDAP. So, before a user can log into midPoint, he has to have an LDAP account created, with uid matching his name (user.name) in midPoint.

The relevant httpd configuration file for Shibboleth authentication is midpoint.conf.auth.shibboleth.