diff --git a/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf b/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf
new file mode 100644
index 0000000..497ecde
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf
@@ -0,0 +1,44 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+ ServerName https://%%SERVER_NAME%%:80
+ UseCanonicalName On
+
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ LogLevel warn
+
+
+ SetHandler shib
+
+
+
+ AuthType shibboleth
+ Require shibboleth
+
+
+ RewriteEngine On
+ RewriteCond %{QUERY_STRING} !after_redirect
+ RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R]
+
+
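Review bot: The behind-proxy vhost carries no `mod_remoteip` configuration, so access-log lines and any address-based decision Apache or mod_shib makes will see the proxy's address rather than the client's; `RemoteIPHeader X-Forwarded-For` with `RemoteIPInternalProxy <proxy-cidr-placeholder>` (and `a2enmod remoteip` in the Dockerfile) restores it, and the CIDR must be limited to the proxy so a client reaching port 80 directly cannot forge the header. `ServerName https://…:80` together with `UseCanonicalName On` is the documented way to make self-referential URLs carry the scheme the proxy terminates, which is presumably why the scheme and port disagree here, so a one-line comment saying that this vhost expects TLS to be terminated upstream would stop the next reader from "fixing" it. The `<VirtualHost>`/`<Location>` container lines are not visible in this rendering, so which block each directive belongs to was inferred from the indentation.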
diff --git a/comanage-registry-shibboleth-sp-base/000-site.conf b/comanage-registry-shibboleth-sp-base/000-site.conf
new file mode 100644
index 0000000..1377e62
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/000-site.conf
@@ -0,0 +1,62 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+ ServerName http://%%SERVER_NAME%%:80
+ UseCanonicalName On
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
+
+
+
+ ServerName https://%%SERVER_NAME%%:443
+ UseCanonicalName On
+
+ DocumentRoot /var/www/html
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ LogLevel warn
+
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+ SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+ SSLHonorCipherOrder on
+
+ SSLCertificateFile /etc/apache2/cert.pem
+ SSLCertificateKeyFile /etc/apache2/privkey.pem
+
+
+ SetHandler shib
+
+
+
+ AuthType shibboleth
+ Require shibboleth
+
+
+ RewriteEngine On
+ RewriteCond %{QUERY_STRING} !after_redirect
+ RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R]
+
+
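Review bot: `SSLProtocol all -SSLv2 -SSLv3` still enables TLS 1.0 and 1.1 on the 443 vhost; `SSLProtocol -all +TLSv1.2` (adding `+TLSv1.3` once the base image's OpenSSL supports it) is the current baseline, and `SSLCompression off` and `SSLSessionTickets off` belong beside `SSLHonorCipherOrder on`. The port-80 redirect builds its target from `%{HTTP_HOST}:443`, so a request whose Host header already carries a port (a `-p 8080:80` style mapping, or a client that sends `Host: name:80`) is redirected to `https://name:8080:443/…`; `RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L,QSA]` uses the canonical name the vhost already declares and removes the client-controlled host from the redirect. The `<VirtualHost>`/`<Location>` container lines are not visible in this rendering, so directive placement was inferred from the indentation.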
diff --git a/comanage-registry-shibboleth-sp-base/Dockerfile b/comanage-registry-shibboleth-sp-base/Dockerfile
new file mode 100644
index 0000000..c5fa417
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/Dockerfile
@@ -0,0 +1,187 @@
+# Dockerfile for Shibboleth SP for COmanage Registry
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM debian:9
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ apache2 \
+ apache2-dev \
+ file \
+ gcc \
+ g++ \
+ libboost-dev \
+ libcurl4-openssl-dev \
+ libssl1.0-dev \
+ libssl1.0.2 \
+ make \
+ wget \
+ zlib1g-dev
+
+ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz
+
+RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \
+ && mkdir -p src \
+ && tar -zxf log4shib.tar.gz -C src --strip-components=1 \
+ && rm -f log4shib.tar.gz \
+ && cd src \
+ && LD_FLAGS=-lpthread CXXFLAGS="-fPIC -std=gnu++98" ./configure --disable-static \
+ --disable-doxygen \
+ --prefix=/opt/shibboleth-sp \
+ --build=x86_64 \
+ && LD_FLAGS=-lpthread make \
+ && make -j 2 install \
+ && cd .. \
+ && rm -r src
+
+ARG XERCESC_URL=http://ftp.wayne.edu/apache//xerces/c/3/sources/xerces-c-3.2.0.tar.gz
+
+RUN wget -O xerces.tar.gz "${XERCESC_URL}" \
+ && mkdir -p src \
+ && tar -zxf xerces.tar.gz -C src --strip-components=1 \
+ && rm -f xerces.tar.gz \
+ && cd src \
+ && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \
+ && make -j 2 \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG XMLSECC_URL=http://ftp.wayne.edu/apache/santuario/c-library/xml-security-c-1.7.3.tar.gz
+
+RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \
+ && mkdir -p src \
+ && tar -zxf xmlsecc.tar.gz -C src --strip-components=1 \
+ && rm -f xmlsecc.tar.gz \
+ && cd src \
+ && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \
+ --with-xerces=/opt/shibboleth-sp \
+ --with-openssl=/usr \
+ --disable-static \
+ --without-xalan \
+ && make -j 2 \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.6.2.tar.gz
+
+RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \
+ && mkdir -p src \
+ && tar -zxf xmltooling.tar.gz -C src --strip-components=1 \
+ && rm -f xmltooling.tar.gz \
+ && cd src \
+ && CXXFLAGS="-fPIC -std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \
+ --with-log4shib=/opt/shibboleth-sp \
+ -C \
+ && make -j 2 \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.6.1.tar.gz
+
+RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \
+ && mkdir -p src \
+ && tar -zxf opensamlc.tar.gz -C src --strip-components=1 \
+ && rm -f opensamlc.tar.gz \
+ && cd src \
+ && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \
+ --with-log4shib=/opt/shibboleth-sp \
+ -C \
+ && make -j 2 \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.6.1.tar.gz
+
+RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \
+ && mkdir -p src \
+ && tar -zxf shibboleth-sp.tar.gz -C src --strip-components=1 \
+ && rm -f shibboleth-sp.tar.gz \
+ && cd src \
+ && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \
+ --with-log4shib=/opt/shibboleth-sp \
+ --with-saml=/opt/shibboleth-sp \
+ --with-xerces=/opt/shibboleth-sp \
+ --with-xmlsec=/opt/shibboleth-sp \
+ --with-xmltooling=/opt/shibboleth-sp \
+ --enable-apache-24 \
+ --with-apxs24=/usr/bin/apxs \
+ --disable-adfs \
+ --disable-obc \
+ && make -j 2 \
+ && make install \
+ && cd .. \
+ && rm -r src
+
+COPY shib2.load /etc/apache2/mods-available
+
+RUN /usr/sbin/useradd --system _shibd \
+ && mkdir -p /var/run/shibboleth \
+ && chown _shibd:_shibd /var/run/shibboleth \
+ && chown -R _shibd:_shibd /opt/shibboleth-sp/var \
+ && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \
+ && rm -f /etc/shibboleth/shibboleth2.xml \
+ && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \
+ && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \
+ && cd /opt/shibboleth-sp/etc \
+ && rm -rf shibboleth \
+ && ln -s /etc/shibboleth shibboleth \
+ && a2enmod shib2 \
+ && apt-get install -y --no-install-recommends supervisor \
+ && mkdir -p /var/log/supervisor
+
+RUN apt-get update && apt-get install -y \
+ && apt-get purge -y \
+ apache2-dev \
+ file \
+ gcc \
+ g++ \
+ libboost-dev \
+ libcurl4-openssl-dev \
+ libssl-dev \
+ make \
+ && apt-get clean
+
+COPY 000-site.conf /etc/apache2/sites-available/000-site.conf
+COPY 000-site-behind-proxy.conf /etc/apache2/sites-available/000-site-behind-proxy.conf
+
+RUN a2enmod headers \
+ && a2enmod ssl \
+ && a2enmod rewrite \
+ && a2dissite 000-default.conf \
+ && a2ensite 000-site.conf \
+ && a2disconf other-vhosts-access-log \
+ && cd /etc/apache2 \
+ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
+ && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem
+
+COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template
+COPY supervisord.conf /usr/local/etc/supervisord.conf
+
+COPY docker-apache-entrypoint /usr/local/bin/
+COPY docker-shibd-entrypoint /usr/local/bin/
+COPY apache2-foreground /usr/local/bin/
+
+WORKDIR /var/www
+
+EXPOSE 80 443
+
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"]
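Review bot: All six source archives are fetched over plain `http://` with no checksum or signature verification (`RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}"` and the five steps that follow it), so the SAML stack is built from whatever the network returns; pin a digest per archive with an `ARG` and fail the build on mismatch, as in the fence below for log4shib, and use `https://` URLs where the hosts offer them. The cleanup step purges `libssl-dev`, but the package installed earlier is `libssl1.0-dev`, and a purge in a later layer does not shrink the image in any case, so that layer mostly adds a second `apt-get update`; `rm -rf /var/lib/apt/lists/*` in the install layer is what the size goal needs. `LD_FLAGS` in the log4shib configure line is not a variable autoconf reads — if pthread linking was the intent it should be `LDFLAGS`. The `cert.pem`/`privkey.pem` symlinks point at the ssl-cert snakeoil files, but `ssl-cert` is only a Recommends of `apache2` and the install uses `--no-install-recommends`, so unless another package pulls it in the symlinks are dangling and the TLS vhost will not start without `HTTPS_CERT_FILE` — verify against the built image. The final stage has no `USER` and supervisord runs as root; the entrypoints' chown steps need that, and a comment stating it would keep the omission from looking accidental.
```dockerfile
ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz
# placeholder: fill in the published sha256 of log4shib-1.0.9.tar.gz
ARG LOG4SHIB_SHA256=<sha256-placeholder>

RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \
 && echo "${LOG4SHIB_SHA256}  log4shib.tar.gz" | sha256sum -c - \
 && mkdir -p src \
# … unchanged: extract, configure, make, install, rm -r src …
```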
diff --git a/comanage-registry-shibboleth-sp-base/README.md b/comanage-registry-shibboleth-sp-base/README.md
new file mode 100644
index 0000000..a3a06dd
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/README.md
@@ -0,0 +1,122 @@
+
+
+# COmanage Registry Shibboleth SP Base
+
+## What it is
+This Dockerfile and associated files are used to build a Shibboleth SP
+for Apache HTTP Server image intended to be used with
+[COmanage Registry](https://spaces.internet2.edu/display/COmanage/Home).
+
+The image built from this Dockerfile is primarily intended to be used
+as a base for building other COmanage Registry images using Dockerfile
+multi-stage build functionality.
+
+It may, however, be used by itself and includes functional entrypoint
+scripts for the Apache HTTP Server and Shibboleth shibd daemon. The
+image uses Supervisord for managing the Apache and shibd daemon
+processes.
+
+## How To
+
+* Clone this repository:
+
+```
+git clone https://github.com/Internet2/comanage-registry-docker.git
+cd comanage-registry-docker
+```
+
+* Build a local image:
+
+```
+pushd comanage-registry-basic-shibboleth-sp-base
+docker build -t comanage-registry-shibboleth-sp-base
+popd
+```
+
+* Run:
+
+Without any additional configuration the container will run and the Apache
+and shibd daemons will start, but because the Shibboleth SP requires federation
+with a SAML Identity Provider (IdP) a proper SAML Web SSO flow until the SP
+has been fully configured.
+
+To configure the Shibboleth SP and Apache the following environment variables may
+bet set at container start time:
+
+| Environment Variable | Description | Default | Example 1 | Example 2 |
+| -------------------- | ----------- | --------- | --------- | ------- |
+| HTTPS_CERT_FILE | path to certificate | self-signed image default | /var/run/secrets/https_cert_file | /cert.pem |
+| HTTPS_PRIVKEY_FILE | path to private key | self-signed image default | /var/run/secrets/https_privkey_file | /key.pem |
+| SERVER_NAME | FQDN | unknown | registry.my.org | comanage.my.org |
+| SHIBBOLETH_SP_ENTITY_ID | SAML entityID | https://comanage.registry/shibboleth | https://registry.my.org/shibboleth | https://comanage.my.org/shibboleth |
+| SHIBBOLETH_SP_CERT | path to SAML cert | image default | /var/run/secrets/shibboleth_cert_file | /sp-cert.pem |
+| SHIBBOLETH_SP_PRIVKEY | path to SAML private key | image default | /var/run/secrets/shibboleth_privkey_file | /sp-key.pem |
+| SHIBBOLETH_SP_SAMLDS_URL | URL for SAML DS | https://localhost/registry/pages/eds/index | https://registry.my.org/registry/pages/eds/index | https://my.org/disco |
+| SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE | path to Shibboleth SP metadata XML config stanza | none | /var/run/secrets/shibboleth_metadata_config | /metdata.xml |
+
+For more complex Shibboleth SP configurations mount in the necessary
+configuration files into the directory `/etc/shibboleth`
+instead of setting environment variables.
+
+Here is an example `docker run` to start a container using an X.509
+certificate and private key for HTTPS from Let's Encrypt and a
+previously generated SAML SP certificate and private key:
+
+```
+docker run -d --name comanage-registry-shibboleth-sp-base \
+ -v ${PWD}/fullchain.pem:/tmp/https_cert_file \
+ -v ${PWD}/privkey.pem:/tmp/https_privkey_file \
+ -v ${PWD}/sp-cert.pem:/tmp/sp-cert.pem \
+ -v ${PWD}/sp-key.pem:/tmp/sp-key.pem \
+ -e HTTPS_CERT_FILE=/tmp/https_cert_file \
+ -e HTTPS_PRIVKEY_FILE=/tmp/https_privkey_file \
+ -e SHIBBOLETH_SP_ENTITY_ID=https://registry.my.org/shibboleth \
+ -e SHIBBOLETH_SP_CERT=/tmp/sp-cert.pem \
+ -e SHIBBOLETH_SP_KEY=/tmp/sp-key.pem \
+ -p 80:80 -p 443:443 \
+ comanage-registry-shibboleth-sp-base
+```
+
+Here is an example of how to use the image in a multi-stage build:
+
+```
+FROM comanage-registry-shibboleth-sp-base as shibboleth-sp
+
+COPY --from=shibboleth-sp /opt/shibboleth-sp /opt/shibboleth-sp/
+COPY --from=shibboleth-sp /etc/shibboleth /etc/shibboleth/
+COPY --from=shibboleth-sp /etc/apache2/mods-available/shib2.load /etc/apache2/mods-available/shib2.load
+COPY --from=shibboleth-sp /usr/local/bin/docker-apache-entrypoint /usr/local/bin/docker-apache-entrypoint
+COPY --from=shibboleth-sp /usr/local/bin/docker-shibd-entrypoint /usr/local/bin/docker-shibd-entrypoint
+COPY --from=shibboleth-sp /usr/local/bin/apache2-foreground /usr/local/bin/apache2-foreground
+
+RUN /usr/sbin/useradd --system _shibd \
+ && mkdir -p /var/run/shibboleth \
+ && chown _shibd:_shibd /var/run/shibboleth \
+ && chown -R _shibd:_shibd /opt/shibboleth-sp/var \
+ && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \
+ && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \
+ && mkdir -p /var/log/supervisor
+
+RUN a2enmod shib2 \
+ && a2enmod rewrite \
+```
+
diff --git a/comanage-registry-shibboleth-sp-base/apache2-foreground b/comanage-registry-shibboleth-sp-base/apache2-foreground
new file mode 100755
index 0000000..5fe22e2
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/apache2-foreground
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+# Note: we don't just use "apache2ctl" here because it itself is just a shell-script wrapper around apache2 which provides extra functionality like "apache2ctl start" for launching apache2 in the background.
+# (also, when run as "apache2ctl ", it does not use "exec", which leaves an undesirable resident shell process)
+
+: "${APACHE_CONFDIR:=/etc/apache2}"
+: "${APACHE_ENVVARS:=$APACHE_CONFDIR/envvars}"
+if test -f "$APACHE_ENVVARS"; then
+ . "$APACHE_ENVVARS"
+fi
+
+# Apache gets grumpy about PID files pre-existing
+: "${APACHE_RUN_DIR:=/var/run/apache2}"
+: "${APACHE_PID_FILE:=$APACHE_RUN_DIR/apache2.pid}"
+rm -f "$APACHE_PID_FILE"
+
+# create missing directories
+# (especially APACHE_RUN_DIR, APACHE_LOCK_DIR, and APACHE_LOG_DIR)
+for e in "${!APACHE_@}"; do
+ if [[ "$e" == *_DIR ]] && [[ "${!e}" == /* ]]; then
+ # handle "/var/lock" being a symlink to "/run/lock", but "/run/lock" not existing beforehand, so "/var/lock/something" fails to mkdir
+ # mkdir: cannot create directory '/var/lock': File exists
+ dir="${!e}"
+ while [ "$dir" != "$(dirname "$dir")" ]; do
+ dir="$(dirname "$dir")"
+ if [ -d "$dir" ]; then
+ break
+ fi
+ absDir="$(readlink -f "$dir" 2>/dev/null || :)"
+ if [ -n "$absDir" ]; then
+ mkdir -p "$absDir"
+ fi
+ done
+
+ mkdir -p "${!e}"
+ fi
+done
+
+exec apache2 -DFOREGROUND "$@"
diff --git a/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint b/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint
new file mode 100755
index 0000000..572a53a
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# Apache HTTP Server Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$DEBUG" ]
+then
+ OUTPUT=/dev/stdout
+else
+ OUTPUT=/dev/null
+fi
+
+# Configuration details that may be injected through environment
+# variables or the contents of files.
+
+injectable_config_vars=(
+ HTTPS_CERT_FILE
+ HTTPS_PRIVKEY_FILE
+ SERVER_NAME
+)
+
+# If the file associated with a configuration variable is present then
+# read the value from it into the appropriate variable. So for example
+# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
+# value points to a file on the file system then read the contents
+# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
+
+for config_var in "${injectable_config_vars[@]}"
+do
+ eval file_name=\$"${config_var}_FILE";
+
+ if [ -e "$file_name" ]; then
+ declare "${config_var}"=`cat $file_name`
+ fi
+done
+
+# If defined use configured location of Apache HTTP Server
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
+if [ -n "$HTTPS_CERT_FILE" ]; then
+ rm -f /etc/apache2/cert.pem
+ cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
+ chown www-data /etc/apache2/cert.pem
+ chmod 0644 /etc/apache2/cert.pem
+fi
+
+if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
+ rm -f /etc/apache2/privkey.pem
+ cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem
+ chown www-data /etc/apache2/privkey.pem
+ chmod 0600 /etc/apache2/privkey.pem
+fi
+
+# If SERVER_NAME has not been injected try to determine
+# it from the HTTPS_CERT_FILE.
+if [ -z "$SERVER_NAME" ]; then
+ SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
+ if [ -z "$SERVER_NAME" ]; then
+ SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
+ fi
+fi
+
+# Configure Apache HTTP Server with the server name.
+sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/apache2/sites-available/000-site.conf
+
+cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+ set -- apache2-foreground "$@"
+fi
+
+exec "$@"
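Review bot: `chown www-data /etc/apache2/privkey.pem` hands the TLS private key to the unprivileged worker account, which Apache does not need — the parent process reads the key before forking the workers that run as `www-data` — so a compromised worker could read it; `chown root:root /etc/apache2/privkey.pem` with the existing `chmod 0600` keeps the key out of reach, and the same ownership is fine for `cert.pem`. Nothing here runs under `set -e`, so if `cp "$HTTPS_CERT_FILE"` fails after the `rm -f`, the script carries on and the problem only surfaces when Apache refuses to start; `set -e` at the top, or `|| exit 1` on each `cp`, makes the misconfiguration visible at the entrypoint. The `sed -i … %%SERVER_NAME%% …` line rewrites only `000-site.conf`, so anyone who enables the shipped `000-site-behind-proxy.conf` gets a literal `%%SERVER_NAME%%` in `ServerName` and the logout rule. The SAN extraction uses a greedy `.*DNS:(.*)`, so a certificate with several DNS SANs yields the last one rather than the first, and the result is spliced into `sed s@…@g` unescaped, so a value containing `@` breaks the substitution. The heredoc that writes `server-name.conf` appears truncated in this rendering (`cat > … < "$OUTPUT" 2>&1`), so its body could not be reviewed here.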
diff --git a/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint b/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint
new file mode 100755
index 0000000..374d93f
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+# Shibboleth SP Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -n "$DEBUG" ]
+then
+ OUTPUT=/dev/stdout
+else
+ OUTPUT=/dev/null
+fi
+
+# Configuration details that may be injected through environment
+# variables or the contents of files.
+#
+# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the
+# same way but because of the presence of special characters in the
+# XML it is handled differently.
+
+injectable_config_vars=(
+ SHIBBOLETH_SP_ENTITY_ID
+ SHIBBOLETH_SP_CERT
+ SHIBBOLETH_SP_PRIVKEY
+ SHIBBOLETH_SP_SAMLDS_URL
+)
+
+# If the file associated with a configuration variable is present then
+# read the value from it into the appropriate variable. So for example
+# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
+# value points to a file on the file system then read the contents
+# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
+
+for config_var in "${injectable_config_vars[@]}"
+do
+ eval file_name=\$"${config_var}_FILE";
+
+ if [ -e "$file_name" ]; then
+ payload=`cat $file_name`
+ declare "${config_var}"="${payload}"
+ fi
+done
+
+# If no shibboleth2.xml file is present then create one using
+# injected information or defaults that are not particularly
+# useful in a federated context but will allow shibd to start.
+if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then
+ cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml
+ sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml
+ sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml
+
+ # The metadata provider injected input most likely contains special characters
+ # so use a sed script instead of simple substitution on the command line.
+
+ if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then
+ xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE"
+ else
+ xml_content_file=`/bin/mktemp`
+ echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}
+ fi
+
+ sed_script_file=`/bin/mktemp`
+ cat > ${sed_script_file}< /dev/null 2>&1
+chown _shibd:_shibd /etc/shibboleth/sp-key.pem > /dev/null 2>&1
+
+chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/run > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth/shibd.sock > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/transaction.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/signature.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd_warn.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth-www > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/cache > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/cache/shibboleth > /dev/null 2>&1
+
+# Warn about any files in /etc/shibboleth that the _shibd user cannot read.
+su _shibd -c 'find /etc/shibboleth ! -readable' > /tmp/shibd-not-readable 2>/dev/null
+
+if [ -s /tmp/shibd-not-readable ]; then
+ echo "WARNING: the following files are not readable by _shibd"
+ cat /tmp/shibd-not-readable
+ echo ""
+fi
+
+rm -f /tmp/shibd-not-readable > /dev/null 2>&1
+
+# Start the daemon.
+exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F
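Review bot: `echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}` expands the XML unquoted, so the shell word-splits it (collapsing newlines and runs of spaces) and glob-expands any `*` or `?` inside it before it reaches the file; `printf '%s\n' "${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-}" > "${xml_content_file}"` preserves the content byte for byte. The two `mktemp` files are created as root in `/tmp` and, as far as this rendering shows, never removed; the `cat > ${sed_script_file}` heredoc and whatever follows it look truncated here, so that part could not be reviewed. The `sed s@…@` substitutions for the entity ID and discovery URL break if either value contains `@`, which is unlikely for these two values but worth a comment. `chown _shibd:_shibd /opt/shibboleth-sp/var` appears twice in a row; one copy can go.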
diff --git a/comanage-registry-shibboleth-sp-base/shib2.load b/comanage-registry-shibboleth-sp-base/shib2.load
new file mode 100644
index 0000000..b518d60
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/shib2.load
@@ -0,0 +1,20 @@
+# COmanage Registry Apache HTTP Server configuration
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so
diff --git a/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template b/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template
new file mode 100644
index 0000000..dda4d13
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template
@@ -0,0 +1,51 @@
+
+
+
+
+
+
+
+ SAML2
+
+
+ Local
+
+
+
+
+
+
+
+
+
+
+
+
+ %%SHIBBOLETH_SP_METADATA_PROVIDER_XML%%
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/comanage-registry-shibboleth-sp-base/supervisord.conf b/comanage-registry-shibboleth-sp-base/supervisord.conf
new file mode 100644
index 0000000..f39f3b0
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/supervisord.conf
@@ -0,0 +1,36 @@
+; COmanage Registry Docker supervisord configuration
+;
+; Portions licensed to the University Corporation for Advanced Internet
+; Development, Inc. ("UCAID") under one or more contributor license agreements.
+; See the NOTICE file distributed with this work for additional information
+; regarding copyright ownership.
+;
+; UCAID licenses this file to you under the Apache License, Version 2.0
+; (the "License"); you may not use this file except in compliance with the
+; License. You may obtain a copy of the License at:
+;
+; http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+
+[supervisord]
+nodaemon=true
+user=root
+
+[program:apache2]
+command=/usr/local/bin/docker-apache-entrypoint apache2-foreground
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:shibd]
+command=/usr/local/bin/docker-shibd-entrypoint
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
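Review bot: The `[supervisord]` section sets no `logfile` or `pidfile`, so supervisord falls back to `supervisord.log` and `supervisord.pid` in its working directory, which the Dockerfile sets to `/var/www`; the image creates `/var/log/supervisor` but nothing here points at it. `logfile=/var/log/supervisor/supervisord.log` and `pidfile=/var/run/supervisord.pid` close that gap and keep the log out of the web tree. `user=root` is needed because both entrypoints chown files before the daemons drop privileges themselves; a one-line `;` comment saying so would stop a later reviewer from flagging it.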