From 703847e27ea3b0b66db3345432155c1c8c3b3590 Mon Sep 17 00:00:00 2001 From: Scott Koranda Date: Tue, 2 Jan 2018 14:29:55 -0600 Subject: [PATCH] First commit of comanage-registry-shibboleth-sp-base --- .../000-site-behind-proxy.conf | 44 +++++ .../000-site.conf | 62 ++++++ .../Dockerfile | 187 ++++++++++++++++++ .../README.md | 122 ++++++++++++ .../apache2-foreground | 40 ++++ .../docker-apache-entrypoint | 93 +++++++++ .../docker-shibd-entrypoint | 137 +++++++++++++ .../shib2.load | 20 ++ .../shibboleth2.xml.template | 51 +++++ .../supervisord.conf | 36 ++++ 10 files changed, 792 insertions(+) create mode 100644 comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf create mode 100644 comanage-registry-shibboleth-sp-base/000-site.conf create mode 100644 comanage-registry-shibboleth-sp-base/Dockerfile create mode 100644 comanage-registry-shibboleth-sp-base/README.md create mode 100755 comanage-registry-shibboleth-sp-base/apache2-foreground create mode 100755 comanage-registry-shibboleth-sp-base/docker-apache-entrypoint create mode 100755 comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint create mode 100644 comanage-registry-shibboleth-sp-base/shib2.load create mode 100644 comanage-registry-shibboleth-sp-base/shibboleth2.xml.template create mode 100644 comanage-registry-shibboleth-sp-base/supervisord.conf diff --git a/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf b/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf new file mode 100644 index 0000000..497ecde --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/000-site-behind-proxy.conf 
@@ -0,0 +1,44 @@ +# COmanage Registry Apache HTTP Server configuration +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + + ServerName https://%%SERVER_NAME%%:80 + UseCanonicalName On + + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + LogLevel warn + + + SetHandler shib + + + + AuthType shibboleth + Require shibboleth + + + RewriteEngine On + RewriteCond %{QUERY_STRING} !after_redirect + RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R] + + diff --git a/comanage-registry-shibboleth-sp-base/000-site.conf b/comanage-registry-shibboleth-sp-base/000-site.conf new file mode 100644 index 0000000..1377e62 --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/000-site.conf 
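Review bot: This vhost listens on plain port 80 with `ServerName https://%%SERVER_NAME%%:80`, but nothing in the file records that TLS termination and the Strict-Transport-Security header (which only 000-site.conf sets) now belong to the upstream proxy, or that the listener must never be exposed to clients directly. Add at the top `# Use only behind a TLS-terminating reverse proxy that is the sole route to port 80; TLS policy and HSTS live on the proxy, not here.` The `UseCanonicalName On` plus https `ServerName` pair is presumably what makes Apache's own redirects, including the logout RewriteRule, build https self-references; if the deployment instead relies on the proxy forwarding `X-Forwarded-Proto`, say so in the same comment. The `<VirtualHost>` and `<Location>` container lines are stripped in this rendering, so the scope of `AuthType shibboleth` / `Require shibboleth` cannot be checked from here.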
@@ -0,0 +1,62 @@ +# COmanage Registry Apache HTTP Server configuration +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + + ServerName http://%%SERVER_NAME%%:80 + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA] + + + + ServerName https://%%SERVER_NAME%%:443 + UseCanonicalName On + + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + LogLevel warn + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + + SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + SSLHonorCipherOrder on + + SSLCertificateFile /etc/apache2/cert.pem + SSLCertificateKeyFile /etc/apache2/privkey.pem + + + SetHandler shib + + + + AuthType shibboleth + Require shibboleth + + + RewriteEngine On + RewriteCond %{QUERY_STRING} !after_redirect + RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R] + + 
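Review bot: The HTTP-to-HTTPS redirect on the port-80 vhost builds its target from `%{HTTP_HOST}`, i.e. the client-supplied Host header, so a request with a forged Host is bounced to an attacker-chosen hostname even though `UseCanonicalName On` and `ServerName` already pin the canonical name; use `RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L,QSA]` instead (with UseCanonicalName On, SERVER_NAME is the configured value, and the explicit `:443` is redundant). `SSLProtocol all -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled on the 443 vhost while the cipher list is already ECDHE/DHE AES-only, so `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` is the matching setting unless a known client or IdP needs the old versions. As in the proxy variant, the `<VirtualHost>`/`<Location>` container lines are stripped in this rendering, so the scope of the Shibboleth directives cannot be verified from here.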
diff --git a/comanage-registry-shibboleth-sp-base/Dockerfile b/comanage-registry-shibboleth-sp-base/Dockerfile new file mode 100644 index 0000000..c5fa417 --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/Dockerfile 
@@ -0,0 +1,187 @@ +# Dockerfile for Shibboleth SP for COmanage Registry +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM debian:9 + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + apache2 \ + apache2-dev \ + file \ + gcc \ + g++ \ + libboost-dev \ + libcurl4-openssl-dev \ + libssl1.0-dev \ + libssl1.0.2 \ + make \ + wget \ + zlib1g-dev + +ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz + +RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \ + && mkdir -p src \ + && tar -zxf log4shib.tar.gz -C src --strip-components=1 \ + && rm -f log4shib.tar.gz \ + && cd src \ + && LD_FLAGS=-lpthread CXXFLAGS="-fPIC -std=gnu++98" ./configure --disable-static \ + --disable-doxygen \ + --prefix=/opt/shibboleth-sp \ + --build=x86_64 \ + && LD_FLAGS=-lpthread make \ + && make -j 2 install \ + && cd .. 
\ + && rm -r src + +ARG XERCESC_URL=http://ftp.wayne.edu/apache//xerces/c/3/sources/xerces-c-3.2.0.tar.gz + +RUN wget -O xerces.tar.gz "${XERCESC_URL}" \ + && mkdir -p src \ + && tar -zxf xerces.tar.gz -C src --strip-components=1 \ + && rm -f xerces.tar.gz \ + && cd src \ + && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + && make -j 2 \ + && make install \ + && cd .. \ + && rm -r src + +ARG XMLSECC_URL=http://ftp.wayne.edu/apache/santuario/c-library/xml-security-c-1.7.3.tar.gz + +RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \ + && mkdir -p src \ + && tar -zxf xmlsecc.tar.gz -C src --strip-components=1 \ + && rm -f xmlsecc.tar.gz \ + && cd src \ + && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + --with-xerces=/opt/shibboleth-sp \ + --with-openssl=/usr \ + --disable-static \ + --without-xalan \ + && make -j 2 \ + && make install \ + && cd .. \ + && rm -r src + +ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.6.2.tar.gz + +RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \ + && mkdir -p src \ + && tar -zxf xmltooling.tar.gz -C src --strip-components=1 \ + && rm -f xmltooling.tar.gz \ + && cd src \ + && CXXFLAGS="-fPIC -std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + --with-log4shib=/opt/shibboleth-sp \ + -C \ + && make -j 2 \ + && make install \ + && cd .. \ + && rm -r src + +ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.6.1.tar.gz + +RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \ + && mkdir -p src \ + && tar -zxf opensamlc.tar.gz -C src --strip-components=1 \ + && rm -f opensamlc.tar.gz \ + && cd src \ + && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + --with-log4shib=/opt/shibboleth-sp \ + -C \ + && make -j 2 \ + && make install \ + && cd .. 
\ + && rm -r src + +ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.6.1.tar.gz + +RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \ + && mkdir -p src \ + && tar -zxf shibboleth-sp.tar.gz -C src --strip-components=1 \ + && rm -f shibboleth-sp.tar.gz \ + && cd src \ + && CXXFLAGS="-std=gnu++98" ./configure --prefix=/opt/shibboleth-sp \ + --with-log4shib=/opt/shibboleth-sp \ + --with-saml=/opt/shibboleth-sp \ + --with-xerces=/opt/shibboleth-sp \ + --with-xmlsec=/opt/shibboleth-sp \ + --with-xmltooling=/opt/shibboleth-sp \ + --enable-apache-24 \ + --with-apxs24=/usr/bin/apxs \ + --disable-adfs \ + --disable-obc \ + && make -j 2 \ + && make install \ + && cd .. \ + && rm -r src + +COPY shib2.load /etc/apache2/mods-available + +RUN /usr/sbin/useradd --system _shibd \ + && mkdir -p /var/run/shibboleth \ + && chown _shibd:_shibd /var/run/shibboleth \ + && chown -R _shibd:_shibd /opt/shibboleth-sp/var \ + && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \ + && rm -f /etc/shibboleth/shibboleth2.xml \ + && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \ + && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \ + && cd /opt/shibboleth-sp/etc \ + && rm -rf shibboleth \ + && ln -s /etc/shibboleth shibboleth \ + && a2enmod shib2 \ + && apt-get install -y --no-install-recommends supervisor \ + && mkdir -p /var/log/supervisor + +RUN apt-get update && apt-get install -y \ + && apt-get purge -y \ + apache2-dev \ + file \ + gcc \ + g++ \ + libboost-dev \ + libcurl4-openssl-dev \ + libssl-dev \ + make \ + && apt-get clean + +COPY 000-site.conf /etc/apache2/sites-available/000-site.conf +COPY 000-site-behind-proxy.conf /etc/apache2/sites-available/000-site-behind-proxy.conf + +RUN a2enmod headers \ + && a2enmod ssl \ + && a2enmod rewrite \ + && a2dissite 000-default.conf \ + && a2ensite 000-site.conf \ + && a2disconf other-vhosts-access-log \ + && cd /etc/apache2 \ + && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ + 
&& ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem + +COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template +COPY supervisord.conf /usr/local/etc/supervisord.conf + +COPY docker-apache-entrypoint /usr/local/bin/ +COPY docker-shibd-entrypoint /usr/local/bin/ +COPY apache2-foreground /usr/local/bin/ + +WORKDIR /var/www + +EXPOSE 80 443 + +ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"] diff --git a/comanage-registry-shibboleth-sp-base/README.md b/comanage-registry-shibboleth-sp-base/README.md new file mode 100644 index 0000000..a3a06dd --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/README.md 
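Review bot: Every upstream archive (log4shib, xerces-c, xml-security-c, xmltooling, opensaml, shibboleth-sp) is fetched by `wget` from a plain-http default URL (the `ARG *_URL` before each RUN) and unpacked and built with no checksum or signature check, so the XML-signature and SAML stack that the SP's security rests on can be swapped by anyone on the path between the build host and shibboleth.net or ftp.wayne.edu. Switch the defaults to https and pin a digest per archive: add `ARG SHIBBOLETH_SP_SHA256` beside each URL ARG and verify right after the download with `&& echo "${SHIBBOLETH_SP_SHA256}  shibboleth-sp.tar.gz" | sha256sum -c -` (same two lines for the other five; the Shibboleth downloads also ship PGP signatures if `gpg --verify` is preferred). Separately, `chown _shibd:_shibd /etc/shibboleth/sp-key.pem` shows that an SP key pair, presumably generated by the SP's `make install`, is copied into /etc/shibboleth and so baked into every layer of the published image; anyone who can pull the image holds that private key, so the README's "image default" for SHIBBOLETH_SP_PRIVKEY should be documented as non-secret and the entrypoint should warn, or refuse, when it is the key in use. Minor: the cleanup `RUN apt-get update && apt-get install -y && apt-get purge -y ...` installs nothing (no package named), purges `libssl-dev` which was never installed while `libssl1.0-dev`, `zlib1g-dev` and `wget` stay behind, and never removes `/var/lib/apt/lists/*`.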
@@ -0,0 +1,122 @@ + + +# COmanage Registry Shibboleth SP Base + +## What it is +This Dockerfile and associated files are used to build a Shibboleth SP +for Apache HTTP Server image intended to be used with +[COmanage Registry](https://spaces.internet2.edu/display/COmanage/Home). + +The image built from this Dockerfile is primarily intended to be used +as a base for building other COmanage Registry images using Dockerfile +multi-stage build functionality. + +It may, however, be used by itself and includes functional entrypoint +scripts for the Apache HTTP Server and Shibboleth shibd daemon. The +image uses Supervisord for managing the Apache and shibd daemon +processes. + +## How To + +* Clone this repository: + +``` +git clone https://github.com/Internet2/comanage-registry-docker.git +cd comanage-registry-docker +``` + +* Build a local image: + +``` +pushd comanage-registry-basic-shibboleth-sp-base +docker build -t comanage-registry-shibboleth-sp-base +popd +``` + +* Run: + +Without any additional configuration the container will run and the Apache +and shibd daemons will start, but because the Shibboleth SP requires federation +with a SAML Identity Provider (IdP) a proper SAML Web SSO flow until the SP +has been fully configured. 
+ +To configure the Shibboleth SP and Apache the following environment variables may +bet set at container start time: + +| Environment Variable | Description | Default | Example 1 | Example 2 | +| -------------------- | ----------- | --------- | --------- | ------- | +| HTTPS_CERT_FILE | path to certificate | self-signed image default | /var/run/secrets/https_cert_file | /cert.pem | +| HTTPS_PRIVKEY_FILE | path to private key | self-signed image default | /var/run/secrets/https_privkey_file | /key.pem | +| SERVER_NAME | FQDN | unknown | registry.my.org | comanage.my.org | +| SHIBBOLETH_SP_ENTITY_ID | SAML entityID | https://comanage.registry/shibboleth | https://registry.my.org/shibboleth | https://comanage.my.org/shibboleth | +| SHIBBOLETH_SP_CERT | path to SAML cert | image default | /var/run/secrets/shibboleth_cert_file | /sp-cert.pem | +| SHIBBOLETH_SP_PRIVKEY | path to SAML private key | image default | /var/run/secrets/shibboleth_privkey_file | /sp-key.pem | +| SHIBBOLETH_SP_SAMLDS_URL | URL for SAML DS | https://localhost/registry/pages/eds/index | https://registry.my.org/registry/pages/eds/index | https://my.org/disco | +| SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE | path to Shibboleth SP metadata XML config stanza | none | /var/run/secrets/shibboleth_metadata_config | /metdata.xml | + +For more complex Shibboleth SP configurations mount in the necessary +configuration files into the directory `/etc/shibboleth` +instead of setting environment variables. 
+ +Here is an example `docker run` to start a container using an X.509 +certificate and private key for HTTPS from Let's Encrypt and a +previously generated SAML SP certificate and private key: + +``` +docker run -d --name comanage-registry-shibboleth-sp-base \ + -v ${PWD}/fullchain.pem:/tmp/https_cert_file \ + -v ${PWD}/privkey.pem:/tmp/https_privkey_file \ + -v ${PWD}/sp-cert.pem:/tmp/sp-cert.pem \ + -v ${PWD}/sp-key.pem:/tmp/sp-key.pem \ + -e HTTPS_CERT_FILE=/tmp/https_cert_file \ + -e HTTPS_PRIVKEY_FILE=/tmp/https_privkey_file \ + -e SHIBBOLETH_SP_ENTITY_ID=https://registry.my.org/shibboleth \ + -e SHIBBOLETH_SP_CERT=/tmp/sp-cert.pem \ + -e SHIBBOLETH_SP_KEY=/tmp/sp-key.pem \ + -p 80:80 -p 443:443 \ + comanage-registry-shibboleth-sp-base +``` + +Here is an example of how to use the image in a multi-stage build: + +``` +FROM comanage-registry-shibboleth-sp-base as shibboleth-sp + +COPY --from=shibboleth-sp /opt/shibboleth-sp /opt/shibboleth-sp/ +COPY --from=shibboleth-sp /etc/shibboleth /etc/shibboleth/ +COPY --from=shibboleth-sp /etc/apache2/mods-available/shib2.load /etc/apache2/mods-available/shib2.load +COPY --from=shibboleth-sp /usr/local/bin/docker-apache-entrypoint /usr/local/bin/docker-apache-entrypoint +COPY --from=shibboleth-sp /usr/local/bin/docker-shibd-entrypoint /usr/local/bin/docker-shibd-entrypoint +COPY --from=shibboleth-sp /usr/local/bin/apache2-foreground /usr/local/bin/apache2-foreground + +RUN /usr/sbin/useradd --system _shibd \ + && mkdir -p /var/run/shibboleth \ + && chown _shibd:_shibd /var/run/shibboleth \ + && chown -R _shibd:_shibd /opt/shibboleth-sp/var \ + && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \ + && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \ + && mkdir -p /var/log/supervisor + +RUN a2enmod shib2 \ + && a2enmod rewrite \ +``` + diff --git a/comanage-registry-shibboleth-sp-base/apache2-foreground b/comanage-registry-shibboleth-sp-base/apache2-foreground new file mode 100755 index 0000000..5fe22e2 --- /dev/null 
+++ b/comanage-registry-shibboleth-sp-base/apache2-foreground
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+# Note: we don't just use "apache2ctl" here because it itself is just a shell-script wrapper around apache2 which provides extra functionality like "apache2ctl start" for launching apache2 in the background.
+# (also, when run as "apache2ctl ", it does not use "exec", which leaves an undesirable resident shell process)
+
+: "${APACHE_CONFDIR:=/etc/apache2}"
+: "${APACHE_ENVVARS:=$APACHE_CONFDIR/envvars}"
+if test -f "$APACHE_ENVVARS"; then
+ . "$APACHE_ENVVARS"
+fi
+
+# Apache gets grumpy about PID files pre-existing
+: "${APACHE_RUN_DIR:=/var/run/apache2}"
+: "${APACHE_PID_FILE:=$APACHE_RUN_DIR/apache2.pid}"
+rm -f "$APACHE_PID_FILE"
+
+# create missing directories
+# (especially APACHE_RUN_DIR, APACHE_LOCK_DIR, and APACHE_LOG_DIR)
+for e in "${!APACHE_@}"; do
+ if [[ "$e" == *_DIR ]] && [[ "${!e}" == /* ]]; then
+ # handle "/var/lock" being a symlink to "/run/lock", but "/run/lock" not existing beforehand, so "/var/lock/something" fails to mkdir
+ # mkdir: cannot create directory '/var/lock': File exists
+ dir="${!e}"
+ while [ "$dir" != "$(dirname "$dir")" ]; do
+ dir="$(dirname "$dir")"
+ if [ -d "$dir" ]; then
+ break
+ fi
+ absDir="$(readlink -f "$dir" 2>/dev/null || :)"
+ if [ -n "$absDir" ]; then
+ mkdir -p "$absDir"
+ fi
+ done
+
+ mkdir -p "${!e}"
+ fi
+done
+
+exec apache2 -DFOREGROUND "$@"
diff --git a/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint b/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint
new file mode 100755
index 0000000..572a53a
--- /dev/null
+++ b/comanage-registry-shibboleth-sp-base/docker-apache-entrypoint
@@ -0,0 +1,93 @@ +#!/bin/bash + +# Apache HTTP Server Dockerfile entrypoint +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ -n "$DEBUG" ] +then + OUTPUT=/dev/stdout +else + OUTPUT=/dev/null +fi + +# Configuration details that may be injected through environment +# variables or the contents of files. + +injectable_config_vars=( + HTTPS_CERT_FILE + HTTPS_PRIVKEY_FILE + SERVER_NAME +) + +# If the file associated with a configuration variable is present then +# read the value from it into the appropriate variable. So for example +# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its +# value points to a file on the file system then read the contents +# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. + +for config_var in "${injectable_config_vars[@]}" +do + eval file_name=\$"${config_var}_FILE"; + + if [ -e "$file_name" ]; then + declare "${config_var}"=`cat $file_name` + fi +done + +# If defined use configured location of Apache HTTP Server +# HTTPS certificate and key files. The certificate file may also +# include intermediate CA certificates, sorted from leaf to root. 
+if [ -n "$HTTPS_CERT_FILE" ]; then + rm -f /etc/apache2/cert.pem + cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem + chown www-data /etc/apache2/cert.pem + chmod 0644 /etc/apache2/cert.pem +fi + +if [ -n "$HTTPS_PRIVKEY_FILE" ]; then + rm -f /etc/apache2/privkey.pem + cp "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem + chown www-data /etc/apache2/privkey.pem + chmod 0600 /etc/apache2/privkey.pem +fi + +# If SERVER_NAME has not been injected try to determine +# it from the HTTPS_CERT_FILE. +if [ -z "$SERVER_NAME" ]; then + SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'` + if [ -z "$SERVER_NAME" ]; then + SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'` + fi +fi + +# Configure Apache HTTP Server with the server name. +sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/apache2/sites-available/000-site.conf + +cat > /etc/apache2/conf-available/server-name.conf < "$OUTPUT" 2>&1 + +# first arg is `-f` or `--some-option` +if [ "${1#-}" != "$1" ]; then + set -- apache2-foreground "$@" +fi + +exec "$@" diff --git a/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint b/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint new file mode 100755 index 0000000..374d93f --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/docker-shibd-entrypoint 
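Review bot: The injected TLS private key is `chown www-data` and then `chmod 0600`, which hands the key to the unprivileged worker user: mod_ssl loads the key in the root parent at startup before the workers drop to www-data, so the workers never need it, and any code execution inside a worker could then read it. Copy it root-owned in one step, `install -o root -g root -m 0600 "$HTTPS_PRIVKEY_FILE" /etc/apache2/privkey.pem`, which also removes the window in which `cp` leaves the file at the source's mode until the later `chmod` runs (same treatment for cert.pem with 0644). The `sed -i` that fills in `%%SERVER_NAME%%` only touches `000-site.conf`, while the Dockerfile also installs `000-site-behind-proxy.conf`; anyone who `a2ensite`s the proxy variant gets the literal placeholder in ServerName and in the logout RewriteRule target, so run the same substitution on both files. The SAN fallback `sed -E 's/.*DNS:(.*)\s*$/\1/'` is greedy and therefore yields the last DNS SAN on a multi-name certificate rather than the first, and the `cat $file_name` in the declare loop leaves `$file_name` unquoted. The rest of the script (the server-name.conf heredoc) is cut in this rendering and could not be reviewed.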
@@ -0,0 +1,137 @@ +#!/bin/bash + +# Shibboleth SP Dockerfile entrypoint +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ -n "$DEBUG" ] +then + OUTPUT=/dev/stdout +else + OUTPUT=/dev/null +fi + +# Configuration details that may be injected through environment +# variables or the contents of files. +# +# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the +# same way but because of the presence of special characters in the +# XML it is handled differently. + +injectable_config_vars=( + SHIBBOLETH_SP_ENTITY_ID + SHIBBOLETH_SP_CERT + SHIBBOLETH_SP_PRIVKEY + SHIBBOLETH_SP_SAMLDS_URL +) + +# If the file associated with a configuration variable is present then +# read the value from it into the appropriate variable. So for example +# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its +# value points to a file on the file system then read the contents +# of that file into the variable COMANAGE_REGISTRY_DATASOURCE. 
+ +for config_var in "${injectable_config_vars[@]}" +do + eval file_name=\$"${config_var}_FILE"; + + if [ -e "$file_name" ]; then + payload=`cat $file_name` + declare "${config_var}"="${payload}" + fi +done + +# If no shibboleth2.xml file is present then create one using +# injected information or defaults that are not particularly +# useful in a federated context but will allow shibd to start. +if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then + cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml + sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml + sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml + + # The metadata provider injected input most likely contains special characters + # so use a sed script instead of simple substitution on the command line. + + if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then + xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" + else + xml_content_file=`/bin/mktemp` + echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file} + fi + + sed_script_file=`/bin/mktemp` + cat > ${sed_script_file}< /dev/null 2>&1 +chown _shibd:_shibd /etc/shibboleth/sp-key.pem > /dev/null 2>&1 + +chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/run > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth/shibd.sock > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/log > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/transaction.log > /dev/null 2>&1 +chown _shibd:_shibd 
/opt/shibboleth-sp/var/log/shibboleth/signature.log > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd_warn.log > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd.log > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth-www > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/cache > /dev/null 2>&1 +chown _shibd:_shibd /opt/shibboleth-sp/var/cache/shibboleth > /dev/null 2>&1 + +# Warn about any files in /etc/shibboleth that the _shibd user cannot read. +su _shibd -c 'find /etc/shibboleth ! -readable' > /tmp/shibd-not-readable 2>/dev/null + +if [ -s /tmp/shibd-not-readable ]; then + echo "WARNING: the following files are not readable by _shibd" + cat /tmp/shibd-not-readable + echo "" +fi + +rm -f /tmp/shibd-not-readable > /dev/null 2>&1 + +# Start the daemon. +exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F diff --git a/comanage-registry-shibboleth-sp-base/shib2.load b/comanage-registry-shibboleth-sp-base/shib2.load new file mode 100644 index 0000000..b518d60 --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/shib2.load 
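Review bot: The SP private key is read through `SHIBBOLETH_SP_PRIVKEY` (and its `_FILE` variant) in the injectable list, but the README's `docker run` example in this same commit passes `-e SHIBBOLETH_SP_KEY=...`, so a user following the README silently keeps the key baked into the image; settle on one name and have the entrypoint print a warning when neither is set and the default sp-key.pem is the one in use. The stretch between the sed-script heredoc and the chown run is not visible in this rendering, so whether the cert and key values are actually copied into /etc/shibboleth cannot be confirmed from here. `echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}` is unquoted, so a MetadataProvider stanza containing `*` or `?` is subject to glob expansion and its whitespace is collapsed; use `printf '%s\n' "${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-}" > "${xml_content_file}"`. `chown _shibd:_shibd /opt/shibboleth-sp/var` appears twice in a row; drop one.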
@@ -0,0 +1,20 @@ +# COmanage Registry Apache HTTP Server configuration +# +# Portions licensed to the University Corporation for Advanced Internet +# Development, Inc. ("UCAID") under one or more contributor license agreements. +# See the NOTICE file distributed with this work for additional information +# regarding copyright ownership. +# +# UCAID licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so diff --git a/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template b/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template new file mode 100644 index 0000000..dda4d13 --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/shibboleth2.xml.template @@ -0,0 +1,51 @@ + + + + + + + + SAML2 + + + Local + + + + + + + + + + + + + %%SHIBBOLETH_SP_METADATA_PROVIDER_XML%% + + + + + + + + + + + + + + + + diff --git a/comanage-registry-shibboleth-sp-base/supervisord.conf b/comanage-registry-shibboleth-sp-base/supervisord.conf new file mode 100644 index 0000000..f39f3b0 --- /dev/null +++ b/comanage-registry-shibboleth-sp-base/supervisord.conf 
@@ -0,0 +1,36 @@
+; COmanage Registry Docker supervisord configuration
+;
+; Portions licensed to the University Corporation for Advanced Internet
+; Development, Inc. ("UCAID") under one or more contributor license agreements.
+; See the NOTICE file distributed with this work for additional information
+; regarding copyright ownership.
+;
+; UCAID licenses this file to you under the Apache License, Version 2.0
+; (the "License"); you may not use this file except in compliance with the
+; License. You may obtain a copy of the License at:
+;
+; http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+
+[supervisord]
+nodaemon=true
+user=root
+
+[program:apache2]
+command=/usr/local/bin/docker-apache-entrypoint apache2-foreground
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:shibd]
+command=/usr/local/bin/docker-shibd-entrypoint
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
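Review bot: `user=root` under [supervisord] together with no `user=` on either program means both entrypoints run as root, and nothing in the file says this is deliberate; a later reader will be tempted to add `user=_shibd` to [program:shibd], which would break the chown and `su` work the entrypoint does before it execs `shibd -u _shibd -g _shibd`. Add above [supervisord]: `; Both programs intentionally start as root: the entrypoints fix ownership and write config first, then each daemon drops privileges itself (shibd via -u/-g, apache2 through the Debian envvars it sources).` There is also no [unix_http_server] or [inet_http_server] section, so no supervisorctl control socket is exposed, which is the right choice for a container but deserves a one-line comment if intentional (supervisord will, as far as I recall, log a warning about the missing RPC interface at start).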