Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

comanage-registry-docker/docs/comanage-registry-common-shibboleth-environment-variables.md

Go to file
 
 
Cannot retrieve contributors at this time
Environment Variables Common to Images using Shibboleth SP for Authentication Using Files to Inject Secrets Environment Variables
113 lines (82 sloc) 4.17 KB
Raw Blame
Open in GitHub Desktop

Environment Variables Common to Images using Shibboleth SP for Authentication

The environment variables detailed below apply to all COmanage Registry images in this repository that use the Shibboleth Native SP for Apache HTTP Server (Shibboleth) for authentication.

Using Files to Inject Secrets

The image supports the environment variables below and the _FILE convention:

Environment Variables

SHIBBOLETH_SP_CERT

  • Deprecated: Use SHIBBOLETH_SP_ENCRYPT_CERT.

SHIBBOLETH_SP_ENCRYPT_CERT

  • Description: PEM encoded X.509 certificate used for encrypting assertions to be sent to and consumed by the SP.
  • Required: Yes
  • Default: Image default, not suitable for production use.
  • Example: See note below.
  • Note: [1]

SHIBBOLETH_SP_ENCRYPT_PRIVKEY

  • Description: Private key associated with the PEM encoded X.509 certificate used for encrypting assertions to be sent to and consumed by the SP.
  • Required: Yes
  • Default: Image default, not suitable for production use.
  • Example: See note below.
  • Note: [1]

SHIBBOLETH_SP_ENTITY_ID

SHIBBOLETH_SP_METADATA_PROVIDER_XML

  • Description: XML stanza for configuring Shibboleth SP metadata consumption.
  • Required: Yes
  • Default: Image default, not suitable for production use.
  • Example: See note below.
  • Note: Due to the complex syntax which makes escaping some characters tedious, most deployers write the configuration into a file and specify the variable SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE. See also [2].

SHIBBOLETH_SP_PRIVKEY

  • Deprecated: Use SHIBBOLETH_SP_ENCRYPT_PRIVKEY.

SHIBBOLETH_SP_SAMLDS_URL

  • Description: URL for SAML IdP discovery service.
  • Required: Yes
  • Default: Image default, not suitable for production use.
  • Example: https://login-chooser.my.org
  • Note: [2]

SHIBBOLETH_SP_SIGNING_CERT

  • Description: PEM encoded X.509 certificate used by the SP for signing authentication requests.
  • Required: Yes
  • Default: Image default, not suitable for production use.
  • Example: See note below.
  • Note: [1]

SHIBBOLETH_SP_SIGNING_PRIVKEY

  • Description: Private key associated with the PEM encoded X.509 certificate used by the SP for signing authentication requests.
  • Required: Yes
  • Default: Image default, not suitable for production use.
  • Example: See note below.
  • Note: [1]

[1]: Many deployers start a container without specifying the variable and then break into the running container and use the /etc/shibboleth/keygen.sh script to generate the persistent cert and private key pair and copy them out of the container. Later after escrowing the cert and private key they are injected into the container using the variable(s).

[2]: While the image allows some Shibboleth SP configurations to be directly injected using environment variables, most deployers bind mount or COPY the necessary Shibboleth SP configuration files with local deployment details into the directory /etc/shibboleth/. The image includes the standard example and template configuration files experienced Shibboleth SP deployers expect to find.