diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index f29bcc7cd01abe7e88f0e64f5bbed23858b909be..1aecaffaa2db4aad10888082ff256aee27715b11 100644
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -28,6 +28,32 @@ services:
 - emg-extnet
 - dem-extnet
 - logging-extnet
+ - shibauth-extnet
+ shibauth:
+ image: testing-shibboleth
+ deploy:
+ # labels:
+ # # router for basic auth based access (https)
+ # - "traefik.http.routers.shibauth.rule=Host(`shib.pdas.prism.eox.at`)"
+ # - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+ # - "traefik.http.routers.shibauth.tls=true"
+ # - "traefik.http.routers.shibauth.tls.certresolver=default"
+ # - "traefik.http.routers.shibauth.entrypoints=https"
+ # # router for basic auth based access (http)
+ # - "traefik.http.routers.shibauth-redirect.rule=Host(`shib.pdas.prism.eox.at`)"
+ # - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+ # - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+ # # general
+ # - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+ # - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+ # - "traefik.docker.network=shib-extnet"
+ # - "traefik.docker.lbswarm=true"
+ # - "traefik.enable=true"
+ replicas: 1
+ placement:
+ constraints: [node.role == manager]
+ networks:
+ - shibauth-extnet
 volumes:
 traefik-data:
 networks:
@@ -39,3 +65,5 @@ networks:
 name: dem-extnet
 logging-extnet:
 name: logging-extnet
+ shibauth-extnet:
+ name: shibauth-extnet
diff --git a/shibauth/shibboleth-conf/shibd.logger b/shibauth/shibboleth-conf/shibd.logger
deleted file mode 100644
index e9526645c525fb76e77a58cf12ac57732c9f5e6d..0000000000000000000000000000000000000000
--- a/shibauth/shibboleth-conf/shibd.logger
+++ /dev/null
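Review bot: `image: testing-shibboleth` on the new `shibauth` service is an untagged, registry-less image reference, so the service that gates authentication is whatever `:latest` happens to be on each swarm node rather than a fixed build; pin it, e.g. `image: <REGISTRY>/testing-shibboleth:<TAG>@sha256:<DIGEST>` (placeholders). The commented-out label block also names `traefik.docker.network=shib-extnet`, while the service's `networks:` entry and the definition added in the second hunk use `shibauth-extnet`, so re-enabling those labels as-is would point Traefik at a network that does not exist; fix the label now or drop the dead block. With the router labels disabled, the service is presumably reachable only through the forwardAuth address in traefik-dynamic.yml, which deserves a one-line comment above `shibauth:` such as `# internal forwardAuth backend only; no traefik router is attached`.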
@@ -1,76 +0,0 @@
-# set overall behavior
-log4j.rootCategory=INFO, shibd_log, warn_log
-
-# fairly verbose for DEBUG, so generally leave at INFO
-log4j.category.XMLTooling.XMLObject=INFO
-log4j.category.XMLTooling.KeyInfoResolver=INFO
-log4j.category.Shibboleth.IPRange=INFO
-log4j.category.Shibboleth.PropertySet=INFO
-
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=INFO
-
-# useful categories to tune independently:
-#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
-#log4j.category.XMLTooling.SOAPClient=DEBUG
-# interprocess message remoting
-#log4j.category.Shibboleth.Listener=DEBUG
-# mapping of requests to applicationId
-#log4j.category.Shibboleth.RequestMapper=DEBUG
-# high level session cache operations
-#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
-
-# logs XML being signed or verified if set to DEBUG
-log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
-log4j.additivity.XMLTooling.Signature.Debugger=false
-log4j.ownAppenders.XMLTooling.Signature.Debugger=true
-
-# the tran log blocks the "default" appender(s) at runtime
-# Level should be left at INFO for this category
-log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
-log4j.additivity.Shibboleth-TRANSACTION=false
-log4j.ownAppenders.Shibboleth-TRANSACTION=true
-
-# uncomment to suppress particular event types
-#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
-#log4j.category.Shibboleth-TRANSACTION.Login=WARN
-#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
-
-# define the appenders
-
-log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
-log4j.appender.shibd_log.fileName=/dev/stdout
-log4j.appender.shibd_log.maxFileSize=0
-log4j.appender.shibd_log.maxBackupIndex=0
-log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.shibd_log.layout.ConversionPattern=sp-shibd %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
-#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
-#log4j.appender.warn_log.maxFileSize=0
-#log4j.appender.warn_log.maxBackupIndex=0
-#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
-#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-#log4j.appender.warn_log.threshold=WARN
-
-log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
-log4j.appender.tran_log.fileName=/dev/stdout
-log4j.appender.tran_log.maxFileSize=0
-log4j.appender.tran_log.maxBackupIndex=0
-log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.tran_log.layout.ConversionPattern=sp-transaction %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
-
-log4j.appender.sig_log=org.apache.log4j.FileAppender
-log4j.appender.sig_log.fileName=/dev/stdout
-log4j.appender.sig_log.maxFileSize=0
-log4j.appender.sig_log.maxBackupIndex=0
-log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.sig_log.layout.ConversionPattern=sp-signature %m
-
-
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
deleted file mode 100644
index bfa4da8068e5e5f6d1eef4e83d96fa6ba9abefe4..0000000000000000000000000000000000000000
--- a/shibauth/shibboleth-conf/sp-metadata.xml
+++ /dev/null
@@ -1,141 +0,0 @@
-<EntityDescriptor entityID="https://pass.copernicus.eu/shibboleth" validUntil="2040-01-01T00:00:00Z"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
- xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-
- <KeyDescriptor>
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIIHijCCBnKgAwIBAgIQPWbuJob/1pRBDBHQrAelKDANBgkqhkiG9w0BAQsFADB4
-MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
-U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
-Q29tIENsYXNzIDMgT1YgU2VydmVyIENBMB4XDTE2MDUzMDIwMjAwNFoXDTE5MDUz
-MDIwMjAwNFowZDELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcM
-BFdpZW4xHTAbBgNVBAoMFEVPWCBJVCBTZXJ2aWNlcyBHbWJIMRgwFgYDVQQDDA9l
-c2EubWFwcy5lb3guYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX
-GBReYwFVvkSrourZRd4zBBlo9apZHXxt+kk4bNbk1n70YNeFUaxJpwFQqkfwghrg
-9tctD2B9HLDZl+LMnO6IXAzXkn8OHzt9vf4lVLDYOSHcC/oAt4aQjr98Anl1q822
-/FJ6csFtFAmEIg8P6NHByHlwaSM1yxcrc7ZgR+xph0/sQijh4jxOlcNfCGRy0VBt
-lJE0rLSAmIN/LUX/hf1P4psbPlXNLl1U3Du6sh+pkgWV5gsKJBxAYJvptlahn9Ud
-b6FBFngM/Z9rk/M4R692z5WWLwfxFScEw3/FfF9aH5ztCAM1u3L5QjqANcdbVl86
-x2kUXZh9A7EjUhnI25xu4aEVJBHTcq46rZQw88lW/+Xxavon03dHuaHhrZXMF5mD
-rIGvumSlB1XzCz2lOQG4zrUnXtKw6rm7fr20Zn5KQEgiUD+d2Hs8lvkWmP0qKiP+
-EWdJrAfprv85tKqQMxldnrOK9FwH9TQh4TmhYlp+6vvsfZMZB4uDMlvKBtlI+7Yh
-O61HKIDSsEqq6tdy312ENOjZVZsPsNkZCdOm6irTTymB9Id1LJ+3jv+lakPzluW/
-rTeq2S0UMMvByRsTGiI3ettxgOwo/jWAJiMTWb26ldpxHqyvOIX7b40Wvk+KRx9T
-Vgx4kkuS5ycNi0YgUBs98imh8GXvBEufvpZCtcd5OQIDAQABo4IDIjCCAx4wDgYD
-VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAJBgNV
-HRMEAjAAMB0GA1UdDgQWBBRX3j8T9Ti5uurAxnFHSb/P6Q4Z9jAfBgNVHSMEGDAW
-gBSxPxySe5KwWiWzOPucB6QmUDLjUTBvBggrBgEFBQcBAQRjMGEwJAYIKwYBBQUH
-MAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTA5BggrBgEFBQcwAoYtaHR0cDov
-L2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2NhLnNlcnZlcjMuY3J0MDgGA1UdHwQx
-MC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3NjYS1zZXJ2ZXIzLmNy
-bDB4BgNVHREEcTBvgg9lc2EubWFwcy5lb3guYXSCFXRpbGVzLmVzYS5tYXBzLmVv
-eC5hdIIXKi50aWxlcy5lc2EubWFwcy5lb3guYXSCE29zbS5lc2EubWFwcy5lb3gu
-YXSCF3N0YWdpbmcuZXNhLm1hcHMuZW94LmF0MCMGA1UdEgQcMBqGGGh0dHA6Ly93
-d3cuc3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAjA8BgsrBgEEAYG1
-NwECBTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9s
-aWN5MIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAaPaY+B9kgr46jO65KB1M/HFR
-XWeT1ETRCmesu09P+8QAAAFVA3EKawAABAMARzBFAiAQMFKOGTFIZzbVuZ8R2C+u
-4QgL0vnSOBT3ylGgjAf+AQIhAOHkMTkhr0APu8jaCkos4c9k8vrn5DWq0k8WXT12
-ip4fAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFVA3EMcwAA
-BAMARjBEAiASftiRTzUpe+IDonZidGHzHKlKwPZoaOE2zqsH1AW9jgIgM7Jmphm1
-rGkakcVooaUudEfCTN/fTJ7cs3kPiljWmkgwDQYJKoZIhvcNAQELBQADggEBAIp2
-QqqJ6+TRRr7cBeiMw+4MrQhbaf+Y0bAsPOF9KOnQ9JMavEki08JRLYLVSraqDW1+
-mrlk+mbvh9mEFkTIvwW5wt/S5tgbRE/fmDBTElRwLPVlvbwRNKNg/54lXhwgETM8
-oTOfxC+dK7bg+EFj3r71d7wf/qhPCBYmN9yk2z4tby1nYI6c+8xXVxnrKGIOOb/X
-MAB1eHNvjMHHmhlSV33Z6nqrTzeUEDS5R6X1v3lCtP/058o6NDdLmJ/hTy/So5eB
-8NwcilckyoYeI64QXg61KmH+9+scQ2bddWtuDJvnNo0NH1XPOuxl9HpaxBSzIflK
-2Wfpr7x/2VCKeO7Mfpo=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-
- <!--
- This tells IdPs where and how to push assertions through the browser. Mostly
- the SP will tell the IdP what location to use in its request, but this
- is how the IdP validates the location and also figures out which
- SAML version/binding to use.
- -->
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
- <AssertionConsumerService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
- index="8" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
-
- <!-- This tells IdPs that you only need transient identifiers. -->
- <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-
- </SPSSODescriptor>
-
- <Organization>
- <OrganizationName xml:lang="en">eox</OrganizationName>
- <OrganizationDisplayName xml:lang="en">EOX IT Services GmbH</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://eox.at</OrganizationURL>
- </Organization>
-</EntityDescriptor>
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 0291f929147f7b94b4edd3d894708eb1644f68c1..495ef4ebe69d35abf1ee6835c1427a931cf22431 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -22,7 +22,7 @@ http:
 - "***REMOVED***"
 shibAuth:
 forwardAuth:
- address: http://auth/auth
+ address: http://shibauth/secure
 trustForwardHeader: true
 compress:
 compress: {}
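Review bot: The `shibAuth` forwardAuth middleware now points at `http://shibauth/secure` with only `address` and `trustForwardHeader` set, so Traefik copies none of the SP's response headers to the protected backend and the backend sees only the allow/deny outcome. If the services behind this middleware are expected to know the Shibboleth identity, add `authResponseHeaders` with the specific header names the SP emits rather than a wildcard; if pass/fail is all that is needed, a comment saying so would stop someone re-adding headers by accident. The hostname `shibauth` resolves only because Traefik is attached to the `shibauth-extnet` overlay in docker-compose.base.ops.yml, an implicit coupling worth a comment on the address line, e.g. `# resolved over the shibauth-extnet overlay; keep traefik attached to it`. `trustForwardHeader: true` is appropriate as long as `shibauth` stays reachable from Traefik alone over that overlay; whether the SP-side `/secure` location itself relies on those forwarded headers cannot be verified from this diff.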