cleanup, separate shibboleth2.xml for collections

README.md

@@ -47,6 +47,13 @@ The following services are defined via docker compose files.
 * provides the endpoint for external access
 * configured via docker labels
 
+### shibauth
+
+* based on the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth image
+* provides authentication and authorization via SAML2
+* docker configuration files set access control rules
+* traefik labels determine which services are protected via Shib
+
 ### database
 
 * based on external postgis:10 image

config/shibboleth/shibboleth2.xml → config/shibboleth/dem-shibboleth2.xml

@@ -4,7 +4,7 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-    <ApplicationDefaults entityID="https://emg.pdas.prism.eox.at/shibboleth"
+    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
@@ -23,7 +23,7 @@
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+        <CredentialResolver type="File" key="/run/secrets/DEM_SHIB_KEY" certificate="/run/secrets/DEM_SHIB_CERT"/>
     </ApplicationDefaults>
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

config/shibboleth/emg-shibboleth2.xml

+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/EMG_SHIB_KEY" certificate="/run/secrets/EMG_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file

config/shibboleth/index.html

@@ -2,9 +2,10 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>APACHE TEST</title>
+    <title>Authentication Success</title>
 </head>
 <body>
-    <h1>TESTING APACHE</h1>   
+    <h1>Your login was successful and you were granted access to the service.
+      Please access the URL, which you originally requested. Proper redirection is not implemented yet.</h1>
 </body>
 </html>

config/shibboleth/native.logger

 # set overall behavior
-log4j.rootCategory=DEBUG, native_log
+log4j.rootCategory=INFO, native_log
 
 # fairly verbose for DEBUG, so generally leave at WARN/INFO
 log4j.category.XMLTooling.XMLObject=WARN

config/shibboleth/shibd.logger

 # set overall behavior
-log4j.rootCategory=DEBUG, shibd_log, warn_log
+log4j.rootCategory=INFO, shibd_log, warn_log
 
 # fairly verbose for DEBUG, so generally leave at INFO
 log4j.category.XMLTooling.XMLObject=INFO

config/shibboleth/vhr18-shibboleth2.xml

+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://vhr18.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/VHR18_SHIB_KEY" certificate="/run/secrets/VHR18_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file

docker-compose.dem.ops.yml

@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - DEM_SHIB_CERT
+      - DEM_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/dem_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/dem_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/dem-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  DEM_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  DEM_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true

docker-compose.emg.ops.yml

@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - EMG_SHIB_CERT
+      - EMG_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/emg_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/emg_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/emg-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  EMG_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  EMG_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true

docker-compose.vhr18.ops.yml

@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - VHR18_SHIB_CERT
+      - VHR18_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/vhr18_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/vhr18_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/vhr18-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   shib-idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  VHR18_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  VHR18_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true

traefik.yml

@@ -19,7 +19,7 @@ providers:
 api:
   dashboard: true
 log:
-  level: DEBUG
+  level: INFO
 accessLog: {}
 certificatesResolvers:
   default: