Merge branch 'shib-auth' into 'staging'

Shib auth See merge request !34

Merge branch 'shib-auth' into 'staging'
ea5cf519 · Lubomir Dolezal · 0104046a · c9a8be2c · ea5cf519 · ea5cf519
Commit ea5cf519 authored 4 years ago by Lubomir Dolezal
--- a/README.md
+++ b/README.md
@@ -53,6 +53,13 @@ The following services are defined via docker compose files.
 * provides the endpoint for external access
 * configured via docker labels

+### shibauth
+
+* based on the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth SP3 image
+* provides authentication and authorization via SAML2
+* docker configuration files set access control rules
+* traefik labels determine which services are protected via Shib
+
 ### database

 * based on external postgis:10 image
@@ -226,6 +233,18 @@ docker secret create BASIC_AUTH_USERS_AUTH auth_list.txt
 docker secret create BASIC_AUTH_USERS_APIAUTH auth_list_api.txt
 ```

+In case **shibauth** service will be used, for production deployment, two more secrets need to be created for each stack, where **shibauth** is deployed. These ensure that the SP is recognized and its identity confirmed by the IDP. They are configured as **stack-name-capitalized_SHIB_KEY** and **stack-name-capitalized_SHIB_CERT**. In order to create them, use the attached **keygen.sh** command-line tool in */config* folder. 
+```bash
+SPURL="https://emg.pass.copernicus.eu" # service initial access point made accessible by traefik
+./config/keygen.sh -h $SPURL -y 20 -e https://$SPURL/shibboleth -n sp-signing -f
+docker secret create EMG_SHIB_CERT sp-signing-cert.pem 
+docker secret create EMG_SHIB_KEY sp-signing-key.pem 
+```
+Additionally a docker config `idp-metadata` containing the metadata of the used IDP needs to be added:
+```bash
+docker config create idp_metadata idp-metadata-received.xml 
+```
+
 Deploy the stack in dev environment:
 ```
 docker stack deploy -c docker-compose.vhr18.yml -c docker-compose.vhr18.dev.yml -c docker-compose.logging.yml -c docker-compose.logging.dev.yml vhr18-pvs  # start VHR_IMAGE_2018 stack in dev mode, for example to use local sources

--- a/config/shibboleth/attribute-map.xml
+++ b/config/shibboleth/attribute-map.xml
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-signed-tcs" id="spField1"/>
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-user-category" id="spField2"/>
+</Attributes>
--- a/config/shibboleth/dem-ac-cache.xml
+++ b/config/shibboleth/dem-ac-cache.xml
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services Public_Auth Int_Org_NGO
+    </Rule>
+  </AND>
+</AccessControl>
--- a/config/shibboleth/dem-ac.xml
+++ b/config/shibboleth/dem-ac.xml
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services
+    </Rule>
+  </AND>
+</AccessControl>
--- a/config/shibboleth/dem-shibboleth2.xml
+++ b/config/shibboleth/dem-shibboleth2.xml
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
--- a/config/shibboleth/emg-ac-cache.xml
+++ b/config/shibboleth/emg-ac-cache.xml
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+  </AND>
+</AccessControl>
--- a/config/shibboleth/emg-ac.xml
+++ b/config/shibboleth/emg-ac.xml
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+  </AND>
+</AccessControl>
--- a/config/shibboleth/emg-shibboleth2.xml
+++ b/config/shibboleth/emg-shibboleth2.xml
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
--- a/config/shibboleth/index.html
+++ b/config/shibboleth/index.html
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Authentication Success</title>
+</head>
+<body>
+    <h1>Your login was successful and you were granted access to the service.
+      Please access the URL, which you originally requested. Proper redirection is not implemented yet.</h1>
+</body>
+</html>
--- a/config/shibboleth/keygen.sh
+++ b/config/shibboleth/keygen.sh
+#! /bin/sh
+
+while getopts n:h:u:g:o:e:y:bf c
+     do
+         case $c in
+           u)         USER=$OPTARG;;
+           g)         GROUP=$OPTARG;;
+           o)         OUT=$OPTARG;;
+           b)         BATCH=1;;
+           f)         FORCE=1;;
+           h)         FQDN=$OPTARG;;
+           e)         ENTITYID=$OPTARG;;
+           y)         YEARS=$OPTARG;;
+		   n)         PREFIX=$OPTARG;;
+		   \?)        echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix (default 'sp')]"
+                      exit 1;;
+         esac
+     done
+     
+if [ -z "$OUT" ] ; then
+    OUT=.
+fi
+
+if [ -z "$PREFIX" ]; then
+	PREFIX="sp"
+fi
+
+if [ -n "$FORCE" ] ; then
+    rm $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
+fi
+
+if  [ -s $OUT/${PREFIX}-key.pem -o -s $OUT/${PREFIX}-cert.pem ] ; then
+    if [ -z "$BATCH" ] ; then  
+        echo The files $OUT/${PREFIX}-key.pem and/or $OUT/${PREFIX}-cert.pem already exist!
+        echo Use -f option to force recreation of keypair.
+        exit 2
+    fi
+    exit 0
+fi
+
+if [ -z "$FQDN" ] ; then
+    FQDN=`hostname`
+fi
+
+if [ -z "$YEARS" ] ; then
+    YEARS=10
+fi
+
+DAYS=`expr $YEARS \* 365`
+
+if [ -z "$ENTITYID" ] ; then
+    ALTNAME=DNS:$FQDN
+else
+    ALTNAME=DNS:$FQDN,URI:$ENTITYID
+fi
+
+SSLCNF=$OUT/${PREFIX}-cert.cnf
+cat >$SSLCNF <<EOF
+# OpenSSL configuration file for creating keypair
+[req]
+prompt=no
+default_bits=3072
+encrypt_key=no
+default_md=sha256
+distinguished_name=dn
+# PrintableStrings only
+string_mask=MASK:0002
+x509_extensions=ext
+[dn]
+CN=$FQDN
+[ext]
+subjectAltName=$ALTNAME
+subjectKeyIdentifier=hash
+EOF
+
+touch $OUT/${PREFIX}-key.pem
+chmod 600 $OUT/${PREFIX}-key.pem
+if [ -z "$BATCH" ] ; then
+    openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem
+else
+    openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem 2> /dev/null
+fi
+rm $SSLCNF
+
+if  [ -s $OUT/${PREFIX}-key.pem -a -n "$USER" ] ; then
+    chown $USER $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
+fi
+
+if  [ -s $OUT/${PREFIX}-key.pem -a -n "$GROUP" ] ; then
+    chgrp $GROUP $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
+fi
--- a/config/shibboleth/native.logger
+++ b/config/shibboleth/native.logger
+# set overall behavior
+log4j.rootCategory=INFO, native_log
+
+# fairly verbose for DEBUG, so generally leave at WARN/INFO
+log4j.category.XMLTooling.XMLObject=WARN
+log4j.category.XMLTooling.KeyInfoResolver=WARN
+log4j.category.Shibboleth.IPRange=WARN
+log4j.category.Shibboleth.PropertySet=WARN
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=WARN
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.RollingFileAppender
+log4j.appender.native_log.fileName=/dev/stdout
+log4j.appender.native_log.maxFileSize=0
+log4j.appender.native_log.maxBackupIndex=0
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=sp-native %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.warn_log.fileName=/var/log/shibboleth-www/native_warn.log
+#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#log4j.appender.warn_log.threshold=WARN
--- a/config/shibboleth/shib-apache.conf
+++ b/config/shibboleth/shib-apache.conf
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
+ShibCompatValidUser On
+UseCanonicalName On
+DocumentRoot "/var/www/html"
+
+<Location />
+  SetHandler shib
+</Location>
+
+<VirtualHost *:80>
+  PassEnv APACHE_SERVERNAME
+  ServerName "${APACHE_SERVERNAME}"
+  <Location /secure>
+    <If "-n req('Authorization')">
+      Require valid-user
+      AuthType Basic
+      AuthBasicProvider file
+      AuthName "/secure"
+      AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
+    </If>
+    <Else>
+      AuthType shibboleth
+      ShibRequestSetting requireSession 1
+      Require shib-plugin /etc/shibboleth/pass-ac.xml
+    </Else>
+  </Location>
+  <Location /secure-cache>
+    <If "-n req('Authorization')">
+      Require valid-user
+      AuthType Basic
+      AuthBasicProvider file
+      AuthName "/secure"
+      AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
+    </If>
+    <Else>
+      AuthType shibboleth
+      ShibRequestSetting requireSession 1
+      Require shib-plugin /etc/shibboleth/pass-ac-cache.xml
+    </Else>
+  </Location>
+</VirtualHost>
--- a/config/shibboleth/shibd.logger
+++ b/config/shibboleth/shibd.logger
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+log4j.ownAppenders.XMLTooling.Signature.Debugger=true
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+log4j.ownAppenders.Shibboleth-TRANSACTION=true
+
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+log4j.appender.shibd_log.fileName=/dev/stdout
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.maxBackupIndex=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=sp-shibd %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+#log4j.appender.warn_log.maxFileSize=0
+#log4j.appender.warn_log.maxBackupIndex=0
+#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#log4j.appender.warn_log.threshold=WARN
+
+log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+log4j.appender.tran_log.fileName=/dev/stdout
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.maxBackupIndex=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=sp-transaction %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/dev/stdout
+log4j.appender.sig_log.maxFileSize=0
+log4j.appender.sig_log.maxBackupIndex=0
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=sp-signature %m
+
--- a/config/shibboleth/vhr18-ac-cache.xml
+++ b/config/shibboleth/vhr18-ac-cache.xml
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth Int_Org_NGO Public
+    </Rule>
+  </AND>
+</AccessControl>
--- a/config/shibboleth/vhr18-ac.xml
+++ b/config/shibboleth/vhr18-ac.xml
+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth Int_Org_NGO
+    </Rule>
+  </AND>
+</AccessControl>
--- a/config/shibboleth/vhr18-shibboleth2.xml
+++ b/config/shibboleth/vhr18-shibboleth2.xml
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://vhr18.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -20,7 +20,7 @@ services:
    environment:
      HTTP_PROXY: "http://172.30.252.68:3128"
      HTTPS_PROXY: "http://172.30.252.68:3128"
-      NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8"
+      NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8,shibauth"
    deploy:
      placement:
        constraints: [node.role == manager]
@@ -47,4 +47,4 @@ secrets:
  BASIC_AUTH_USERS_APIAUTH:
    external: true
  BASIC_AUTH_USERS_AUTH:
-    external: true
+    external: true
\ No newline at end of file
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -14,16 +14,16 @@ services:
      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
    deploy:
      labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
-        - "traefik.http.routers.dem-renderer.tls=true"
-        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
-        - "traefik.http.routers.dem-renderer.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.dem-renderer-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer-shib.tls=true"
+        - "traefik.http.routers.dem-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.dem-renderer-redirect-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-redirect-shib.entrypoints=http"
        # router for referrer based access (https)
        - "traefik.http.routers.dem-renderer_referer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.dem-renderer_referer.middlewares=compress@file,cors@file"
@@ -34,6 +34,16 @@ services:
        - "traefik.http.routers.dem-renderer_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.dem-renderer_referer-redirect.middlewares=redirect@file"
        - "traefik.http.routers.dem-renderer_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.dem-renderer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.dem-renderer.tls=true"
+        - "traefik.http.routers.dem-renderer.tls.certresolver=default"
+        - "traefik.http.routers.dem-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.dem-renderer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.dem-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-renderer-redirect.entrypoints=http"
        # general
        - "traefik.http.services.dem-renderer.loadbalancer.sticky=false"
        - "traefik.http.services.dem-renderer.loadbalancer.server.port=80"
@@ -57,16 +67,16 @@ services:
    deploy:
      labels:
        - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.dem-cache.tls=true"
-        - "traefik.http.routers.dem-cache.tls.certresolver=default"
-        - "traefik.http.routers.dem-cache.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.dem-cache-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.dem-cache-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.dem-cache-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.dem-cache-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache-shib.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.dem-cache-shib.tls=true"
+        - "traefik.http.routers.dem-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-cache-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.dem-cache-redirect-shib.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.dem-cache-redirect-shib.entrypoints=http"
        # router for referrer based access (https)
        - "traefik.http.routers.dem-cache_referer.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.dem-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
@@ -77,6 +87,16 @@ services:
        - "traefik.http.routers.dem-cache_referer-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|dem.pdas.prism.eox.at|dem.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.dem-cache_referer-redirect.middlewares=redirect@file"
        - "traefik.http.routers.dem-cache_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.dem-cache.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.dem-cache.tls=true"
+        - "traefik.http.routers.dem-cache.tls.certresolver=default"
+        - "traefik.http.routers.dem-cache.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.dem-cache-redirect.rule=Host(`dem.pdas.prism.eox.at`, `a.dem.pdas.prism.eox.at`, `b.dem.pdas.prism.eox.at`, `c.dem.pdas.prism.eox.at`, `d.dem.pdas.prism.eox.at`, `e.dem.pdas.prism.eox.at`, `f.dem.pdas.prism.eox.at`, `g.dem.pdas.prism.eox.at`, `h.dem.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.dem-cache-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.dem-cache-redirect.entrypoints=http"
        # general
        - "traefik.http.services.dem-cache.loadbalancer.sticky=false"
        - "traefik.http.services.dem-cache.loadbalancer.server.port=80"
@@ -109,14 +129,24 @@ services:
        target: /usr/share/nginx/html/index.html
    deploy:
      labels:
+        # router for shib auth based access (https)
+        - "traefik.http.routers.dem-client-shib.rule=Host(`dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-shib.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.dem-client-shib.tls=true"
+        - "traefik.http.routers.dem-client-shib.tls.certresolver=default"
+        - "traefik.http.routers.dem-client-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.dem-client-redirect-shib.rule=Host(`dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.dem-client-redirect-shib.entrypoints=http"
        # router for basic auth based access (https)
-        - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client.rule=Host(`dem.pdas.prism.eox.at`)"
        - "traefik.http.routers.dem-client.middlewares=auth@file,compress@file"
        - "traefik.http.routers.dem-client.tls=true"
        - "traefik.http.routers.dem-client.tls.certresolver=default"
        - "traefik.http.routers.dem-client.entrypoints=https"
        # router for basic auth based access (http)
-        - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`, `dem.pass.copernicus.eu`)"
+        - "traefik.http.routers.dem-client-redirect.rule=Host(`dem.pdas.prism.eox.at`)"
        - "traefik.http.routers.dem-client-redirect.middlewares=redirect@file"
        - "traefik.http.routers.dem-client-redirect.entrypoints=http"
        # general
@@ -141,9 +171,89 @@ services:
      placement:
        constraints:
          - node.labels.type == internal
+  shibauth:
+    image: unicon/shibboleth-sp:3.0.4
+    environment:
+      APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
+    secrets:
+      - source: DEM_SHIB_CERT
+        target: SHIB_CERT
+      - source: DEM_SHIB_KEY
+        target: SHIB_KEY
+      - BASIC_AUTH_USERS_AUTH
+    deploy:
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.shibauth.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`dem.pass.copernicus.eu`, `a.dem.pass.copernicus.eu`, `b.dem.pass.copernicus.eu`, `c.dem.pass.copernicus.eu`, `d.dem.pass.copernicus.eu`, `e.dem.pass.copernicus.eu`, `f.dem.pass.copernicus.eu`, `g.dem.pass.copernicus.eu`, `h.dem.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+        - "traefik.docker.network=dem-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+    networks:
+      - extnet
+    configs:
+      - source: shib-access-control-conf
+        target: /etc/shibboleth/pass-ac.xml
+      - source: shib-access-control-conf-cache
+        target: /etc/shibboleth/pass-ac-cache.xml
+      - source: shib-shibboleth2
+        target: /etc/shibboleth/shibboleth2.xml
+      - source: shib-apache
+        target: /etc/httpd/conf.d/shib.conf
+      - source: shib-attribute-map
+        target: /etc/shibboleth/attribute-map.xml
+      - source: idp-metadata
+        target: /etc/shibboleth/idp-metadata.xml
+      - source: shib-index
+        target: /var/www/html/secure/index.html
+      - source: shib-index
+        target: /var/www/html/secure-cache/index.html
+      - source: shibd-logger
+        target: /etc/shibboleth/shibd.logger
+      - source: native-logger
+        target: /etc/shibboleth/native.logger
  ingestor:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.2 # bumpversion
 networks:
  extnet:
    name: dem-extnet
    external: true
+configs:
+  shib-access-control-conf:
+    file: ./config/shibboleth/dem-ac.xml
+  shib-access-control-conf-cache:
+    file: ./config/shibboleth/dem-ac-cache.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/dem-shibboleth2.xml
+  shib-apache:
+    file: ./config/shibboleth/shib-apache.conf
+  shib-attribute-map:
+    file: ./config/shibboleth/attribute-map.xml
+  shib-index:
+    file: ./config/shibboleth/index.html
+  native-logger:
+    file: ./config/shibboleth/native.logger
+  shibd-logger:
+    file: ./config/shibboleth/shibd.logger
+  idp-metadata:
+    external: true
+secrets:
+  DEM_SHIB_CERT:
+    external: true
+  DEM_SHIB_KEY:
+    external: true
+  BASIC_AUTH_USERS_AUTH:
+    external: true
--- a/docker-compose.dem.yml
+++ b/docker-compose.dem.yml
@@ -227,4 +227,3 @@ secrets:
    external: true
  DJANGO_PASSWORD:
    external: true
-  
\ No newline at end of file
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -14,16 +14,16 @@ services:
      INSTANCE_DIR: "/var/www/pvs/ops/pvs_instance/"
    deploy:
      labels:
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
-        - "traefik.http.routers.emg-renderer.tls=true"
-        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
-        - "traefik.http.routers.emg-renderer.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
-        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer-shib.tls=true"
+        - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
        # router for referrer based access (https)
        - "traefik.http.routers.emg-renderer_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.emg-renderer_referer.middlewares=compress@file,cors@file"
@@ -34,6 +34,16 @@ services:
        - "traefik.http.routers.emg-renderer_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.emg-renderer_referer-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-renderer_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
+        - "traefik.http.routers.emg-renderer.tls=true"
+        - "traefik.http.routers.emg-renderer.tls.certresolver=default"
+        - "traefik.http.routers.emg-renderer.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-renderer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+        - "traefik.http.routers.emg-renderer-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-renderer-redirect.entrypoints=http"
        # general
        - "traefik.http.services.emg-renderer.loadbalancer.sticky=false"
        - "traefik.http.services.emg-renderer.loadbalancer.server.port=80"
@@ -57,16 +67,16 @@ services:
    deploy:
      labels:
        - "traefik.http.middlewares.cache-stripprefix.stripprefix.prefixes=/cache"
-        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
-        - "traefik.http.routers.emg-cache.tls=true"
-        - "traefik.http.routers.emg-cache.tls.certresolver=default"
-        - "traefik.http.routers.emg-cache.entrypoints=https"
-        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
-        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
-        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
+        # router for shib auth based access (https)
+        - "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-shib.middlewares=shibAuthCache@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache-shib.tls=true"
+        - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.emg-cache-redirect-shib.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
        # router for referrer based access (https)
        - "traefik.http.routers.emg-cache_referer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.emg-cache_referer.middlewares=cache-stripprefix,compress@file,cors@file"
@@ -77,6 +87,16 @@ services:
        - "traefik.http.routers.emg-cache_referer-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`Referer`, `(https?://)?(panda.copernicus.eu|panda.cdsv3.eu|panda-demo.ondaprism.eu|panda-demo.copernicus.eu|cdsportal-demo.copernicus.eu|ocqc-demo.copernicus.eu|spdm-intservices.cds.esa.int|spdm-intservices-adm.cds.esa.int|emg.pdas.prism.eox.at|emg.pass.copernicus.eu)/?`)"
        - "traefik.http.routers.emg-cache_referer-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-cache_referer-redirect.entrypoints=http"
+        # router for basic auth based access (https)
+        - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache.middlewares=auth@file,cache-stripprefix,compress@file,cors@file"
+        - "traefik.http.routers.emg-cache.tls=true"
+        - "traefik.http.routers.emg-cache.tls.certresolver=default"
+        - "traefik.http.routers.emg-cache.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.emg-cache-redirect.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
+        - "traefik.http.routers.emg-cache-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.emg-cache-redirect.entrypoints=http"
        # general
        - "traefik.http.services.emg-cache.loadbalancer.sticky=false"
        - "traefik.http.services.emg-cache.loadbalancer.server.port=80"
@@ -109,14 +129,24 @@ services:
        target: /usr/share/nginx/html/index.html
    deploy:
      labels:
+        # router for shib auth based access (https)
+        - "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-shib.middlewares=shibAuthCache@file,compress@file"
+        - "traefik.http.routers.emg-client-shib.tls=true"
+        - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
+        - "traefik.http.routers.emg-client-shib.entrypoints=https"
+        # router for shib auth based access (http)
+        - "traefik.http.routers.emg-client-redirect-shib.rule=Host(`emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-redirect-shib.middlewares=redirect@file"
+        - "traefik.http.routers.emg-client-redirect-shib.entrypoints=http"
        # router for basic auth based access (https)
-        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client.rule=Host(`emg.pdas.prism.eox.at`)"
        - "traefik.http.routers.emg-client.middlewares=auth@file,compress@file"
        - "traefik.http.routers.emg-client.tls=true"
        - "traefik.http.routers.emg-client.tls.certresolver=default"
        - "traefik.http.routers.emg-client.entrypoints=https"
        # router for basic auth based access (http)
-        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`, `emg.pass.copernicus.eu`)"
+        - "traefik.http.routers.emg-client-redirect.rule=Host(`emg.pdas.prism.eox.at`)"
        - "traefik.http.routers.emg-client-redirect.middlewares=redirect@file"
        - "traefik.http.routers.emg-client-redirect.entrypoints=http"
        # general
@@ -141,9 +171,89 @@ services:
      placement:
        constraints:
          - node.labels.type == internal
+  shibauth:
+    image: unicon/shibboleth-sp:3.0.4
+    environment:
+      APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
+    secrets:
+      - source: EMG_SHIB_CERT
+        target: SHIB_CERT
+      - source: EMG_SHIB_KEY
+        target: SHIB_KEY
+      - BASIC_AUTH_USERS_AUTH
+    deploy:
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
+      labels:
+        # router for basic auth based access (https)
+        - "traefik.http.routers.shibauth.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth.middlewares=compress@file,cors@file"
+        - "traefik.http.routers.shibauth.tls=true"
+        - "traefik.http.routers.shibauth.tls.certresolver=default"
+        - "traefik.http.routers.shibauth.entrypoints=https"
+        # router for basic auth based access (http)
+        - "traefik.http.routers.shibauth-redirect.rule=Host(`emg.pass.copernicus.eu`, `a.emg.pass.copernicus.eu`, `b.emg.pass.copernicus.eu`, `c.emg.pass.copernicus.eu`, `d.emg.pass.copernicus.eu`, `e.emg.pass.copernicus.eu`, `f.emg.pass.copernicus.eu`, `g.emg.pass.copernicus.eu`, `h.emg.pass.copernicus.eu`) && PathPrefix(`/secure`, `/secure-cache`, `/Shibboleth.sso`)"
+        - "traefik.http.routers.shibauth-redirect.middlewares=redirect@file"
+        - "traefik.http.routers.shibauth-redirect.entrypoints=http"
+        # general
+        - "traefik.http.services.shibauth.loadbalancer.sticky=false"
+        - "traefik.http.services.shibauth.loadbalancer.server.port=80"
+        - "traefik.docker.network=emg-extnet"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+    networks:
+      - extnet
+    configs:
+      - source: shib-access-control-conf
+        target: /etc/shibboleth/pass-ac.xml
+      - source: shib-access-control-conf-cache
+        target: /etc/shibboleth/pass-ac-cache.xml
+      - source: shib-shibboleth2
+        target: /etc/shibboleth/shibboleth2.xml
+      - source: shib-apache
+        target: /etc/httpd/conf.d/shib.conf
+      - source: shib-attribute-map
+        target: /etc/shibboleth/attribute-map.xml
+      - source: idp-metadata
+        target: /etc/shibboleth/idp-metadata.xml
+      - source: shib-index
+        target: /var/www/html/secure/index.html
+      - source: shib-index
+        target: /var/www/html/secure-cache/index.html
+      - source: shibd-logger
+        target: /etc/shibboleth/shibd.logger
+      - source: native-logger
+        target: /etc/shibboleth/native.logger
  ingestor:
    image: registry.gitlab.eox.at/esa/prism/vs/pvs_ingestor:release-1.0.0-rc.2 # bumpversion
 networks:
  extnet:
    name: emg-extnet
    external: true
+configs:
+  shib-access-control-conf:
+    file: ./config/shibboleth/emg-ac.xml
+  shib-access-control-conf-cache:
+    file: ./config/shibboleth/emg-ac-cache.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/emg-shibboleth2.xml
+  shib-apache:
+    file: ./config/shibboleth/shib-apache.conf
+  shib-attribute-map:
+    file: ./config/shibboleth/attribute-map.xml
+  shib-index:
+    file: ./config/shibboleth/index.html
+  native-logger:
+    file: ./config/shibboleth/native.logger
+  shibd-logger:
+    file: ./config/shibboleth/shibd.logger
+  idp-metadata:
+    external: true
+secrets:
+  EMG_SHIB_CERT:
+    external: true
+  EMG_SHIB_KEY:
+    external: true
+  BASIC_AUTH_USERS_AUTH:
+    external: true