How to deploy shibboleth service provider in Kubernetes environment?

5/24/2019

I am trying to configure shibboleth service provider in kubernetes environment.

In a non-docker environment, the apache2 and shibd services run on the same server, and apache2 communicates with shibd using the mod_shib apache module (correct me if I am wrong).

Is it possible to deploy the shibboleth service provider in one container and apache in a separate container? If yes, has anyone done this already? Are there any docs?

I ask because I already have pods running in my environment: one for apache and another one for a Java Spring Boot application. Apache acts as a reverse proxy for my Java app.

Now I just want to deploy one more container for shibboleth, is it possible?

-- karthikeayan
docker
kubernetes
shibboleth
shibboleth-sp
single-sign-on

1 Answer

5/25/2019

Shibboleth must be installed inside apache itself.

So no, you cannot separate the shibboleth container out of the apache container.

Your assumption is right, your apache communicates with mod_shib.

You have three options:

  1. Use a ready-made docker image for shibboleth - like this one.

The issue with this is that you need to set up everything else related to apache on your own.

  2. Use two separate apache instances, one for proxy pass and the other for the shibboleth installation.

As you want to install the shibboleth SP, you may try to proxy pass the secured location, like /secure, in the reverse proxy apache to the shibboleth-installed apache.

This way you can separate out the reverse proxy and the shibboleth SP into separate containers, but you may add a little overhead for multiple proxies. However, I don't see too much overhead.

  3. Build your own. Use these steps.

Shibboleth on Linux is only supported out of the box on RPM-based distributions. You need to modify shibboleth2.xml. Add a metadata file or URL for the IdP. Some certificates too.

You can mix this option with the first two too.

-- Akshay
Source: StackOverflow
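
Option 2 of the answer, sketched as Apache configuration; this is an added example, not part of the original question or answer. The names `www.example.org`, `sp-apache` and `spring-app`, port 8080 and the certificate paths are assumptions, as is the SP apache forwarding `/secure` on to the Java app.

```apache
# Container 1: existing reverse proxy apache (public entry point).
# Needs mod_ssl, mod_proxy and mod_proxy_http; no mod_shib here.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/tls.crt   # placeholder path
    SSLCertificateKeyFile /etc/ssl/example/tls.key   # placeholder path

    ProxyPreserveHost On

    # Specific prefixes first: ProxyPass rules are checked in order.
    # The protected area and the SP's handler endpoints go to the
    # Shibboleth-enabled apache (assumed Service name sp-apache).
    ProxyPass        /secure         http://sp-apache:8080/secure
    ProxyPassReverse /secure         http://sp-apache:8080/secure
    ProxyPass        /Shibboleth.sso http://sp-apache:8080/Shibboleth.sso
    ProxyPassReverse /Shibboleth.sso http://sp-apache:8080/Shibboleth.sso

    # Everything else goes straight to the app (assumed Service name).
    ProxyPass        / http://spring-app:8080/
    ProxyPassReverse / http://spring-app:8080/
</VirtualHost>

# Container 2: apache with mod_shib, with shibd running in the same container.
<VirtualHost *:8080>
    # TLS ends at the front proxy, so state the external URL here;
    # mod_shib builds its redirects and endpoint URLs from it.
    ServerName https://www.example.org:443
    UseCanonicalName On

    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
        # Hand the released attributes to the proxied app as request headers.
        ShibUseHeaders On
    </Location>

    # Authenticated requests continue to the Java app.
    ProxyPass        /secure http://spring-app:8080/secure
    ProxyPassReverse /secure http://spring-app:8080/secure
</VirtualHost>
```

`/Shibboleth.sso` is proxied as well because the SP's session handlers live under that path by default. With `ShibUseHeaders On` the app reads identity from request headers, so it should trust those headers only on requests that arrive from the SP apache.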