ucam-shib-proxy: allow IdP metadata to be configured

Add the ability to use a different IdP than the default shib.raven.cam.ac.uk. This is useful to quickly spin up an SP pointing to a test instance of Shibboleth. Closes #19

ucam-shib-proxy: allow IdP metadata to be configured
c76918bf · Dr Rich Wareham · 6460c98d · c76918bf · c76918bf · c76918bf
Commit c76918bf authored 6 years ago by Dr Rich Wareham
--- a/ucam-shib-proxy/Dockerfile
+++ b/ucam-shib-proxy/Dockerfile
@@ -19,6 +19,8 @@ ENV APACHE_LOG_DIR /var/log/apache2
 ENV APACHE_LOCK_DIR /var/lock/apache2
 ENV APACHE_PID_FILE /var/run/apache2/apache2.pid

+ENV IDP_METADATA_URL https://shib.raven.cam.ac.uk/shibboleth
+
 EXPOSE 80

 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
--- a/ucam-shib-proxy/README.md
+++ b/ucam-shib-proxy/README.md
@@ -45,6 +45,7 @@ The following environment variables are used for configuration:
    ensure that the user is on the "canonical" site.
 * SITE_ADMIN_EMAIL (required) - The email address that will be included in any error messages
 * LOOKUP_GROUP_ID (optional) - Lookup group ID to further restrict valid users.
+* IDP_METADATA_URL (optional) - Override the metadata URL for the IdP. See blow.

 ## Replicated deployment

@@ -74,3 +75,21 @@ Once the container is running for the first time visit http://yourhost.cam.ac.uk
 The container is available on Docker hub but may be built explicitly via the
 usual ``docker build -t uisautomation/ucam-shib-proxy .`` command issued in
 the root of the repository.
+
+## Using a different IdP
+
+The container is configured by default to use
+https://shib.raven.cam.ac.uk/shibboleth as the metadata URL for the IdP. To use,
+for example, the test instance:
+
+```bash
+$ docker run --rm -it \
+    -e IDP_METADATA_URL=https://shib3-test.raven.cam.ac.uk/shibboleth \
+    -e SERVER_NAME=localhost \
+    -e BACKEND_URL=http://www.example.com/ \
+    -e SITE_ADMIN_EMAIL=example@cam.ac.uk \
+    -v shib-keys:/etc/shibboleth/keys \
+    -e LOOKUP_GROUP_ID=101611 \
+    -p 8080:80 \
+    uisautomation/ucam-shib-proxy
+```
--- a/ucam-shib-proxy/shib/shibboleth2.xml.template
+++ b/ucam-shib-proxy/shib/shibboleth2.xml.template
@@ -42,7 +42,7 @@
            <!--
            Configures SSO for a default IdP. 
            -->
-            <SSO entityID="https://shib.raven.cam.ac.uk/shibboleth">
+            <SSO entityID="${IDP_METADATA_URL}">
              SAML2 SAML1
            </SSO>

@@ -74,7 +74,7 @@
      
        <!-- Metadata provider -->   
        <MetadataProvider type="XML"
-            uri="https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"
+            uri="${IDP_METADATA_URL}"
            backingFilePath="ucamfederation-idp2-metadata.xml"
            reloadInterval="14400">
        </MetadataProvider>
@@ -99,4 +99,4 @@
    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

-</SPConfig>
\ No newline at end of file
+</SPConfig>