Shibboleth integration
This container is possible to use with internal Midpoint authentification or Shibboleth SSO authentication. We can easily switch between that two authentications with environment variable. Container uses Apache with modul for Shibboleth SP (Service provider). Shibboleth SP comunicates with Shibboleth IDP (Identity provider), which provide confirmation of users identities. Every user has LDAP account and Shibboleth IDP is connected to LDAP server.
For integration between Midpoint and Shibboleth we need enable AJP protocol in Midpoint and to activate SSO profile. Shibboleth integration is configured by setting the following enviroment variables:
| Enviroment variable | Meaning | Default value |
|---|---|---|
ACTIVE_PROFILE |
comma-separated list of active profiles (if we want turn on Shibboleth SSO, we set |
|
SSO_HEADER |
name of header, which contains username of logged user;this username is mapped to |
|
AJP_ENABLED |
enable / disable endpoint for AJP protocol |
|
AJP_PORT |
port of endpoint for AJP protocol |
|
LOGOUT_URL |
absolute logout URL, for example |
Notes
Endpoint for Midpoint is https://localhost:4438/midpoint.
Before logging of user, we have to create LDAP account for him, which Shibboleth IDP use for authentication.
This user has to have also account in Midpoint with same name (UserType.name) as is value of uid in his LDAP account.
We can change value of ACTIVE_PROFILE in /midPoint_container/grouper-midpoint/mp-gr/docker-compose.yml.
Httpd in midpoint-server container contains two possible configurations, One for default security profile in Midpoint an one for profile default,sso which uses Shibboleth SSO.
This configuration is stored in /midPoint_container/grouper-midpoint/mp-gr/midpoint-server/container_files/httpd/possible-conf.