Shibboleth integration

Last modified 10 Mar 2021 15:54 +01:00

This container can be used either with internal midPoint authentication or with Shibboleth SSO authentication, and we can switch between the two with an environment variable. The container uses Apache httpd with the Shibboleth SP (Service Provider) module. The Shibboleth SP communicates with the Shibboleth IdP (Identity Provider), which confirms the identity of users. Every user has an LDAP account, and the Shibboleth IdP is connected to the LDAP server.

For integration between midPoint and Shibboleth we need to enable the AJP protocol in midPoint and to activate the SSO profile. Shibboleth integration is configured by setting the following environment variables:

| Environment variable | Meaning | Default value |
|---|---|---|
| ACTIVE_PROFILE | comma-separated list of active profiles (to turn on Shibboleth SSO, set it to default,sso) | |
| | name of the header that contains the username of the logged-in user; this username is mapped to (unique identifier) | |
| | enable / disable the endpoint for the AJP protocol | |
| | port of the endpoint for the AJP protocol | |
| | absolute logout URL, for example https://localhost/Shibboleth.sso/Logout | |

Endpoint for Midpoint is https://localhost:4438/midpoint.

Before a user can log in, we have to create an LDAP account for him, which the Shibboleth IdP uses for authentication. This user also has to have an account in midPoint with the same name (as the value of uid in his LDAP account).

We can change the value of ACTIVE_PROFILE in /midPoint_container/grouper-midpoint/mp-gr/docker-compose.yml.

Httpd in the midpoint-server container contains two possible configurations: one for the default security profile in midPoint and one for the profile default,sso, which uses Shibboleth SSO. These configurations are stored in /midPoint_container/grouper-midpoint/mp-gr/midpoint-server/container_files/httpd/possible-conf.
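The following httpd virtual host is an added illustration of what the SSO configuration has to do: protect /midpoint with the Shibboleth SP module, hand the asserted username to midPoint in a header, and forward the request over AJP. It is not one of the project's possible-conf files. The host name, certificate paths, AJP port 8009 and the header name X-Remote-User are assumptions; in the container they come from the environment variables listed above.

```apache
# Added example, not the project's own httpd configuration.
# Host names, ports, certificate paths and the header name are assumptions.
<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/midpoint.crt    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/midpoint.key  # assumed path

    # Shibboleth SP handler: /Shibboleth.sso/Logout is the logout URL
    # referenced by the logout environment variable above.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Drop any client-supplied copy of the username header before the SP
    # sets it, so a browser cannot present an identity of its own choosing.
    RequestHeader unset X-Remote-User early

    <Location /midpoint>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        # Pass the SP-asserted identity to midPoint in the header named by the
        # container's header variable (X-Remote-User is assumed here).
        # expr= syntax needs httpd 2.4.10 or newer.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    </Location>

    # AJP proxy to the midPoint application server (port 8009 assumed).
    ProxyPass        /midpoint ajp://localhost:8009/midpoint
    ProxyPassReverse /midpoint ajp://localhost:8009/midpoint
</VirtualHost>
```

Because midPoint trusts whatever arrives in the username header, the AJP port must be reachable only from httpd (keep it on the container network, never published to the host), and only the single header midPoint expects should be set; the SP's ShibUseHeaders directive is best left at its default of Off so that the other attributes do not leak into the request as spoofable headers.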