Deploy Shibboleth IdP with Docker Compose and mount configuration/certificate volumes. This guide focuses on deploying Shibboleth IDP v5.x in containerized environments.
There are several options for running Shibboleth IDP in Docker:
- `janssenproject/shibboleth:<version>`

```yaml
version: '3.8'

services:
  shibboleth-idp:
    image: janssenproject/shibboleth:5.1.6
    container_name: shibboleth-idp
    restart: unless-stopped
    environment:
      - CN_HOSTNAME=idp.example.com
      - CN_AUTH_SERVER_URL=https://auth.example.com
      - CN_CONFIG_ADAPTER=consul
      - CN_CONSUL_HOST=consul:8500
      - CN_SECRET_ADAPTER=vault
      - CN_VAULT_URL=http://vault:8200
      - SHIBBOLETH_ENTITY_ID=https://idp.example.com/idp/shibboleth
    ports:
      # IdP listener, published on the host alongside the nginx proxy
      - "8080:8080"
    volumes:
      # Configuration and key material are mounted read-only
      - ./config:/etc/shibboleth:ro
      - ./certs:/etc/certs:ro
      # Writable so logs persist on the host
      - ./logs:/opt/shibboleth-idp/logs
    depends_on:
      - consul
      - vault
    networks:
      - idp-network

  # Reverse proxy for TLS termination
  nginx:
    image: nginx:alpine
    container_name: idp-nginx
    restart: unless-stopped
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ssl/certs:/etc/ssl/certs:ro
      - ./ssl/private:/etc/ssl/private:ro
    depends_on:
      - shibboleth-idp
    networks:
      - idp-network

networks:
  idp-network:
    driver: bridge

volumes:
  config:
  certs:
  logs:
```

| Variable | Description | Required |
|---|---|---|
| CN_HOSTNAME | IDP hostname (should match SSL certificate) | Yes |
| CN_AUTH_SERVER_URL | Janssen Auth Server URL (if using Janssen image) | Conditional |
| CN_CONFIG_ADAPTER | Configuration adapter (consul/kubernetes) | Yes |
| CN_CONSUL_HOST | Consul server address | If using Consul |
| CN_SECRET_ADAPTER | Secret adapter (vault/kubernetes) | Yes |
| CN_VAULT_URL | Vault server URL | If using Vault |
| SHIBBOLETH_ENTITY_ID | IDP Entity ID (defaults to https://hostname/idp/shibboleth) | No |
| SHIBBOLETH_SCOPE | IDP scope for attributes | No |

- `./config:/etc/shibboleth` - Mount point for Shibboleth configuration files
- `./certs:/etc/certs` - Mount point for SSL certificates and private keys
- `./logs:/opt/shibboleth-idp/logs` - Mount point for log files (for persistence)

latest

After deployment, verify:

https://your-domain/idp/shibboleth)

If used with privacyIDEA, run MFA flow tests after each container update.
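
A pre-deployment lint for the Compose services in this guide, as an added example that is not part of the original page or of the Janssen project: it flags host-published ports other than the proxy's, `/etc` mounts without `:ro`, `latest` or untagged images, and `http://` values in `*_URL` variables. The rule names, `SAMPLE`, and the assumption that only the nginx proxy should face clients are this example's own.

```python
# SAMPLE mirrors this page's services, trimmed to the keys read (constructed input).
SAMPLE = {
    "shibboleth-idp": {
        "image": "janssenproject/shibboleth:5.1.6",
        "environment": ["CN_VAULT_URL=http://vault:8200"],
        "ports": ["8080:8080"],
        "volumes": ["./config:/etc/shibboleth:ro", "./certs:/etc/certs:ro",
                    "./logs:/opt/shibboleth-idp/logs"],
    },
    "nginx": {
        "image": "nginx:alpine",
        "ports": ["443:443", "80:80"],
        "volumes": ["./nginx/nginx.conf:/etc/nginx/nginx.conf:ro",
                    "./ssl/private:/etc/ssl/private:ro"],
    },
}

PROXY_PORTS = {"80", "443"}       # assumption: only the TLS proxy faces clients
LOOPBACK = {"127.0.0.1", "::1"}   # host binds that stay off the network


def lint_services(services):
    """Return sorted (service, rule, detail) findings for a 'services' mapping."""
    findings = []
    for name, svc in services.items():
        image = svc.get("image", "")
        last = image.rsplit("/", 1)[-1]            # skip a registry host:port
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            findings.append((name, "unpinned-image", image))
        for port in map(str, svc.get("ports", [])):
            parts = port.split("/")[0].rsplit(":", 2)   # [host_ip:][host:]container
            host_ip = parts[0].strip("[]") if len(parts) == 3 else ""
            if parts[-1] not in PROXY_PORTS and host_ip not in LOOPBACK:
                findings.append((name, "port-bypasses-proxy", port))
        for vol in svc.get("volumes", []):
            fields = vol.split(":")                # source:target[:mode]
            modes = fields[2].split(",") if len(fields) > 2 else []
            if len(fields) > 1 and fields[1].startswith("/etc/") and "ro" not in modes:
                findings.append((name, "writable-etc-mount", vol))
        for item in svc.get("environment", []):    # list form, as on this page
            key, _, value = item.partition("=")
            if key.endswith("_URL") and value.startswith("http://"):
                findings.append((name, "plaintext-url", item))
    return sorted(findings)


if __name__ == "__main__":
    print(*lint_services(SAMPLE), sep="\n")
```

On the services from this page it reports the `8080:8080` mapping and `CN_VAULT_URL=http://vault:8200`; binding the IdP port to `127.0.0.1` (or dropping the mapping) and using an `https://` Vault URL clears both.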