
Shibboleth in K8

  2026-03-19

  Edited: 2026-04-13

Had to do this for something. Essentially, there is an application which requires SSO, so Shibboleth SP has to be deployed alongside it to handle authentication. There are two main ways I think this could be done:

  1. Sidecar: run alongside the proxy
  2. Standalone: run in its own container with a running shibd and proxy

Going with the second option feels cleaner (more microservice-like) but needs some weird routing. I got confused on the routing, to be honest...

I am pretty sure everything here except for the last one is a bad idea, as we generally want the auth step to be the first step, since it acts like a guard. The last one is pretty good, but my reasoning was that at that point you might as well just merge the proxies and go with the sidecar route.

The sidecar container has one less proxy hop, which is nice. I am also not sure in what case we would need to scale the shib-sp container separately from the proxy container, so having them scale together is probably not a bad idea. If we do scale the pod up, Ingress/Route supports sticky sessions, so we can just run multiple of these server + shib-sp pods.

References on configuring Shibboleth SP

Note that when running in two separate containers, you have to share the shibd socket, like below. Mount the socket directory as a volume, not the socket file itself: mounting the file path pre-creates that path before shibd starts, and shibd then fails because it cannot create its socket there.

# snip ...
containers:
  - name: proxy
    volumeMounts:
      - name: shib-socket
        mountPath: /var/run/shibboleth/
initContainers:
  - name: shib-sp
    # Setting restartPolicy: Always makes this a sidecar container.
    restartPolicy: Always
    volumeMounts:
      - name: shib-socket
        mountPath: /var/run/shibboleth/
volumes:
  - name: shib-socket
    emptyDir: {}
# snip ...
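As an added check (not part of the original note), here is a small Python linter for this pattern: it takes the pod spec above, transcribed into a dict, and flags the mistakes described in this note: the socket mounted as a file rather than a directory, shib-sp in initContainers without restartPolicy: Always (a plain init container that would never let the proxy start), and the two containers disagreeing on the mount path. The container and volume names and the ".sock" suffix heuristic are assumptions.

```python
SOCKET_DIR = "/var/run/shibboleth/"  # assumed shibd socket directory, as in the note

# Constructed pod spec, transcribed from the YAML snippet above.
POD_SPEC = {
    "containers": [
        {"name": "proxy",
         "volumeMounts": [{"name": "shib-socket", "mountPath": SOCKET_DIR}]},
    ],
    "initContainers": [
        {"name": "shib-sp", "restartPolicy": "Always",
         "volumeMounts": [{"name": "shib-socket", "mountPath": SOCKET_DIR}]},
    ],
    "volumes": [{"name": "shib-socket", "emptyDir": {}}],
}


def lint_shib_socket(spec, proxy="proxy", shib="shib-sp", volume="shib-socket"):
    """Return a list of problems; an empty list means the shared-socket setup is sound."""
    problems = []
    inits = spec.get("initContainers", [])
    by_name = {c["name"]: c for c in spec.get("containers", []) + inits}
    if volume not in {v["name"] for v in spec.get("volumes", [])}:
        problems.append(f"volume {volume} is not declared")
    # An init container without restartPolicy: Always is not a sidecar: it must
    # run to completion first, so a long-lived shibd there blocks the proxy.
    shib_c = by_name.get(shib)
    if shib_c in inits and shib_c.get("restartPolicy") != "Always":
        problems.append(f"{shib} is an init container without restartPolicy: Always")
    paths = {}
    for name in (proxy, shib):
        mounts = (by_name.get(name) or {}).get("volumeMounts", [])
        mount = next((m for m in mounts if m.get("name") == volume), None)
        if mount is None:
            problems.append(f"{name} does not mount {volume}")
            continue
        # Mounting the socket file itself (or via subPath) pre-creates that path,
        # so shibd cannot create its socket there. The ".sock" check is a heuristic.
        if "subPath" in mount or mount["mountPath"].endswith(".sock"):
            problems.append(f"{name} mounts {volume} at a file path, not a directory")
        paths[name] = mount["mountPath"].rstrip("/")
    # Both sides must agree on the directory, or mod_shib and shibd look in different places.
    if len(set(paths.values())) > 1:
        problems.append(f"{proxy} and {shib} mount {volume} at different paths")
    return problems
```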

Not too bad. Configuring Shibboleth and its millions of files is probably the worst part.

Configuration: