SAML Certificate and Key with Docker Container

Ian Young ian at
Tue May 5 15:47:47 UTC 2020

> On 2020-05-05, at 16:05, David Wen Riccardi-Zhu <davidwen.riccardizhu at> wrote:
> My Dockerfile installs Apache and Shibboleth, copies over the SAML certificate and key into the container, and finally starts the Shibboleth daemon and httpd service.

I'm not clear exactly what you're doing here. Dockerfiles are normally used to generate images which are then stored in a repository, rather than being used as the way to deploy a service directly. There's a grey area, though, because doing a `docker build` does cause the Dockerfile to run the commands in a container. I guess you _can_ use that as a deployment technique, but it's very unusual. 

> I do this to make sure that the autogenerated keys on installation don't replace the ones currently in use, if the container gets restarted.

This sounds as if you're installing Apache and Shibboleth on container startup: again, the normal process is to do that installation as part of the creation of the image, not on container startup. My apologies if I've misunderstood what you're saying here.

> I'm wondering if I'm missing anything with this approach.

Clarifying the above might help us understand this better.

> I've come across some documentation discussing rollovers, as well as generating a new certificate and key daily. Is that seen as a best practice, or am will my approach work?

Generating a new SAML key every day would not be seen as a best practice. Doing that would require you to perform a key roll-over every day, which requires getting the new metadata to every IdP using the SP every day. Not good.

The usual approach would be to keep one, long-lived key, but acquire it from a secrets store at runtime rather than building it in statically.

Hope that helps,

    -- Ian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3883 bytes
Desc: not available
URL: <>

More information about the users mailing list