SAML Certificate and Key with Docker Container
David Wen Riccardi-Zhu
davidwen.riccardizhu at gooduncle.com
Tue May 5 16:06:48 UTC 2020
> Generating a new SAML key every day would not be seen as a best practice.
> Doing that would require you to perform a key roll-over every day, which
> requires getting the new metadata to every IdP using the SP every day. Not
> good.
>
> The usual approach would be to keep one, long-lived key, but acquire it
> from a secrets store at runtime rather than building it in statically.
>
Thank you -- this is what I was looking for. The rest is as you surmised --
installation is happening in the Dockerfile, the image that's built from
that is what gets run. We'll be using AWS Secrets Manager to pass things in
-- but in testing now, the main point was to re-use one cert and key,
rather than new ones for every build of the image.
On Tue, May 5, 2020 at 3:48 PM Ian Young <ian at iay.org.uk> wrote:
>
> On 2020-05-05, at 16:05, David Wen Riccardi-Zhu <
> davidwen.riccardizhu at gooduncle.com> wrote:
>
> > My Dockerfile installs Apache and Shibboleth, copies over the SAML
> > certificate and key into the container, and finally starts the Shibboleth
> > daemon and httpd service.
>
> I'm not clear exactly what you're doing here. Dockerfiles are normally
> used to generate images which are then stored in a repository, rather than
> being used as the way to deploy a service directly. There's a grey area,
> though, because doing a `docker build` does cause the Dockerfile to run the
> commands in a container. I guess you _can_ use that as a deployment
> technique, but it's very unusual.
>
> > I do this to make sure that the autogenerated keys on installation don't
> > replace the ones currently in use, if the container gets restarted.
>
> This sounds as if you're installing Apache and Shibboleth on container
> startup: again, the normal process is to do that installation as part of
> the creation of the image, not on container startup. My apologies if I've
> misunderstood what you're saying here.
>
> > I'm wondering if I'm missing anything with this approach.
>
> Clarifying the above might help us understand this better.
>
> > I've come across some documentation discussing rollovers, as well as
> > generating a new certificate and key daily. Is that seen as a best
> > practice, or will my approach work?
>
> Generating a new SAML key every day would not be seen as a best practice.
> Doing that would require you to perform a key roll-over every day, which
> requires getting the new metadata to every IdP using the SP every day. Not
> good.
>
> The usual approach would be to keep one, long-lived key, but acquire it
> from a secrets store at runtime rather than building it in statically.
>
> Hope that helps,
>
> -- Ian
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
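The approach the thread settles on (one long-lived SP key, pulled from a secrets store when the container starts rather than baked into the image or regenerated per build) can be implemented as a container entrypoint. The script below is an added example, not code from the thread or from the Shibboleth project: the secret ids, the `/etc/shibboleth` file names, the `shibd`/`httpd` command lines and the `shibd` service account are assumptions for illustration. It fetches the key and certificate through the AWS CLI, checks that each is a PEM block of the expected type, installs them atomically with the private key readable only by its owner, and refuses to start if either secret is malformed, so a misconfigured secret fails loudly instead of letting the installation's self-generated keys silently take over.

```shell
#!/bin/sh
# Added example: container entrypoint that fetches the SP's one long-lived
# SAML key and certificate from a secrets store at start-up instead of
# baking them into the image. Secret ids, file paths, user name and the
# daemon command lines are assumptions, not Shibboleth defaults.
set -eu
# Do not enable `set -x` here: it would echo the private key into the logs.

SP_KEY_SECRET_ID="${SP_KEY_SECRET_ID:-shibboleth/sp-signing-key}"    # assumed id
SP_CERT_SECRET_ID="${SP_CERT_SECRET_ID:-shibboleth/sp-signing-cert}" # assumed id
SHIB_DIR="${SHIB_DIR:-/etc/shibboleth}"
SHIB_USER="${SHIB_USER:-shibd}"                                      # assumed account

# fetch_secret SECRET_ID: print the secret string to stdout.
# Default backend is AWS Secrets Manager via the AWS CLI; redefine this
# function to read from another store (a self-test can stub it the same way).
fetch_secret() {
    aws secretsmanager get-secret-value --secret-id "$1" \
        --query SecretString --output text
}

# pem_block_ok PEM LABEL: succeed only if PEM carries matching BEGIN/END
# lines for LABEL ("PRIVATE KEY" or "CERTIFICATE"), so a key and a cert
# that were swapped or truncated in the secrets store are caught early.
pem_block_ok() {
    printf '%s\n' "$1" | grep -q "^-----BEGIN .*$2-----$" &&
    printf '%s\n' "$1" | grep -q "^-----END .*$2-----$"
}

# install_pem PEM DEST MODE: write PEM to DEST atomically with MODE. The
# temp file is created under umask 077 so the key is never world-readable,
# even for an instant; ownership goes to the shibd account when running as root.
install_pem() {
    pem="$1"; dest="$2"; mode="$3"
    tmp="$dest.tmp.$$"
    ( umask 077; printf '%s\n' "$pem" > "$tmp" )
    chmod "$mode" "$tmp"
    if [ "$(id -u)" -eq 0 ] && id "$SHIB_USER" >/dev/null 2>&1; then
        chown "$SHIB_USER" "$tmp"
    fi
    mv -f "$tmp" "$dest"
}

# install_sp_credentials: fetch, validate and install key + cert.
# Returns non-zero and installs nothing if either secret is not valid PEM.
install_sp_credentials() {
    key="$(fetch_secret "$SP_KEY_SECRET_ID")" || return 1
    cert="$(fetch_secret "$SP_CERT_SECRET_ID")" || return 1
    pem_block_ok "$key" "PRIVATE KEY" || { echo "key secret is not a PEM private key" >&2; return 1; }
    pem_block_ok "$cert" "CERTIFICATE" || { echo "cert secret is not a PEM certificate" >&2; return 1; }
    mkdir -p "$SHIB_DIR"
    install_pem "$key" "$SHIB_DIR/sp-key.pem" 0600    # private: owner-only
    install_pem "$cert" "$SHIB_DIR/sp-cert.pem" 0644  # public: world-readable
}

# file_mode PATH: print the octal permission bits (GNU or BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Dockerfile: ENTRYPOINT ["/entrypoint.sh"] and CMD ["start"]. Only the
# "start" argument launches the daemons, so the functions above can be
# sourced and exercised without starting anything.
if [ "${1:-}" = "start" ]; then
    install_sp_credentials
    shibd -F &               # assumed: shibd in the foreground, backgrounded here
    exec httpd -DFOREGROUND  # assumed: Apache runs as PID 1
fi
```

The key and certificate paths must match the `<CredentialResolver>` entries in `shibboleth2.xml`, and the certificate in the secret must be the one already published in the SP metadata every IdP holds, which is exactly why the same pair is reused across image builds rather than regenerated.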