Shibboleth SP3, TCPListener's clientAddress & Kubernetes

Sandro Mathys sandro.mathys at switch.ch
Thu Jan 28 12:56:47 UTC 2021


Hi all,

I'm working on putting a website "secured" with Shibboleth SP3 on Kubernetes, with apache/mod_shibd and shibd running in separate containers and actually separate pods.

For those not familiar with Kubernetes, this is similar to putting apache/mod_shibd on one server and shibd on another server in the same local network.

However, at the time that I'm writing the shibboleth2.xml, I can't be sure about shibd's IP address. What I can rely on, however, is its DNS address – that's the Kubernetes way (well, that or using APIs).

But unfortunately, the TCPListener only accepts an "IP address in decimal dotted notation" for the clientAddress, see [1].

The only real workaround is to call shibd from a script in which I first patch shibboleth2.xml, i.e. look up the DNS address (or make a lookup over one of the Kubernetes APIs) and save the IP address to the config file. That may work, but it's far from ideal.

Would it be possible to enhance the TCPListener to accept a DNS address and have shibd do the lookup instead?

Cheers,
Sandro

[1] https://wiki.shibboleth.net/confluence/display/SP3/TCPListener

--
SWITCH
Sandro Mathys, Managed Applications, Software and Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 55
sandro.mathys at switch.ch, www.switch.ch
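
Added example (not part of the original post, and not Shibboleth project code): a sketch of the workaround described in the message, resolving a DNS name and writing the result into the TCPListener's clientAddress before the daemon starts. The function names and the sample config are constructed for illustration; it assumes Python is available in the container and that exactly one TCPListener carries a clientAddress.

```python
import ipaddress
import os
import re
import shutil
import socket
import tempfile

# Constructed sample, not a real deployment's shibboleth2.xml.
SAMPLE = '<SPConfig>\n  <TCPListener address="0.0.0.0" port="1600" clientAddress="127.0.0.1"/>\n</SPConfig>\n'
# Matches the clientAddress attribute only inside a <TCPListener ...> start tag.
_CLIENT_ADDR = re.compile(r'(<TCPListener\b[^>]*?\bclientAddress=")[^"]*(")')


def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Resolve hostname to exactly one IPv4 address, or raise ValueError."""
    infos = resolver(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    if len(addrs) != 1:
        # Several A records would make the pinned address arbitrary,
        # so fail closed instead of picking one.
        raise ValueError(f"{hostname}: expected 1 IPv4 address, got {addrs}")
    # Only a dotted-decimal IPv4 literal is acceptable for clientAddress.
    return str(ipaddress.IPv4Address(addrs[0]))


def patch_client_address(xml_text, ip):
    """Return xml_text with the TCPListener clientAddress set to ip."""
    ipaddress.IPv4Address(ip)  # never write an unvalidated value into the config
    patched, count = _CLIENT_ADDR.subn(lambda m: m.group(1) + ip + m.group(2), xml_text)
    if count != 1:
        raise ValueError(f"expected one TCPListener clientAddress, found {count}")
    return patched


def patch_file(path, hostname, resolver=socket.getaddrinfo):
    """Patch the config at path via an atomic rename; return the IP written."""
    ip = resolve_ipv4(hostname, resolver)
    with open(path, encoding="utf-8") as fh:
        patched = patch_client_address(fh.read(), ip)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(patched)
    shutil.copymode(path, tmp)  # keep the original file permissions
    os.replace(tmp, path)       # the config is never left half-written
    return ip
```

The address is resolved once, when the script runs, so the process has to be restarted (and the file patched again) if the target's IP changes.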