Running Shibboleth SP in Kubernetes

Simon Lundström simlu at
Fri Sep 2 09:23:16 UTC 2022

Hey Spencer!

We have, and while not "cloud native" XD, we did follow the best practice
of using "sidecar containers", i.e. the classic one webserver (Apache in
our case) and one SP per application.

We have one container for Apache and one container for the Shibboleth SP
and they share an emptyDir volume for the shibd.sock. This seemed like
the "cloud native way" to do it, but you can for sure put the webserver and
shibd in the same container.

Our use case (right now) only has the need of one application server (if
it goes down it's OK if Kubernetes just restarts it on another node).

When we'll have multiple application pods we'll probably do the same and
just use sticky sessions in our loadbalancer in Kubernetes (Traefik).
But there's also the possibility of using one webserver and one SP (or
even multiple pairs) and load balancing over multiple application pods.

How I would like it to work (but ain't nobody got time for that!) is
that you only annotate (or use a CRD, which is the popular thing now, but
unnecessary in this case) a deployment or pod with "enable SSO" and an
admission controller adds the Apache and Shib SP containers and
verifies/creates the SP's certs in our Key Management System, which is
integrated with the Kubernetes Secret Store.

I'm sorry for everyone's eye strain injuries (due to excessive eye
rolls when reading this mail) and I hope you all have a great weekend.

- Simon


Simon Lundström

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden

On Thu, 2022-09-01 at 16:14:24 +0200, Spencer Thomas via users wrote:
> Just wondering if anyone here has deployed the SP into Kubernetes. Right now we are deploying onto a Debian instance in AWS EC2. I guess one option is just to make a fairly heavyweight container that replicates that deployment. But I’m interested to hear if anyone has come up with a more “Kubernetes native” implementation.
> --
> Spencer Thomas
> Technical Architect
> 301 E. Liberty St, Suite 250, Ann Arbor, MI 48104
> Email: Spencer.Thomas at
> Voicemail: +1-734-887-7004

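The sidecar layout Simon describes (one Apache container, one shibd container, an emptyDir shared for shibd.sock), written out as a Kubernetes Deployment. This is an added example, not a manifest from the post, from Stockholm University or from the Shibboleth project. The image names, the ConfigMap and Secret names, the fsGroup value and the assumption that shibboleth2.xml's UnixListener resolves to /var/run/shibboleth/shibd.sock are all assumptions made for the example.

```yaml
# Added example: Apache/mod_shib plus a shibd sidecar sharing one emptyDir
# for the listener socket. Image names, ConfigMap/Secret names, the fsGroup
# and the socket directory are assumed, not taken from the post.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-sso
spec:
  replicas: 1              # one pod for now; with more, add sticky sessions at the ingress
  selector:
    matchLabels:
      app: myapp-sso
  template:
    metadata:
      labels:
        app: myapp-sso
    spec:
      # Assumed: both images run their daemon with a common supplementary
      # GID, so fsGroup lets Apache connect to the socket shibd creates.
      securityContext:
        fsGroup: 1000
      containers:
      - name: apache
        image: registry.example.org/apache-mod-shib:latest   # assumed image
        ports:
        - containerPort: 80
        volumeMounts:
        - name: shib-run            # shibd.sock lives here; mod_shib connects to it
          mountPath: /var/run/shibboleth
        - name: shib-config         # shibboleth2.xml etc.; mod_shib reads it to find the socket
          mountPath: /etc/shibboleth
          readOnly: true
        readinessProbe:
          httpGet:
            path: /
            port: 80
      - name: shibd
        image: registry.example.org/shibboleth-sp:latest     # assumed image
        volumeMounts:
        - name: shib-run
          mountPath: /var/run/shibboleth
        - name: shib-config
          mountPath: /etc/shibboleth
          readOnly: true
        # The SP private key is mounted only into shibd: it does the SAML
        # signing and decryption, so the web server never needs the key.
        - name: sp-keys
          mountPath: /etc/shibboleth/keys
          readOnly: true
      volumes:
      - name: shib-run
        emptyDir:
          medium: Memory          # holds only the socket; nothing must survive a restart
      - name: shib-config
        configMap:
          name: shib-config       # assumed ConfigMap with shibboleth2.xml, attribute-map.xml
      - name: sp-keys
        secret:
          secretName: sp-keys     # assumed Secret holding sp-key.pem and sp-cert.pem
          defaultMode: 0440       # group-readable so the fsGroup-bearing shibd user can read it
```

Two things to check when adapting this: the socket directory must be writable by the user shibd runs as and readable by the Apache user (the shared fsGroup above is one way to get there), and the key Secret should stay out of the Apache container entirely, which is what the asymmetric mounts do. Once replicas is raised above 1, each pod has its own shibd session cache, so the sticky sessions Simon mentions at the load balancer (or a shared storage service for the SP) are needed to keep a user's session on the pod that created it.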
