Shibboleth Identity Provider - Docker Deployments on Apple Silicon & ARM

Posted by Misagh Moayyed on January 19, 2023 · 4 mins read ·

This is a review of how to run the Shibboleth Identity Provider on ARM-based machines (i.e. Apple Silicon) via Docker, and ultimately configure the Shibboleth Identity Provider to delegate authentication requests to an external Apereo CAS server.

This tutorial specifically focuses on:


Internet2 publishes multi-arch Docker images that run on Rocky 8. One could use these images as a base image in a Dockerfile:

FROM i2incommon/shib-idp:4.3.0_20230118_rocky8_multiarch

Local artifacts can always be injected and overlaid into the final image. For example, if you have your configuration inside an idp directory, configuration files can be put and burned into the image as such:

COPY idp/web.xml /opt/shibboleth-idp/edit-webapp/WEB-INF
COPY idp/ /opt/shibboleth-idp/conf/authn
COPY idp/logback.xml /opt/shibboleth-idp/conf
COPY idp/metadata-providers.xml /opt/shibboleth-idp/conf
COPY idp/attribute-filter.xml /opt/shibboleth-idp/conf
COPY idp/sp-metadata.xml /opt/shibboleth-idp/metadata

You may also choose to enable certain modules and plugins. In particular, enabling the External Authentication plugin would be required for integrations with an external CAS server:

RUN ls /opt/shibboleth-idp && \
    chmod +x /opt/shibboleth-idp/bin/*.sh && \
    /opt/shibboleth-idp/bin/"/opt/shibboleth-idp" && \
    /opt/shibboleth-idp/bin/ -e idp.authn.External && \

Shib-CAS AuthN

Shib-CAS AuthN is a Shibboleth IdP external authentication plugin that delegates primary authentication to an external Single Sign On Server using the CAS protocol. The advantage of using this component is the ability to utilize a full range of native CAS protocol features such as renew and gateway, plus the ability to share with CAS the EntityID of the relying application.

The plugin takes advantage of and extends the Shibboleth IdP’s external authentication flow, and consists of several JAR artifacts that bridge the gap between Shibboleth and CAS.

Docker images may choose to build the Shibboleth Identity Provider with the Shib-CAS AuthN plugin as such:

COPY shibcasauthn/no-conversation-state.jsp /opt/shibboleth-idp/edit-webapp
COPY shibcasauthn/cas-client-core-3.6.0.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
COPY shibcasauthn/shib-cas-authenticator-4.3.0.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

Finally, the configuration of the Shib-CAS AuthN as well as instructions for the Shibboleth Identity Provider’s external authentication flow may be defined in as:


idp.authn.flows = External

shibcas.casServerUrlPrefix =
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login

shibcas.serverName = https://localhost:9443

idp.authn.External.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.


I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed