☁️.gov Shibboleth ✈️ Concourse Deployment
# cg-deploy-shibboleth

This is the Concourse deployment pipeline for shibboleth-boshrelease.

## Using the UAA database with shibboleth for authentication

For this deployment of shibboleth-boshrelease we leverage the UAA database: users are authenticated against the UAA db user table, and a custom table named totp_seed joins each user to a TOTP seed token (and potentially other per-user data in the future).

### Schema modifications for UAA database

Two tables are created so that Shibboleth can perform TOTP authentication and run as a multi-zone HA deployment. Both are added directly to the uaadb.

#### TOTP seed table for multi-factor authentication

The schema for the totp_seed table in the UAA database is here in cg-provision. Three columns are required (username, seed and backup_code, as in the schema below). This allows Shibboleth to leverage the 18F/Shibboleth-IdP3-TOTP-Auth fork to read and save TOTP seed tokens in the UAA database.

```sql
CREATE TABLE IF NOT EXISTS totp_seed (
    username varchar(255) PRIMARY KEY,
    seed varchar(36),
    backup_code varchar(36)
);
```
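As an added example (not code from this repository or from the 18F/Shibboleth-IdP3-TOTP-Auth fork), the following Python applies the totp_seed schema above to an in-memory SQLite database and verifies an RFC 6238 code against the stored seed. It assumes the seed column holds the base32-encoded shared secret and tolerates one 30-second step of clock skew.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import time

# Same DDL as the totp_seed schema above, run here on an in-memory SQLite db
# instead of the UAA Postgres database (constructed test environment).
TOTP_SEED_DDL = """
CREATE TABLE IF NOT EXISTS totp_seed (
    username varchar(255) PRIMARY KEY,
    seed varchar(36),
    backup_code varchar(36)
)
"""


def totp_code(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded seed at the given time."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(TOTP_SEED_DDL)
    return conn


def enroll(conn: sqlite3.Connection, username: str, seed_b32: str) -> None:
    # Assumption: seed is stored base32-encoded. INSERT OR REPLACE is SQLite syntax.
    conn.execute("INSERT OR REPLACE INTO totp_seed (username, seed) VALUES (?, ?)",
                 (username, seed_b32))


def verify_totp(conn: sqlite3.Connection, username: str, code: str,
                unix_time: int = None, window: int = 1) -> bool:
    """Accept the code if it matches the current step or one within +/- window steps."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    row = conn.execute("SELECT seed FROM totp_seed WHERE username = ?", (username,)).fetchone()
    if row is None or row[0] is None:
        return False  # unknown user or no seed enrolled: never accept
    for skew in range(-window, window + 1):
        expected = totp_code(row[0], unix_time + skew * 30)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False
```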

#### Storage records table for multi-zone Shibboleth HA

The schema for the storagerecords table in the UAA database is here in cg-provision. This table holds the session state that Shibboleth instances share across availability zones, so that a session started on one instance can be continued on another.

```sql
CREATE TABLE storagerecords (
  context varchar(255) NOT NULL,
  id varchar(255) NOT NULL,
  expires bigint DEFAULT NULL,
  value text NOT NULL,
  version bigint NOT NULL,
  PRIMARY KEY (context, id)
);
```

For more information on this, take a look here.