{"id":39075724,"url":"https://github.com/cloud-gov/deploy-shibboleth","last_synced_at":"2026-01-17T18:26:31.732Z","repository":{"id":38026447,"uuid":"70742596","full_name":"cloud-gov/deploy-shibboleth","owner":"cloud-gov","description":"cloud.gov deployment for Shibboleth.","archived":false,"fork":false,"pushed_at":"2025-12-01T14:37:03.000Z","size":202,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-12-04T03:33:21.093Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-gov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-10-12T21:20:13.000Z","updated_at":"2025-12-01T14:37:05.000Z","dependencies_parsed_at":"2025-04-01T17:29:39.143Z","dependency_job_id":"97d5c4c4-23fe-4b3b-a849-bd1cae572bcc","html_url":"https://github.com/cloud-gov/deploy-shibboleth","commit_stats":null,"previous_names":["cloud-gov/deploy-shibboleth"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cloud-gov/deploy-shibboleth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fdeploy-shibboleth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fdeploy-shibboleth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fdeploy-shibboleth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fdeploy-shibboleth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloud-gov","download_url":"https://codeload.github.com/cloud-gov/deploy-shibboleth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fdeploy-shibboleth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28515471,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-17T18:26:31.629Z","updated_at":"2026-01-17T18:26:31.697Z","avatar_url":"https://github.com/cloud-gov.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cg-deploy-shibboleth\n\nThis is the Concourse deployment pipeline for\n[shibboleth-boshrelease][eighteenf-shibboleth-boshrelease].\n\n[eighteenf-shibboleth-boshrelease]: https://github.com/18F/shibboleth-boshrelease \"18F Shibboleth Boshrelease\"\n\n## Using the UAA database with shibboleth for authentication\n\nFor this deployment of `shibboleth-boshrelease` we're leveraging the UAA\ndatabase to authenticate against the UAA db `user` table and a custom table\nnamed `totp_seed` for joining users with TOTP seed tokens and potentially other\nthings in the future.\n\n### Schema modifications for UAA database\n\nTwo tables are created for Shibboleth to support TOTP authentication and\nmulti-zone Shibboleth HA. These tables modify the `uaadb` directly.\n\n#### TOTP seed table for multi-factor authentication\n\nThe schema for the `totp_seed` table in the UAA database is [here in\ncg-provision][cg-provision-totpseed]. Three columns are required, including the\n`username` and `seed` columns. This allows Shibboleth to leverage the\n[18F/Shibboleth-IdP3-TOTP-Auth][cg-plugin-fork] fork to read and save TOTP seed\ntokens to the UAA database.\n\n```sql\nCREATE TABLE IF NOT EXISTS totp_seed (\n    username varchar(255) PRIMARY KEY,\n    seed varchar(36),\n    backup_code varchar(36)\n)\n```\n\n#### Storage records table for multi-zone Shibboleth HA\n\nThe schema for the `storagerecords` table in the UAA database is [here in\ncg-provision][cg-provision-storagerecords]. This table is used to maintain\nsession state between Shibboleth instances across availability zones.\n\n```sql\nCREATE TABLE storagerecords (\n  context varchar(255) NOT NULL,\n  id varchar(255) NOT NULL,\n  expires bigint DEFAULT NULL,\n  value text NOT NULL,\n  version bigint NOT NULL,\n  PRIMARY KEY (context, id)\n)\n```\n\nFor more information on this, take a look\n[here](https://wiki.shibboleth.net/confluence/display/IDP30/StorageConfiguration#StorageConfiguration-JPAStorageService).\n\n[cg-provision-totpseed]: https://github.com/18F/cg-provision/blob/master/ci/scripts/create-and-update-db.sh#L27 \"GitHub 18F/cg-provision file\"\n[cg-provision-storagerecords]: https://github.com/18F/cg-provision/blob/master/ci/scripts/create-and-update-db.sh#L28 \"GitHub 18F/cg-provision file\"\n[cg-plugin-fork]: https://github.com/18F/Shibboleth-IdP3-TOTP-Auth \"GitHub 18F/Shibboleth-IdP3-TOTP-Auth\"\n\n## Rotating signing and encryption certificates for Shibboleth\n\nUse `bosh interpolate` to generate these certs, e.g. for production:\n\n```shell\nbosh interpolate --vars-file=bosh/varsfiles/production.yml --vars-store=prod-creds.yml bosh/manifest.yml\n```\n\nBe sure to supply the bosh CA (which is also the `default_ca`) either as a vars-file argument or by pasting it into the file `bosh/varsfiles/production.yml`. The new creds will be stored in `prod-creds.yml`. Remove the `BEGIN` and `END` lines from the certs, add these certs to the vars store for shibboleth, and deploy. To finish the rotation, also find and replace these certs in the IdP metadata XML for the respective Cloud Foundry deployment and deploy CF.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fdeploy-shibboleth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-gov%2Fdeploy-shibboleth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fdeploy-shibboleth/lists"}