Docker images for pyFF

Docker is the best thing since sliced bread, and of course pyFF runs on docker. Here is a simple setup for running a metadata aggregator in docker. The steps below assume you have a working docker installation; refer to the docker documentation to get started.

A simple registry

This sets up a simple manual SAML metadata registry: a process that signs and publishes locally sourced SAML metadata. It is useful if you have a number of SPs or IdPs whose metadata you need to publish to external SAML metadata consumers. If you want a UI in front of this, take a look at PEER from Terena, which interfaces nicely with this setup:

# docker pull leifj/pyff
# mkdir -p /opt/pyff/metadata

Next create the following pipeline file (yaml) as /opt/pyff/mdx.fd:

- when update:
    - load:
        - /opt/pyff/metadata
    - break
- when request:
    - select
    - pipe:
        - when accept application/xml:
            - xslt:
                stylesheet: tidy.xsl
            - first
            - finalize:
                cacheDuration: PT5H   # consumers should refresh every 5 hours ...
                validUntil: P10D      # ... and must stop using this aggregate after 10 days
            - sign:
                key: default.key
                cert: default.crt
            - emit application/xml
            - break
        - when accept application/json:
            - xslt:
                stylesheet: discojson.xsl
            - emit application/json
            - break

Now drop some SAML metadata into /opt/pyff/metadata as individual files with an .xml extension. The sign step above references default.key and default.crt: put your signing key and certificate in /opt/pyff under those names, and keep the private key readable only by the container, since anyone who holds it can publish metadata your consumers will trust. Then start the pyff container:

# docker run -e DATADIR=/opt/pyff -v /opt/pyff:/opt/pyff -p 8080:8080 leifj/pyff

Now you should be able to point your browser at localhost:8080 and see your metadata rendered nicely in HTML. If anything is missing, look for syntax errors reported at localhost:8080/about. When you are satisfied with the result, point your browser at localhost:8080/role/sp.xml to fetch the signed SAML metadata aggregate of all SPs. Note that validUntil and cacheDuration come from the finalize step: validUntil bounds how long a captured copy of the aggregate stays acceptable to consumers, so keep it short enough that a revoked entity does not linger, and keep cacheDuration shorter than validUntil.
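Before handing the URL to real consumers it is worth checking the aggregate the way a careful consumer would. The script below is an added example, not part of pyFF or the docker image: it fetches /role/sp.xml (or takes the bytes directly), checks that the root is an EntitiesDescriptor, that validUntil is well-formed and in the future, that cacheDuration is a valid ISO 8601 duration that does not outlive validUntil, and lists the SP entityIDs. It only checks that a ds:Signature element is present; verify the signature itself with xmlsec1 (e.g. xmlsec1 --verify --pubkey-cert-pem default.crt sp.xml) or your consumer's own tooling. The embedded sample aggregate is constructed for the example and is not real pyFF output.

```python
#!/usr/bin/env python3
"""Sanity-check a signed pyFF aggregate (added example; standard library only)."""
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# xs:duration as used for cacheDuration: P[nY][nM][nW][nD][T[nH][nM][nS]]
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(value: str) -> timedelta:
    """Parse an ISO 8601 duration; rejects e.g. 'PT10D' (days must precede the T)."""
    m = _DURATION_RE.match(value)
    if m is None or value in ("P", "PT"):
        raise ValueError("not an ISO 8601 duration: %r" % value)
    g = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    # Years and months have no fixed length; 365/30 days is the usual approximation.
    days = g.get("y", 0) * 365 + g.get("mo", 0) * 30 + g.get("w", 0) * 7 + g.get("d", 0)
    return timedelta(days=days, hours=g.get("h", 0), minutes=g.get("mi", 0), seconds=g.get("s", 0))


def is_valid_duration(value: str) -> bool:
    try:
        parse_duration(value)
        return True
    except ValueError:
        return False


def parse_utc(value: str) -> datetime:
    """Parse an xs:dateTime such as 2030-01-11T00:00:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("validUntil must carry a timezone: %r" % value)
    return dt.astimezone(timezone.utc)


def check_aggregate(xml_bytes: bytes, now: Optional[datetime] = None) -> dict:
    """Raise ValueError if the aggregate must not be used; otherwise report on it."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("unexpected root element %s" % root.tag)

    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("no validUntil: a captured copy could be replayed forever")
    expires = parse_utc(valid_until)
    if expires <= now:
        raise ValueError("aggregate expired at %s" % valid_until)

    cache = root.get("cacheDuration")
    cache_td = parse_duration(cache) if cache is not None else None
    if cache_td is not None and cache_td > expires - now:
        raise ValueError("cacheDuration %s outlives validUntil %s" % (cache, valid_until))

    entities = root.findall("md:EntityDescriptor", NS)
    return {
        "signed": root.find("ds:Signature", NS) is not None,  # presence only, not verified here
        "expires": expires,
        "cache_seconds": int(cache_td.total_seconds()) if cache_td is not None else None,
        "entities": len(entities),
        "sps": [e.get("entityID") for e in entities if e.find("md:SPSSODescriptor", NS) is not None],
    }


# Constructed sample aggregate (not real pyFF output); the Signature element is a stub.
SAMPLE = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    validUntil="2030-01-11T00:00:00Z" cacheDuration="PT5H">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def demo(now_iso: str = "2030-01-01T00:00:00Z") -> dict:
    """Run the check against the constructed sample at a fixed point in time."""
    return check_aggregate(SAMPLE, now=parse_utc(now_iso))


def problem(xml_bytes: bytes, now_iso: str) -> Optional[str]:
    """Return the reason an aggregate is rejected at the given time, or None if it is accepted."""
    try:
        check_aggregate(xml_bytes, now=parse_utc(now_iso))
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/role/sp.xml"
    with urllib.request.urlopen(url, timeout=10) as resp:
        print(check_aggregate(resp.read()))
```

Run it as python3 check_aggregate.py http://localhost:8080/role/sp.xml once the container is up. A malformed duration such as PT10D is rejected by the parser, and an aggregate whose cacheDuration exceeds the time left until validUntil is rejected too, because a consumer honouring the cache hint would otherwise keep using metadata past its expiry.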

Production Considerations

In production you could expose pyFF directly on port 80, but it is much better to put a varnish cache in front of it: pyFF's built-in server then only sees cache misses, and a crowd of consumers refreshing at the same time does not land on the signing pipeline. To do this, start pyff without the -p argument (so it is reachable only from linked containers, not from the host's ports) and add a varnish frontend:

# docker pull leifj/varnish
# docker run -e DATADIR=/opt/pyff -v /opt/pyff:/opt/pyff --name pyff -d leifj/pyff
# docker run -p 80:80 --link pyff:backend -d leifj/varnish

Now you can point your customers to http://your.site/role/sp.xml and they will get signed, nicely cached metadata. Varnish does not terminate TLS, so if you want to serve the aggregate over https, put a TLS terminator in front of it; either way it is the XML signature, not the transport, that consumers should verify. Miller time!