You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
> Effective immediately [2025-07-18], Intel will no longer provide security patches, updates, or maintenance for Clear Linux OS, and the Clear Linux OS GitHub repository will be archived in read-only mode. So, if you’re currently using Clear Linux OS, we strongly recommend planning your migration to another actively maintained Linux distribution as soon as possible to ensure ongoing security and stability.
Copy file name to clipboardExpand all lines: satosa/README.md
+7-15Lines changed: 7 additions & 15 deletions
Original file line number
Diff line number
Diff line change
@@ -14,10 +14,6 @@ WARNING:
14
14
15
15
-->
16
16
17
-
# **DEPRECATION NOTICE**
18
-
19
-
This image is deprecated due to maintainer inactivity (last updated Dec 2023; [docker-library/official-images#15964](https://github.com/docker-library/official-images/pull/15964)).
20
-
21
17
# Quick reference
22
18
23
19
-**Maintained by**:
@@ -67,9 +63,7 @@ SATOSA is a configurable proxy for translating between different authentication
The entrypoint script outputs SAML2 metadata to the container log at start time. This metadata refers to the instance's base URL, e.g., `https://example.com`. Browsers must be able to access the instance over HTTPS.
87
81
88
-
# How to extend this image
89
-
90
82
## Configuration files
91
83
92
84
The `satosa` image stores its configuration in /etc/satosa. This configuration must persist among instances, particularly the SAML2 entity ID (derived from the proxy's base URL by default) and related keying material. [Use volumes, bind mounts, or custom images](https://docs.docker.com/storage/) to maintain this configuration.
The entrypoint script uses environment variables to generate the initial configuration, which sets SATOSA up as a SAML2 proxy between the free [SAMLtest.ID](https://samltest.id/) test service provider and test identity provider. All of the environment variables are optional.
106
+
The entrypoint script uses environment variables to generate the initial configuration, which requires customization. All of the environment variables are **OPTIONAL**.
115
107
116
-
The environment variables' values can be read from [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). Append `_FILE` to the variable name (e.g., `STATE_ENCRYPTION_KEY_FILE`), and set it to the pathname of the corresponding secret (e.g., `/run/secrets/state_encryption_key`).
108
+
Environment variables' values can be read from [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). Append `_FILE` to the variable name (e.g., `STATE_ENCRYPTION_KEY_FILE`), and set it to the pathname of the corresponding secret (e.g., `/run/secrets/state_encryption_key`).
117
109
118
110
### `BASE_URL`
119
111
120
-
SATOSA must be hosted at the root of the website. This environment variable optionally specifies the website's base URL, which defaults to `http://example.com`. If set, the base URL *must* be a method plus a hostname without any trailing slash or path components, e.g., `https://idproxy.example.com`, not `https://idproxy.example.com/` nor `https://idproxy.example.com/satosa`.
112
+
SATOSA **MUST** be hosted at the root of the website. This environment variable specifies the website's base URL, which defaults to `http://example.com`. If set, the base URL *must* be a method plus a hostname without any trailing slash or path components, e.g., `https://idproxy.example.com`, not `https://idproxy.example.com/` nor `https://idproxy.example.com/satosa`.
121
113
122
114
### `STATE_ENCRYPTION_KEY`
123
115
124
116
SATOSA uses encrypted cookies to track the progress of an authentication flow. This environment variable optionally sets the state cookies' encryption key. If set, the state encryption key *must* be an alphanumeric value, e.g., `12345SameAsMyLuggage`. If not specified, a new random 32-character key will be generated.
125
117
126
118
### `SAML2_BACKEND_DISCO_SRV`
127
119
128
-
When part of a SAML2 multilateral federation, SATOSA will ask the user to choose an identity provider using a SAML discovery service. This environment variable optionally sets the discovery service URL, which defaults to [SeamlessAccess](https://seamlessaccess.org/).
120
+
When part of a SAML trust federation, SATOSA will ask the user to choose an identity provider using a SAML discovery service. This environment variable sets the discovery service URL, which defaults to [SeamlessAccess](https://seamlessaccess.org/).
129
121
130
122
### `SAML2_BACKEND_CERT` and `SAML2_BACKEND_KEY`
131
123
132
-
SATOSA's SAML2 backend acts like a service provider (relying party), requesting authentication by and attributes from the user's identity provider. It uses public key cryptography to sign authentication requests and decrypt responses. These optional environment variables hold the backend's paired public and private keys in [the PEM format](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail). If not specified, a new 2048-bit RSA key-pair will be generated using the hostname part of `BASE_URL`.
124
+
SATOSA's default SAML back-end microservice acts like a service provider (relying party), requesting authentication by and attributes from the user-selected identity provider. The microservice uses public key cryptography to sign authentication requests and decrypt responses. These environment variables provide the requisite keying material in [the PEM format](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail). If not specified, a new 2048-bit RSA key-pair will be generated using the hostname part of `BASE_URL`.
133
125
134
126
### `SAML2_FRONTEND_CERT` and `SAML2_FRONTEND_KEY`
135
127
136
-
SATOSA's SAML2 frontend acts like an identity provider (credential service provider), processing authentication requests from and returning user attributes to trusted websites. It uses public key cryptography to sign authentication responses. These optional environment variables hold the frontend's paired public and private keys, also in the PEM format. If not specified, a new 2048-bit RSA key-pair will be generated using the hostname part of `BASE_URL`.
128
+
SATOSA's default SAML front-end microservice acts like an identity provider (credential service provider), processing authentication requests from and returning user attributes to trusted websites. It uses public key cryptography to sign authentication responses. These environment variables provide the requisite keying material, also in the PEM format. If not specified, a new 2048-bit RSA key-pair will be generated using the hostname part of `BASE_URL`.
0 commit comments