I'm in the process of moving an application that currently uses Shibboleth authentication from a virtual machine to Kubernetes and I need some advice on the best architecture to implement during this transition. Right now, I have Shibboleth Service Provider and Apache running on a VM, which handles user authentication and then passes the user identity attributes as headers to my backend application running on the same VM. This setup works well, but with the migration to Kubernetes (AKS), I'm trying to figure out how to maintain functionality while ensuring a clean architecture.
My thought process involves keeping the Shibboleth instance on the VM as an authentication gateway that proxies authenticated requests to my Kubernetes application and still sends along the necessary headers. To manage networking, I plan to keep the Shibboleth VM public while keeping the Kubernetes app private, and I'm considering using VNet peering along with an internal LoadBalancer or ingress for secure access.
I have a few questions:
1. Is it a good idea to keep Shibboleth outside of Kubernetes as the auth gateway for a long-term solution?
2. Has anyone successfully implemented a similar pattern with Shibboleth on a VM and a Kubernetes backend?
3. Are there alternative strategies for integrating Shibboleth with Kubernetes, such as running the Service Provider within the cluster or using an auth proxy?
I'd really appreciate hearing how others have handled SAML and Shibboleth authentication with their Kubernetes workloads. Thanks!
3 Answers
Your approach of using Apache and Shibboleth on a VM as an auth gateway is pretty common and works well. It's efficient since you’re already comfortable with it. If you decide to transition everything into AKS, think about using a pod with both Shibboleth and Apache in separate containers. Or, you can build a custom image that combines them. Helm can make deployments easier too. Just ensure your service blocks any header injection, as that’s crucial for security.
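The header-injection point above is the one that bites in this VM-to-AKS pattern: once the backend trusts identity headers from the Shibboleth gateway, it must refuse the same headers from anyone else. The WSGI middleware below is an added example (not code from the answerer or from Shibboleth) that keeps the identity headers only when the request came from a trusted gateway network and, optionally, carries a shared-secret header; the header names, the `X-Gateway-Token` header and the network ranges are assumptions for illustration.

```python
import hmac
import ipaddress

# WSGI-form names of the attribute headers the Shibboleth SP / Apache gateway is
# assumed to forward; the SP's attribute map decides the real names in a deployment.
IDENTITY_HEADERS = ("HTTP_REMOTE_USER", "HTTP_EPPN", "HTTP_AFFILIATION", "HTTP_DISPLAYNAME")
GATEWAY_TOKEN_HEADER = "HTTP_X_GATEWAY_TOKEN"  # assumed shared-secret header name


def _from_trusted_gateway(environ, networks, token):
    """True only if the peer address lies in a trusted network and, when a
    token is configured, the shared-secret header matches (constant time)."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:  # missing or malformed address: never trust
        return False
    if not any(peer in net for net in networks):
        return False
    if token is None:
        return True
    supplied = environ.get(GATEWAY_TOKEN_HEADER, "")
    return hmac.compare_digest(supplied.encode(), token.encode())


def filter_identity_headers(environ, gateway_networks, gateway_token=None):
    """Return a copy of the WSGI environ in which identity headers survive only
    when the request verifiably came from the Shibboleth gateway; otherwise any
    client-supplied copies are dropped before the application sees them."""
    networks = [ipaddress.ip_network(n, strict=False) for n in gateway_networks]
    cleaned = dict(environ)
    if not _from_trusted_gateway(environ, networks, gateway_token):
        for name in IDENTITY_HEADERS:
            cleaned.pop(name, None)
    cleaned.pop(GATEWAY_TOKEN_HEADER, None)  # never expose the secret downstream
    return cleaned


class TrustedGatewayMiddleware:
    """WSGI wrapper that applies filter_identity_headers before the real app runs."""

    def __init__(self, app, gateway_networks, gateway_token=None):
        self.app = app
        self.gateway_networks = gateway_networks
        self.gateway_token = gateway_token

    def __call__(self, environ, start_response):
        environ = filter_identity_headers(environ, self.gateway_networks, self.gateway_token)
        return self.app(environ, start_response)
```

In AKS, `REMOTE_ADDR` as seen by the pod is often the internal load balancer or ingress rather than the VM, so trust the address the pod actually observes and have the ingress strip these headers from client traffic as well.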
Running Shibboleth and Apache in Kubernetes is a solid option. You’d get everything containerized, which simplifies management. If you're looking for specific steps, start with creating a pod that includes both Shibboleth Service Provider and Apache. This way, they can easily communicate and handle authentication directly within your AKS environment.
I’ve seen many teams opt to keep the Shibboleth SP on a VM while proxying to Kubernetes, especially since your app already trusts those headers. If your network security is sorted out with VNet peering, this hybrid setup can be stable. In the future, consider moving the SP inside the cluster, or explore using an external auth proxy. For monitoring during migration, tools like CubeAPM with OpenTelemetry help track performance effectively.