This page will give you guidance on using the MIRACL Trust SSO Docker image. To get the
miracl/sso image that is referenced in the following section, please contact MIRACL.
These instructions assume that you already followed the Installation / Quick Start instructions and learned how to successfully configure your SSO with a Service Provider.
The following environment variables are available when using Docker:
MIRACLSSO_CONFIGPATH - sets the configuration file to start the service with MIRACLSSO_LOGLEVEL - sets the Log level to be one of EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO or DEBUG MIRACLSSO_DUMP - if set to JSON or YAML, outputs the full configuration, if set to SCHEMA - outputs the JSON schema
Docker quick guide
What follows is a quick step-by-step guide to getting a test Docker container running, which should give you an understanding of the necessary components and what command line options need to be passed in order to run the MIRACL Trust SSO docker image.
By default MIRACL Trust SSO service works with internal session storage and doesn't have any dependencies but if you want to use Redis as an external session storage, you could run it on your host machine by:
sudo apt update && sudo apt install redis-server
sudo service redis-server start
Assuming that you have your config files stored in a local directory such as
/home/user/miracl-sso-test/ (as explained in the Installation / Quick Start instructions) you can now run:
docker run --name=sso --network host -v /home/user/miracl-sso-test/:/etc/miracl-sso miracl/sso:latest -c /etc/miracl-sso/config.yaml
As it is running on the host network, the service will be accessible at port 8000, unless you have changed the default port in the config. It will also access the Redis server on port 6379 if setup to be used (see session storage).
So you should now be able to access and test your running service at
Running Docker with Consul for config management
The steps below make use of a local config.yaml file to run a Docker container which references a set of config files stored in Consul. The local config.yaml has only one include which points to the Consul config url, while Consul stores config files just as described in the Overview and Installation / Quick Start instructions
Run consul in a docker container:
docker run -d --name=consul -p 8300:8300 -p 8500:8500 --net=host gliderlabs/consul-server -bootstrap -advertise=127.0.0.1
Note that the option –net=host means that it is connected to your host network and so will be accessible to the miracl-sso docker container.
http://127.0.0.1:8500 and set up the necessary config files in key/value, including config.yaml to list the includes, core.yaml to store the server details, client id and secret; plus server certificates. As well as the relevant Service Provider config in the service_providers sub-folder:
Then run the miracl-sso container, assuming that you have your config file stored in a local directory such as
docker run --network host -v /home/user/miracl-sso-consul/config.yaml:/etc/config.yaml miracl/sso:latest -c /etc/config.yaml
The –net=host option means that the miracl/sso container will be able to talk to both redis and the consul container running on your host network.
/home/user/miracl-sso-consul/config.yaml should contain the correct consul url as an include:
includes: - http://127.0.0.1:8500/v1/kv/config/miracl-sso/config.yaml?raw
Note that ?raw needs to be specified to access the contents of the file stored on consul
Notes on Docker usage
Setting log level
If the log parameter is included in any of your config files and the network parameter is set to ‘local’, for example:
log: level: ERROR network: local address: 127.0.0.1:514
then the running Docker container will attempt to connect to the local machine's syslog.
You can connect to the local machine's syslog either by setting the above network parameter and following with a command such as:
docker run --name=sso --network host -v /run/systemd/journal/syslog:/dev/log -v /home/user/miracl-sso-dockertest/:/etc/miracl-sso miracl/sso:latest -c /etc/miracl-sso/config.yaml
Or you can use the docker syslog driver. For this you do not need to supply the network parameter as it is managed entirely by docker e.g.:
docker run --name=sso --network host --log-driver=syslog --log-opt syslog-address=unixgram:///run/systemd/journal/syslog -v /home/user/miracl-sso-dockertest/config.yaml:/etc/config.yaml miracl/sso:latest -c /etc/config.yaml
More information on Docker syslog settings can be found at https://docs.docker.com/config/containers/logging/syslog/#options