diff --git a/x-pack/test/idp-fixture/build.gradle b/x-pack/test/idp-fixture/build.gradle index 75e152bafae2e..b001125a3e7a5 100644 --- a/x-pack/test/idp-fixture/build.gradle +++ b/x-pack/test/idp-fixture/build.gradle @@ -1,5 +1,9 @@ import org.elasticsearch.gradle.VersionProperties import org.elasticsearch.gradle.Architecture +import org.elasticsearch.gradle.internal.DockerBase +import org.elasticsearch.gradle.internal.docker.DockerBuildTask +import org.elasticsearch.gradle.internal.info.BuildParams + import static org.elasticsearch.gradle.internal.distribution.InternalElasticsearchDistributionTypes.DOCKER; apply plugin: 'elasticsearch.test.fixtures' @@ -34,9 +38,16 @@ tasks.named("preProcessFixture").configure { } tasks.named('composeUp').configure { - dependsOn "preProcessFixture" + dependsOn "preProcessFixture", "buildShibbolethImage" } tasks.named('composePull').configure { enabled = false // this task fails due to docker-compose oddities } + +task buildShibbolethImage(type: Exec) { + workingDir "shibboleth-idp" + commandLine 'docker', 'buildx', 'build', '-t', 'elastic/shibboleth-idp:test', '.', '--platform', 'linux/amd64' //change to linux/arm64v8 to test +} + + diff --git a/x-pack/test/idp-fixture/docker-compose.yml b/x-pack/test/idp-fixture/docker-compose.yml index 753075c0e4506..65ddfc69ef6df 100644 --- a/x-pack/test/idp-fixture/docker-compose.yml +++ b/x-pack/test/idp-fixture/docker-compose.yml @@ -144,7 +144,7 @@ services: - ./openldap/certs:/container/service/slapd/assets/certs shibboleth-idp: - image: "unicon/shibboleth-idp:3.4.2" + image: "elastic/shibboleth-idp:test" depends_on: - openldap environment: diff --git a/x-pack/test/idp-fixture/shibboleth-idp/Dockerfile b/x-pack/test/idp-fixture/shibboleth-idp/Dockerfile new file mode 100644 index 0000000000000..a5d8e63561c03 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/Dockerfile 
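Review bot: The three new imports (`DockerBase`, `DockerBuildTask`, `BuildParams`) are not referenced by anything visible in this diff — the only new task is a plain `Exec`, so unless they are used elsewhere in the file they should be dropped, or the task should actually be written as a `DockerBuildTask` so the build-tooling conventions (platform selection, image tagging) come from the plugin rather than a hand-rolled command line. Leaving unused imports in a fixture build file makes it look like the image build is wired into the internal Docker tooling when it is not.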
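Review bot: `buildShibbolethImage` hard-codes `--platform linux/amd64` and leaves a "change to linux/arm64v8 to test" comment, so on an arm64 host the fixture is built and run under emulation unless a developer edits the build file; `Architecture` is already imported, so the platform can be derived, e.g. `def platform = Architecture.current() == Architecture.AARCH64 ? 'linux/arm64' : 'linux/amd64'` and then `'--platform', platform`. Note that buildx exposes the canonical `linux/arm64` as `TARGETARCH=arm64` (variant in `TARGETVARIANT`), while the new Dockerfile only accepts the non-canonical `arm64v8` spelling, so the two need to be fixed together. The command also has no `--load`; with the default docker driver the image lands in the local store, but with a docker-container builder it does not, and since `composePull` is disabled the compose step would then try to pull `elastic/shibboleth-idp:test` from the registry instead of using the locally built image — adding `'--load'` makes the intent explicit either way.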
@@ -0,0 +1,131 @@ +FROM ubuntu:focal as temp + +ARG TARGETOS +ARG TARGETARCH + +ENV jetty_version=9.3.27.v20190418 \ + jetty_hash=7c7c80dd1c9f921771e2b1a05deeeec652d5fcaa \ + idp_version=3.4.3 \ + idp_hash=eb86bc7b6366ce2a44f97cae1b014d307b84257e3149469b22b2d091007309db \ + dta_hash=2f547074b06952b94c35631398f36746820a7697 \ + slf4j_version=1.7.25 \ + slf4j_hash=da76ca59f6a57ee3102f8f9bd9cee742973efa8a \ + logback_version=1.2.3 \ + logback_classic_hash=7c4f3c474fb2c041d8028740440937705ebb473a \ + logback_core_hash=864344400c3d4d92dfeb0a305dc87d953677c03c \ + logback_access_hash=e8a841cb796f6423c7afd8738df6e0e4052bf24a + +ENV JETTY_HOME=/opt/jetty-home \ + JETTY_BASE=/opt/shib-jetty-base \ + PATH=$PATH:$JRE_HOME/bin + +RUN apt-get update \ + && apt-get install -y wget + +RUN echo "Building for $TARGETOS/$TARGETARCH" + +# Download Java, verify the hash, and install +RUN if [ "$TARGETOS" = "linux" -a "$TARGETARCH" = "amd64" ]; then \ + wget -q https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u345-b01/OpenJDK8U-jre_x64_linux_hotspot_8u345b01.tar.gz \ + && tar -zxvf OpenJDK8U-jre_x64_linux_hotspot_8u345b01.tar.gz -C /opt \ + && echo 2422a8831fe414b9dba4c443ee3562431dfcde27577124f0db58ec903afc262a OpenJDK8U-jre_x64_linux_hotspot_8u345b01.tar.gz | sha256sum -c \ + && mv /opt/jdk8u345-b01-jre /opt/jre-home; \ + elif [ "$TARGETOS" = "linux" -a "$TARGETARCH" = "arm64v8" ]; then \ + wget -q https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u345-b01/OpenJDK8U-jre_aarch64_linux_hotspot_8u345b01.tar.gz \ + && tar -zxvf OpenJDK8U-jre_aarch64_linux_hotspot_8u345b01.tar.gz -C /opt \ + && echo 65b8bd74382d6514d2458ff4375468651791a55a186a5bffe0803204801e9c94 OpenJDK8U-jre_aarch64_linux_hotspot_8u345b01.tar.gz | sha256sum -c \ + && mv /opt/jdk8u345-b01-jre /opt/jre-home; \ + else \ + echo "Error: unsupported architecture: $TARGETOS/$TARGETARCH" && exit 1; \ + fi + +# Download Jetty, verify the hash, and install, initialize a new base +RUN wget -q 
https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \ + && echo "$jetty_hash jetty-distribution-$jetty_version.tar.gz" | sha1sum -c - \ + && tar -zxvf jetty-distribution-$jetty_version.tar.gz -C /opt \ + && ln -s /opt/jetty-distribution-$jetty_version/ /opt/jetty-home + +RUN mkdir -p /opt/shib-jetty-base/modules +COPY ssl.mod /opt/shib-jetty-base/modules/ssl.mod +COPY keystore /opt/shib-jetty-base/etc/keystore + +# Config Jetty +RUN mkdir -p /opt/shib-jetty-base/modules /opt/shib-jetty-base/lib/ext /opt/shib-jetty-base/lib/logging /opt/shib-jetty-base/resources \ + && cd /opt/shib-jetty-base \ + && touch start.ini \ + && /opt/jre-home/bin/java -jar ../jetty-home/start.jar --add-to-startd=http,https,deploy,ext,annotations,jstl,rewrite + +# Download Shibboleth IdP, verify the hash, and install +RUN wget -q https://shibboleth.net/downloads/identity-provider/archive/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz \ + && echo "$idp_hash shibboleth-identity-provider-$idp_version.tar.gz" | sha256sum -c - \ + && tar -zxvf shibboleth-identity-provider-$idp_version.tar.gz -C /opt \ + && ln -s /opt/shibboleth-identity-provider-$idp_version/ /opt/shibboleth-idp + +# Download the library to allow SOAP Endpoints, verify the hash, and place +RUN wget -q https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/jetty9/jetty9-dta-ssl/1.0.0/jetty9-dta-ssl-1.0.0.jar \ + && echo "$dta_hash jetty9-dta-ssl-1.0.0.jar" | sha1sum -c - \ + && mv jetty9-dta-ssl-1.0.0.jar /opt/shib-jetty-base/lib/ext/ + +# Download the slf4j library for Jetty logging, verify the hash, and place +RUN wget -q https://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar \ + && echo "$slf4j_hash slf4j-api-$slf4j_version.jar" | sha1sum -c - \ + && mv slf4j-api-$slf4j_version.jar /opt/shib-jetty-base/lib/logging/ + +# Download the logback_classic library 
for Jetty logging, verify the hash, and place +RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar \ + && echo "$logback_classic_hash logback-classic-$logback_version.jar" | sha1sum -c - \ + && mv logback-classic-$logback_version.jar /opt/shib-jetty-base/lib/logging/ + +# Download the logback-core library for Jetty logging, verify the hash, and place +RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar \ + && echo "$logback_core_hash logback-core-$logback_version.jar" | sha1sum -c - \ + && mv logback-core-$logback_version.jar /opt/shib-jetty-base/lib/logging/ + +# Download the logback-access library for Jetty logging, verify the hash, and place +RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar \ + && echo "$logback_access_hash logback-access-$logback_version.jar" | sha1sum -c - \ + && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/ + +# Setting owner ownership and permissions on new items in this command +RUN useradd jetty -U -s /bin/false \ + && chown -R root:jetty /opt \ + && chmod -R 640 /opt \ + && chmod 750 /opt/jre-home/bin/java + +COPY opt/shib-jetty-base/ /opt/shib-jetty-base/ +COPY opt/shibboleth-idp/ /opt/shibboleth-idp/ + +# Setting owner ownership and permissions on new items from the COPY command +RUN mkdir /opt/shib-jetty-base/logs \ + && chown -R root:jetty /opt/shib-jetty-base \ + && chmod -R 640 /opt/shib-jetty-base \ + && chmod -R 750 /opt/shibboleth-idp/bin + +FROM ubuntu:focal + +LABEL maintainer="Elastic"\ + idp.java.version="8.0.212" \ + idp.jetty.version="9.3.27.v20190418" \ + idp.version="3.4.3" + +ENV JETTY_HOME=/opt/jetty-home \ + JETTY_BASE=/opt/shib-jetty-base \ + JETTY_MAX_HEAP=2048m \ + JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=changeme \ + 
JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=changeme \ + PATH=$PATH:$JRE_HOME/bin + + +COPY bin/ /usr/local/bin/ + +RUN useradd jetty -U -s /bin/false \ + && chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh + +COPY --from=temp /opt/ /opt/ + +RUN chmod +x /opt/jetty-home/bin/jetty.sh + +# Opening 4443 (browser TLS), 8443 (mutual auth TLS) +EXPOSE 4443 8443 + +CMD ["run-jetty.sh"] diff --git a/x-pack/test/idp-fixture/shibboleth-idp/LICENSE b/x-pack/test/idp-fixture/shibboleth-idp/LICENSE new file mode 100644 index 0000000000000..8f71f43fee3f7 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/LICENSE 
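Review bot: In both JRE branches the archive is extracted (`tar -zxvf … -C /opt`) before `sha256sum -c` runs, so unverified content is unpacked first and only then checked; the Jetty, IdP and logging steps below correctly verify before extracting, and the JRE steps should match: `&& echo <sha256> OpenJDK8U-jre_…tar.gz | sha256sum -c && tar -zxvf OpenJDK8U-jre_…tar.gz -C /opt`. The image also never switches to the `jetty` user it creates in both stages — there is no `USER` directive, and `chmod -R 640 /opt` strips the execute bit from directories, so the layout only works because the process runs as root; either add `USER jetty` with `750` on directories or add a comment stating the fixture deliberately runs as root. Smaller points: the `idp.java.version="8.0.212"` label is stale against the 8u345 build that is downloaded, `PATH=$PATH:$JRE_HOME/bin` references a `JRE_HOME` that is never set (the JRE lives at `/opt/jre-home`), and the `changeme` keystore passwords are baked into `ENV`, which is fine for a test fixture but deserves a `# test-only credentials` comment next to them. Shibboleth IdP 3.4.x and Jetty 9.3 are, as far as I know, end-of-life lines, so a comment noting why these versions are pinned would help whoever next touches the fixture.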
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/x-pack/test/idp-fixture/shibboleth-idp/README.md b/x-pack/test/idp-fixture/shibboleth-idp/README.md new file mode 100644 index 0000000000000..919e623e6d9f6 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/README.md @@ -0,0 +1,9 @@ +This is forked from https://github.com/Unicon/shibboleth-idp-dockerized with the following changes: + +* keystore is pulled from local disk and ssl.mod to match (the original download no longer exists) +* support amd64 and arm64v8 architectures +* uses ubuntu as base image +* fixed broken HTTPS links + + + diff --git a/x-pack/test/idp-fixture/shibboleth-idp/bin/init-idp.sh b/x-pack/test/idp-fixture/shibboleth-idp/bin/init-idp.sh new file mode 100644 index 0000000000000..3c5c197074298 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/bin/init-idp.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash + +export JAVA_HOME=/opt/jre-home +export PATH=$PATH:$JAVA_HOME/bin + +cd /opt/shibboleth-idp/bin + +echo "Please complete the following for your IdP environment:" +./ant.sh -Didp.target.dir=/opt/shibboleth-idp-tmp -Didp.src.dir=/opt/shibboleth-idp/ install + +find /opt/shibboleth-idp-tmp/ -type d -exec chmod 750 {} \; + +mkdir -p /ext-mount/customized-shibboleth-idp/conf/ +chmod -R 750 /ext-mount/customized-shibboleth-idp/ + +# Copy the essential and routinely customized config to out Docker mount. +cd /opt/shibboleth-idp-tmp +cp -r credentials/ /ext-mount/customized-shibboleth-idp/ +cp -r metadata/ /ext-mount/customized-shibboleth-idp/ +cp conf/{attribute-resolver*.xml,attribute-filter.xml,cas-protocol.xml,idp.properties,ldap.properties,metadata-providers.xml,relying-party.xml,saml-nameid.*} /ext-mount/customized-shibboleth-idp/conf/ + +# Copy the basic UI components, which are routinely customized +cp -r views/ /ext-mount/customized-shibboleth-idp/ +mkdir /ext-mount/customized-shibboleth-idp/webapp/ +cp -r edit-webapp/css/ /ext-mount/customized-shibboleth-idp/webapp/ +cp -r edit-webapp/images/ /ext-mount/customized-shibboleth-idp/webapp/ +rm -r /ext-mount/customized-shibboleth-idp/views/user-prefs.js + +echo "A basic Shibboleth IdP config and UI has been copied to ./customized-shibboleth-idp/ (assuming the default volume mapping was used)." +echo "Most files, if not being customized can be removed from what was exported/the local Docker image and baseline files will be used." diff --git a/x-pack/test/idp-fixture/shibboleth-idp/bin/run-jetty.sh b/x-pack/test/idp-fixture/shibboleth-idp/bin/run-jetty.sh new file mode 100644 index 0000000000000..31ebe1412b022 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/bin/run-jetty.sh 
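Review bot: The script has no `set -e`, so if `cd /opt/shibboleth-idp/bin` or `./ant.sh … install` fails it carries on and copies whatever happens to exist into the mount; add `set -euo pipefail` after the shebang. The `chmod -R 750 /ext-mount/customized-shibboleth-idp/` also runs before anything is copied, so `credentials/` — which holds the IdP signing/encryption keys and the PKCS12 keystores the Jetty ini files point at — lands on what is presumably a host bind mount with umask-default permissions; move the `chmod -R 750` to after the last `cp`, or put `umask 027` before the copies so the private key material is never world-readable on the host.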
@@ -0,0 +1,16 @@ +#!/bin/sh + +#set -x + +export JAVA_HOME=/opt/jre-home +export PATH=$PATH:$JAVA_HOME/bin + +if [ -e "/opt/shibboleth-idp/ext-conf/idp-secrets.properties" ]; then + export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty.backchannel.sslContext.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties` + export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty\.sslContext\.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties` +fi + +export JETTY_ARGS="jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD jetty.backchannel.sslContext.keyStorePassword=$JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD" +sed -i "s/^-Xmx.*$/-Xmx$JETTY_MAX_HEAP/g" /opt/shib-jetty-base/start.ini + +exec /opt/jetty-home/bin/jetty.sh run diff --git a/x-pack/test/idp-fixture/shibboleth-idp/keystore b/x-pack/test/idp-fixture/shibboleth-idp/keystore new file mode 100644 index 0000000000000..d6592f95ee935 Binary files /dev/null and b/x-pack/test/idp-fixture/shibboleth-idp/keystore differ diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-backchannel.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-backchannel.xml new file mode 100644 index 0000000000000..7b07b5116adfe --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-backchannel.xml @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + false + true + + + SSL + SSLv2 + SSLv3 + + + + + TLS_ECDHE.* + TLS_RSA.* + + + + + .*NULL.* + .*RC4.* + .*MD5.* + .*DES.* + .*DSS.* + + + + + + + + + + + + + + + + + + + + + + + + + + + + + http/1.1 + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
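Review bot: The secrets branch calls `gawk` with the three-argument `match($0, re, a)` form, but the final stage is a bare `ubuntu:focal` that installs nothing (the only `apt-get install` is `wget` in the `temp` stage), and the Ubuntu base ships mawk rather than gawk; if that holds, the moment `idp-secrets.properties` exists both `export`s evaluate to an empty string, overriding the `changeme` defaults and leaving Jetty unable to open either keystore. A POSIX replacement avoids the dependency, e.g. `export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=$(sed -n 's/^jetty\.sslContext\.keyStorePassword=[[:space:]]*//p' /opt/shibboleth-idp/ext-conf/idp-secrets.properties)` and the same for the backchannel key. Note also that `JETTY_ARGS` puts both passwords on the JVM command line, where any process in the container can read them from `/proc/*/cmdline`; acceptable for a test fixture, but worth a one-line comment so nobody reuses the script elsewhere.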
diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-logging.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-logging.xml new file mode 100644 index 0000000000000..2348f9938705f --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-logging.xml @@ -0,0 +1,33 @@ + + + + + + + + + + + + + diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-requestlog.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-requestlog.xml new file mode 100644 index 0000000000000..69d899a533dee --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-requestlog.xml @@ -0,0 +1,15 @@ + + + + + + + + + /resources/logback-access.xml + + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-rewrite.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-rewrite.xml new file mode 100644 index 0000000000000..6af7394b37266 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-rewrite.xml @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + REQUEST + ASYNC + + + + + + + + * + Content-Security-Policy + frame-ancestors 'none'; + + + + + + + + * + X-Frame-Options + DENY + + + + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-ssl-context.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-ssl-context.xml new file mode 100644 index 0000000000000..08a72852ab438 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/etc/jetty-ssl-context.xml @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + + false + + + SSL + SSLv2 + SSLv3 + + + + + TLS_ECDHE.* + TLS_RSA.* + + + + + .*NULL.* + .*RC4.* + .*MD5.* + .*DES.* + .*DSS.* + + + + \ No newline at end of file 
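Review bot: The protocol exclude list in jetty-ssl-context.xml names only `SSL`, `SSLv2` and `SSLv3`, so whether TLSv1.0/1.1 are offered is left to the JRE's `jdk.tls.disabledAlgorithms` default rather than pinned by this config, and the cipher include list admits the static `TLS_RSA.*` suites, which have no forward secrecy (element names are stripped in this rendering, so this is read from the surviving values). Adding `TLSv1` and `TLSv1.1` to the exclude list and dropping `TLS_RSA.*` from the include list would make the fixture's TLS posture explicit instead of JRE-dependent; the same two lists are duplicated verbatim in jetty-backchannel.xml and should be changed together.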
diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/modules/backchannel.mod b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/modules/backchannel.mod new file mode 100644 index 0000000000000..1215b1096aa73 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/modules/backchannel.mod @@ -0,0 +1,8 @@ +[name] +backchannel + +[depend] +server + +[xml] +etc/jetty-backchannel.xml diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/resources/logback-access.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/resources/logback-access.xml new file mode 100644 index 0000000000000..6c5c2232e66a7 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/resources/logback-access.xml @@ -0,0 +1,10 @@ + + + + + combined + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/resources/logback.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/resources/logback.xml new file mode 100644 index 0000000000000..641dc41a39879 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/resources/logback.xml @@ -0,0 +1,16 @@ + + + + + + UTF-8 + %date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n + + + + + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.d/backchannel.ini b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.d/backchannel.ini new file mode 100644 index 0000000000000..afa19ed4d4cda --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.d/backchannel.ini 
@@ -0,0 +1,8 @@ +--module=backchannel + +jetty.backchannel.port=8443 +jetty.backchannel.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-backchannel.p12 +jetty.backchannel.sslContext.keyStoreType=PKCS12 + +# specified by $IDP_HOME/ext-conf/idp-secrets.properties or the 'docker run' command line +# jetty.backchannel.sslContext.keyStorePassword=CHANGEME \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.d/ssl.ini b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.d/ssl.ini new file mode 100644 index 0000000000000..e2a8e1afb88f6 --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.d/ssl.ini @@ -0,0 +1,7 @@ +--module=ssl +jetty.ssl.port=4443 +jetty.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-browser.p12 +jetty.sslContext.keyStoreType=PKCS12 + +# specified by $IDP_HOME/ext-conf/idp-secrets.properties or the 'docker run' command line +# jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.ini b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.ini new file mode 100644 index 0000000000000..91a674c8820bd --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/start.ini 
@@ -0,0 +1,33 @@ +# Required Jetty modules +--module=server +--module=deploy +--module=annotations +--module=resources +--module=logging +--module=requestlog +--module=servlets +--module=jsp +--module=jstl +--module=ext +--module=plus +--module=rewrite + +# Allows setting Java system properties (-Dname=value) +# and JVM flags (-X, -XX) in this file +# NOTE: spawns child Java process +--exec + +# Bypass file validation for the SSL module, to work around a bug in Jetty 9.3.X +--skip-file-validation=ssl + +# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp +-Didp.home=/opt/shibboleth-idp + +# Alternate garbage collector that reduces memory needed for larger metadata files +-XX:+UseG1GC + +# Maximum amount of memory that Jetty may use, at least 1.5G is recommended +# for handling larger (> 25M) metadata files but you will need to test on +# your particular metadata configuration. +# This value will be replaced at runtime using the env JAVA_MAX_MEMORY setting. +-XmxJETTY_MAX_HEAP diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/webapps/idp.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/webapps/idp.xml new file mode 100644 index 0000000000000..ed62630d6dd8a --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shib-jetty-base/webapps/idp.xml @@ -0,0 +1,7 @@ + + /webapp/ + /idp + false + false + true + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/opt/shibboleth-idp/conf/logback.xml b/x-pack/test/idp-fixture/shibboleth-idp/opt/shibboleth-idp/conf/logback.xml new file mode 100644 index 0000000000000..e1f38b838308b --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/opt/shibboleth-idp/conf/logback.xml 
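Review bot: The comment above the heap placeholder says the value is replaced "using the env JAVA_MAX_MEMORY setting", but the placeholder itself and the `sed` in run-jetty.sh both use `JETTY_MAX_HEAP`; change it to `# This value is rewritten at container start by run-jetty.sh from the JETTY_MAX_HEAP env var.` Because `--exec` passes `-XmxJETTY_MAX_HEAP` straight to the child JVM, the file is not a valid start.ini until that rewrite runs, so a second comment such as `# NOTE: jetty.sh will fail to start if this file is used without run-jetty.sh` would save the next person a confusing failure. The `--skip-file-validation=ssl` workaround would also benefit from a pointer to which Jetty 9.3 bug it addresses, since nothing here says what breaks without it.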
@@ -0,0 +1,124 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + UTF-8 + %date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short} + + + + + + + VelocityStatusMatcher + ResourceManager : unable to find resource 'status.vm' in any resource loader. + + VelocityStatusMatcher.matches(formattedMessage) + + DENY + + + + + + 0 + + + + + ${idp.fticks.loghost:-localhost} + ${idp.fticks.logport:-514} + AUTH + [%thread] %logger %msg + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/shibboleth-idp/ssl.mod b/x-pack/test/idp-fixture/shibboleth-idp/ssl.mod new file mode 100644 index 0000000000000..460af556676ca --- /dev/null +++ b/x-pack/test/idp-fixture/shibboleth-idp/ssl.mod 
@@ -0,0 +1,102 @@ +# +# SSL Keystore module +# + +[name] +ssl + +[depend] +server + +[xml] +etc/jetty-ssl.xml +etc/jetty-ssl-context.xml + +[files] +# keystore originally sourced from https://github.com/eclipse/jetty.project/raw/jetty-9.3.x/jetty-server/src/main/config/etc/keystore +/opt/shib-jetty-base/etc/keystore + +[ini-template] +### TLS(SSL) Connector Configuration + +## Connector host/address to bind to +# jetty.ssl.host=0.0.0.0 + +## Connector port to listen on +# jetty.ssl.port=8443 + +## Connector idle timeout in milliseconds +# jetty.ssl.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.ssl.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.ssl.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.ssl.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.ssl.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.ssl.acceptorPriorityDelta=0 + +## Whether request host names are checked to match any SNI names +# jetty.ssl.sniHostCheck=true + +## max age in seconds for a Strict-Transport-Security response header (default -1) +# jetty.ssl.stsMaxAgeSeconds=31536000 + +## include subdomain property in any Strict-Transport-Security header (default false) +# jetty.ssl.stsIncludeSubdomains=true + +### SslContextFactory Configuration +## Note that OBF passwords are not secure, just protected from casual observation +## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html + +## Keystore file path (relative to $jetty.base) +# jetty.sslContext.keyStorePath=etc/keystore + +## Truststore file path (relative to $jetty.base) +# jetty.sslContext.trustStorePath=etc/keystore + +## Keystore password +# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +## Keystore type and provider +# jetty.sslContext.keyStoreType=JKS +# 
jetty.sslContext.keyStoreProvider= + +## KeyManager password +# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g + +## Truststore password +# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## whether client certificate authentication is required +# jetty.sslContext.needClientAuth=false + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at +## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5
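Review bot: The `[files]` entry points at `/opt/shib-jetty-base/etc/keystore`, which per its own comment is the demo keystore shipped in every Jetty distribution — its private key and OBF-protected passwords are public, so it must never be what a connector actually binds to. It is safe here only because `start.d/ssl.ini` overrides `jetty.sslContext.keyStorePath` to `/opt/shibboleth-idp/credentials/idp-browser.p12`, and that dependency should be stated next to the path: `# NOTE: Jetty's public demo keystore, present only so the module file check passes; ssl.ini overrides keyStorePath to the IdP's own PKCS12, and nothing may ever bind to this file.` The `OBF:` password lines in the ini-template are upstream defaults and are commented out, but a reader could reasonably assume they are live, so the same note should say so.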