Updated the repo with the last version of files

.env

+SSPHP_ADMIN_PASSWORD="FW8n-KWl"
+SSPHP_API_TOKEN="HnsVj=9NU*IG"
+DOMAIN_NAME=conformanceidp.example.net
+CERTBOT_EMAIL=admin@example.net
\ No newline at end of file

README.md

 # Conformance IdP deployment
 
-To easily run the conformance IdP, you can use docker compose:
+To easily run the conformance IdP, you can use docker compose, but before that, a valid DNS record needs to be created in your DNS zone so that certbot could automatically generate TLS certificates for your Conformance IdP instance.
+After having DNS record created, please edit the .env file and replace variables as per your need. 
+
+* `SSPHP_ADMIN_PASSWORD` - SimplesamlPHP portal administrative password
+* `SSPHP_API_TOKEN` - SimplesamlPHP administrative API token
+* `DOMAIN_NAME` - A valid FQDN your instance will be available at.
+* `CERTBOT_EMAIL` - an email you'll be receiving notifications from Letsencrypt to. The domain part of the email must be valid.
+
+We strongly recommend replacing dfault credentials with new, complex ones.
+
+After .env file variables are defined, you can build docker containers as follows:
 
 ```shell
 cd docker
 docker compose up -d --build
+docker exec conformance_idp php /var/simplesamlphp/bin/initMDSPdo.php
+docker exec conformance_idp php /var/simplesamlphp/modules/conformance/bin/install.php
 ```
 
-This will start SimpleSAMLphp at `http://localhost/simplesaml/module.php/admin` with the conformance module installed,
+This will start SimpleSAMLphp at `http://DOMAIN_NAME/simplesaml/module.php/admin` with the conformance module installed,
 mariaDB database and nginx as a reverse proxy.
 
-You need to mount configuration and metadata folders, see `docker-compose.yml`, and add HTTPS (e.g. Let's encrypt).
+You need to mount configuration and metadata folders, see `docker-compose.yml`.
+
+If you need your SimplesamlPHP instance to be running on HTTPS, then check the content of the "./certbot/conf/live/DOMAIN_NAME" directory, it sould contain the certificates and the key file. There should be the following files: cert.pem  chain.pem  fullchain.pem  privkey.pem, otherwise please check the certbot container logs as follows:
+
+```shell
+docker logs certbot
+```
+
+After making sure that the certificates have been generated, the script ./apply_https.sh will help to configure reverseproxy container.
+
+Make the script executable and run it:
+
+```shell
+chmod ug+x ./apply_https.sh
+./apply_https.sh
+```
+
+After this you should be able to access your SimplesamlPHP instance on HTTPS, as follows: https://DOMAIN_NAME/simplesaml/module.php/admin

apply_https.sh

+#!/bin/bash
+
+# Read the .env file and extract the DOMAIN_NAME variable
+while IFS= read -r line; do
+    if [[ "$line" == "DOMAIN_NAME="* ]]; then
+        domain_name="${line#*=}"
+        break
+    fi
+done < .env
+
+# Define the directory path
+directory_path="./certbot/conf/live/$domain_name/"
+
+# Define the list of required files
+required_files=("cert.pem" "chain.pem" "fullchain.pem" "privkey.pem")
+
+# Check if all required files exist in the directory
+missing_files=0
+for file in "${required_files[@]}"; do
+    file_path="$directory_path$file"
+    if [[ ! -f "$file_path" ]]; then
+        echo "Error: $file does not exist in $directory_path"
+        missing_files=1
+    fi
+done
+
+# If any files are missing, exit with an error
+if [[ $missing_files -eq 1 ]];
+    then
+	exit 1
+    else
+	# Replace "#server_name ;" with the DOMAIN_NAME in conformance_idp.conf
+	sed -i "s/#server_name ;/server_name $domain_name;/" conformance_idp.conf
+
+	# Replace "#server_name ;" with the DOMAIN_NAME in conformance_idp_ssl.conf
+	sed -i "s/#server_name ;/server_name $domain_name;/" conformance_idp_ssl.conf
+
+	# Define SSL certificate and key configurations
+	cert_config="ssl_certificate /opt/bitnami/nginx/ssl/live/$domain_name/cert.pem;"
+	key_config="ssl_certificate_key /opt/bitnami/nginx/ssl/live/$domain_name/privkey.pem;"
+
+	# Replace "#ssl_certificate ;" with the actual certificate configuration
+	sed -i "s|#ssl_certificate ;|$cert_config|" conformance_idp_ssl.conf
+
+	# Replace "#ssl_certificate_key ;" with the actual key configuration
+	sed -i "s|#ssl_certificate_key ;|$key_config|" conformance_idp_ssl.conf
+	
+	cat conformance_idp_ssl.conf >> conformance_idp.conf
+	chmod -R go+rx ./certbot/conf
+	docker restart reverseproxy
+	echo "please check https://$domain_name/simplesaml/module.php/admin in few minutes"
+fi

conformance_idp.conf

 server {
     listen 80;
     http2 on;
+    server_tokens off;
+    #server_name ;
 
+    location / {
+        alias /var/www/certbot/;
+    }
+    
     location ^~ /simplesaml/ {
         alias /var/simplesamlphp/public/;
-
+	index	index.php;
         include                 fastcgi_params;
         fastcgi_split_path_info ^(.+?\.php)(/.+)$;
         fastcgi_index           index.php;
@@ -14,7 +20,6 @@ server {
         fastcgi_param           HTTP_PROXY "";
         fastcgi_param           SIMPLESAMLPHP_CONFIG_DIR "/var/simplesamlphp/config";
         fastcgi_param           REMOTE_ADDR $remote_addr;
-
         location ~ ^(?<prefix>/simplesaml/)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
             fastcgi_pass            conformance_idp:9000;
         }

conformance_idp/Dockerfile

 ARG PHP_VERSION="8.3"
 ARG COMPOSER_VERSION="2"
 ARG SSP_VERSION="2.1.3"
+ARG GOLANG_VERSION="1.22.2"
 
 FROM mlocati/php-extension-installer AS extension_installer
 FROM composer/composer:${COMPOSER_VERSION} as composer
@@ -8,6 +9,8 @@ FROM composer/composer:${COMPOSER_VERSION} as composer
 FROM php:${PHP_VERSION}${PHP_VERSION:+-}fpm AS base
 
 ARG DEBIAN_FRONTEND=noninteractive
+ARG SSPHP_API_TOKEN
+ARG SSPHP_ADMIN_PASSWORD
 
 # use production php.ini
 RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
@@ -28,7 +31,7 @@ COPY --from=composer /usr/bin/composer /usr/bin/composer
 RUN apt update -y \
     && apt install -y --no-install-recommends git wget zip
 
-# install SimpleSAMLphp
+# install SimpleSAMLphp, prepare config
 RUN cd /var \
     # TODO: git clone your module here etc., adapt as needed
     && wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v${SSP_VERSION}/simplesamlphp-${SSP_VERSION}.tar.gz -O simplesamlphp.tar.gz \
@@ -41,25 +44,56 @@ RUN cd /var \
     && cp metadata/saml20-idp-hosted.php.dist metadata/saml20-idp-hosted.php \
     && cp metadata/saml20-idp-remote.php.dist metadata/saml20-idp-remote.php \
     && cp metadata/saml20-sp-remote.php.dist metadata/saml20-sp-remote.php \
-    && mkdir -p /tmp/cache/simplesamlphp
+    && mkdir -p /tmp/cache/simplesamlphp \
+    && sed -i "s/'session.cookie.secure' => true,/'session.cookie.secure' => false,/g" /var/simplesamlphp/config/config.php \
+    && sed -i "s/'cachedir' => '\/var\/cache\/simplesamlphp',/'cachedir' => '\/tmp\/cache\/simplesamlphp',/g" /var/simplesamlphp/config/config.php \
+    && sed -i "s/'auth.adminpassword' => '123',/'auth.adminpassword' => '$SSPHP_ADMIN_PASSWORD',/g" /var/simplesamlphp/config/config.php \
+    && sed -i "s/script-src 'self'/script-src 'self' 'unsafe-inline'/g" /var/simplesamlphp/config/config.php
 
-# install conformance module
+# install and enable conformance module
 RUN cd /var/simplesamlphp \
     && composer config minimum-stability dev \
     && composer config repositories.0 git https://github.com/cicnavi/simplesamlphp-module-conformance.git \
-    && composer require --no-progress cicnavi/simplesamlphp-module-conformance:dev-wip
-
-# modify config
-RUN sed -i "s/'session.cookie.secure' => true,/'session.cookie.secure' => false,/g" /var/simplesamlphp/config/config.php \
-    && sed -i "s/'cachedir' => '\/var\/cache\/simplesamlphp',/'cachedir' => '\/tmp\/cache\/simplesamlphp',/g" /var/simplesamlphp/config/config.php \
-    && sed -i "s/'auth.adminpassword' => '123',/'auth.adminpassword' => 'admin',/g" /var/simplesamlphp/config/config.php
+    && composer require --no-progress cicnavi/simplesamlphp-module-conformance:dev-main \
+    && sed -i "s/'saml' => true/&,/" /var/simplesamlphp/config/config.php \
+    && sed -i "/'saml' => true,/a \ \ \ \ \ \ \ \ \'conformance' => true" /var/simplesamlphp/config/config.php \
+    && cp /var/simplesamlphp/modules/conformance/config-templates/module_conformance.php /var/simplesamlphp/config/ \
+    && sed -i "s/'database.dsn' => 'mysql:host=localhost;dbname=saml',/'database.dsn' => 'mysql:host=mariadb;dbname=saml',/" /var/simplesamlphp/config/config.php \
+    && sed -i "s/'database.username' => 'simplesamlphp',/'database.username' => 'root',/" /var/simplesamlphp/config/config.php \
+    && sed -i "s/'database.password' => 'secret',/'database.password' => '',/" /var/simplesamlphp/config/config.php \
+    && sed -i '/99 => .*core:LanguageAdaptor.*/a \        1000 => '\''conformance:Conformance'\'',' /var/simplesamlphp/config/config.php \
+    && sed -i "/\['type' => 'flatfile'\],/a \        \['type' => 'pdo'\]," /var/simplesamlphp/config/config.php \
+    && sed -i "s|ModuleConfiguration::OPTION_LOCAL_TEST_RUNNER_TOKEN => null,|ModuleConfiguration::OPTION_LOCAL_TEST_RUNNER_TOKEN => '$SSPHP_API_TOKEN',|g" /var/simplesamlphp/config/module_conformance.php
 
 # finalize
 
 FROM base
 
-COPY --from=ssp_builder /var/simplesamlphp/ /var/simplesamlphp/
+ARG GOLANG_VERSION
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+COPY --from=ssp_builder --chown=www-data:www-data /var/simplesamlphp/ /var/simplesamlphp/
 
 EXPOSE 9000
 
+# Install GO
+# GO version to download and install. Refer to https://go.dev/dl/
+ENV GO_VERSION=go${GOLANG_VERSION}.linux-amd64.tar.gz GOROOT=/usr/local/go GOPATH=$HOME/go
+ENV PATH=$PATH:$GOROOT/bin:$GOPATH/bin
+ADD https://go.dev/dl/$GO_VERSION /usr/local/
+RUN tar xf /usr/local/$GO_VERSION -C /usr/local/ \
+    && rm /usr/local/$GO_VERSION
+
+# Install Nuclei and Chromium to enable headless browser support
+# Create html symlink pointing to SSP public dir
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends --fix-missing chromium postfix \
+    && go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest \
+    && go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest \
+    && cd /var/www \
+    && rm -rf html \
+    && ln -s conformance-idp/public html \
+    && chown www-data:www-data /var/www
+
 WORKDIR /var/simplesamlphp

conformance_idp_ssl.conf

+server {
+    listen       443 http2 ssl;
+    http2 on;
+    server_tokens off;
+    #server_name ;
+    #ssl_certificate ;
+    #ssl_certificate_key ;
+    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_session_cache shared:SSL:10m;
+    ssl_ecdh_curve secp384r1;
+    ssl_session_tickets off;
+
+    location / {
+        alias /var/www/certbot/;
+    }
+    
+    location ^~ /simplesaml/ {
+        alias /var/simplesamlphp/public/;
+	index	index.php;
+        include                 fastcgi_params;
+        fastcgi_split_path_info ^(.+?\.php)(/.+)$;
+        fastcgi_index           index.php;
+        fastcgi_param           SCRIPT_FILENAME $document_root$phpfile;
+        fastcgi_param           SCRIPT_NAME $prefix$phpfile;
+        fastcgi_param           PATH_INFO $fastcgi_path_info;
+        fastcgi_param           HTTP_PROXY "";
+        fastcgi_param           SIMPLESAMLPHP_CONFIG_DIR "/var/simplesamlphp/config";
+        fastcgi_param           REMOTE_ADDR $remote_addr;
+        location ~ ^(?<prefix>/simplesaml/)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+            fastcgi_pass            conformance_idp:9000;
+        }
+    }
+}

docker-compose.yml

@@ -7,8 +7,19 @@ services:
     environment:
       - ALLOW_EMPTY_PASSWORD=yes
       - MARIADB_SKIP_TEST_DB=yes
+    volumes:
+      - ./saml.sql:/docker-entrypoint-initdb.d/saml.sql
+    # This is needed only for connecting to mysql from the host. Not needed for production
+    # ports:
+    #   - "127.0.0.1:3306:3306"
   conformance_idp:
-    build: ./conformance_idp/.
+    env_file:
+      - ./.env
+    build:
+      context: ./conformance_idp/.
+      args:
+        - SSPHP_ADMIN_PASSWORD=$SSPHP_ADMIN_PASSWORD
+        - SSPHP_API_TOKEN=$SSPHP_API_TOKEN
     container_name: conformance_idp
     restart: always
     depends_on:
@@ -18,19 +29,37 @@ services:
       # TODO: - /path/to/metadata:/var/simplesamlphp/metadata:ro
       - public:/var/simplesamlphp/public
   reverseproxy:
-    image: bitnami/nginx:1.25
+    # image: bitnami/nginx:1.25
     container_name: reverseproxy
+    build: ./reverseproxy/.
     restart: always
     depends_on:
       - conformance_idp
     volumes:
       - ./conformance_idp.conf:/opt/bitnami/nginx/conf/server_blocks/conformance_idp.conf:ro
       - public:/var/simplesamlphp/public:ro
+      - ./certbot/www/:/var/www/certbot/:ro
+      - ./certbot/conf/:/opt/bitnami/nginx/ssl:ro
     ports:
       - "80:80"
-      # TODO: - "443:443"
+      - "443:443"
     environment:
       - NGINX_ENABLE_ABSOLUTE_REDIRECT=yes
+    #Return container status. If nginx is not running yet, or not returning HTTP 403 status code, the container will not be considered as being ready, thus, certbot container will not be executed.
+    healthcheck:
+      test: ["CMD-SHELL", "curl --silent --fail --output /dev/null -w '%{http_code}' http://localhost/ | grep -q '^403$'"]
+      interval: 10s
+      retries: 3
 
+  certbot:
+    image: certbot/certbot:latest
+    container_name: certbot
+    depends_on:
+      reverseproxy:
+        condition: service_healthy
+    volumes:
+      - ./certbot/www/:/var/www/certbot/:rw
+      - ./certbot/conf/:/etc/letsencrypt/:rw
+    command: certonly --webroot --webroot-path /var/www/certbot/ --agree-tos --email ${CERTBOT_EMAIL} --no-eff-email -d ${DOMAIN_NAME}
 volumes:
   public:

reverseproxy/Dockerfile

+FROM bitnami/nginx:1.25
+
+USER root
+RUN install_packages curl
+USER 1001

saml.sql

+-- MySQL dump 10.13  Distrib 8.0.36, for Linux (x86_64)
+--
+-- Host: 127.0.0.1    Database: saml
+-- ------------------------------------------------------
+-- Server version	11.2.3-MariaDB
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!50503 SET NAMES utf8mb4 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Current Database: `saml`
+--
+
+CREATE DATABASE /*!32312 IF NOT EXISTS*/ `saml` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci */;
+
+USE `saml`;
+
+--
+-- Table structure for table `cnfrmnc_migrations`
+--
+
+DROP TABLE IF EXISTS `cnfrmnc_migrations`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!50503 SET character_set_client = utf8mb4 */;
+CREATE TABLE `cnfrmnc_migrations` (
+  `migration` varchar(191) NOT NULL,
+  PRIMARY KEY (`migration`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `cnfrmnc_migrations`
+--
+
+LOCK TABLES `cnfrmnc_migrations` WRITE;
+/*!40000 ALTER TABLE `cnfrmnc_migrations` DISABLE KEYS */;
+INSERT INTO `cnfrmnc_migrations` VALUES ('_1_CreateSpConsentsTable.php'),('_2_CreateSpConsentRequestsTable.php');
+/*!40000 ALTER TABLE `cnfrmnc_migrations` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `cnfrmnc_sp_consent_requests`
+--
+
+DROP TABLE IF EXISTS `cnfrmnc_sp_consent_requests`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!50503 SET character_set_client = utf8mb4 */;
+CREATE TABLE `cnfrmnc_sp_consent_requests` (
+  `entity_id` varchar(255) NOT NULL,
+  `challenge` char(64) NOT NULL,
+  `created_at` bigint(20) unsigned NOT NULL,
+  PRIMARY KEY (`entity_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `cnfrmnc_sp_consent_requests`
+--
+
+LOCK TABLES `cnfrmnc_sp_consent_requests` WRITE;
+/*!40000 ALTER TABLE `cnfrmnc_sp_consent_requests` DISABLE KEYS */;
+/*!40000 ALTER TABLE `cnfrmnc_sp_consent_requests` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `cnfrmnc_sp_consents`
+--
+
+DROP TABLE IF EXISTS `cnfrmnc_sp_consents`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!50503 SET character_set_client = utf8mb4 */;
+CREATE TABLE `cnfrmnc_sp_consents` (
+  `entity_id` varchar(255) NOT NULL,
+  `created_at` bigint(20) unsigned NOT NULL,
+  PRIMARY KEY (`entity_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `cnfrmnc_sp_consents`
+--
+
+LOCK TABLES `cnfrmnc_sp_consents` WRITE;
+/*!40000 ALTER TABLE `cnfrmnc_sp_consents` DISABLE KEYS */;
+/*!40000 ALTER TABLE `cnfrmnc_sp_consents` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2024-03-27 19:47:51