diff --git a/Dockerfile b/Dockerfile
index 434ebb10608956065e7b50c9ed99d83760f66ace..6179de75e6ab6988eb558b99b37df2f2cf91e4d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,9 +4,12 @@ LABEL name="LIGO GraceDB Django application" \
 date="20181206"
 ARG SETTINGS_MODULE="config.settings.container.dev"
+COPY docker/SWITCHaai-swdistrib.gpg /etc/apt/trusted.gpg.d
+RUN echo 'deb http://pkg.switch.ch/switchaai/debian stretch main' > /etc/apt/sources.list.d/shibboleth.list
 RUN curl -sL https://deb.nodesource.com/setup_8.x | bash -
-RUN apt-get update
-RUN apt-get install --no-install-recommends --assume-yes \
+# the previous command executes apt-get update; if it is removed
+# one must add RUN apt-get update
+RUN apt-get install --install-recommends --assume-yes \
 apache2 \
 gcc \
 git \
@@ -34,6 +37,9 @@ RUN apt-get install --no-install-recommends --assume-yes \
 COPY docker/supervisord.conf /etc/supervisor/supervisord.conf
 COPY docker/supervisord-apache2.conf /etc/supervisor/conf.d/apache2.conf
 COPY docker/apache-config /etc/apache2/sites-available/gracedb.conf
+COPY docker/login.ligo.org.cert.LIGOCA.pem /etc/shibboleth/login.ligo.org.cert.LIGOCA.pem
+COPY docker/inc-md-cert.pem /etc/shibboleth/inc-md-cert.pem
+
 RUN a2dissite 000-default.conf && \
 a2ensite gracedb.conf && \
 a2enmod headers proxy proxy_http rewrite xsendfile
diff --git a/docker/SWITCHaai-swdistrib.gpg b/docker/SWITCHaai-swdistrib.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..ea3938c46f3170a3007cff8b7f99b64c9946557c
Binary files /dev/null and b/docker/SWITCHaai-swdistrib.gpg differ
diff --git a/docker/inc-md-cert.pem b/docker/inc-md-cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..5ec4ec64e9df9eb79b7fa938f6a4508aba96ee48
--- /dev/null
+++ b/docker/inc-md-cert.pem
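Review bot: The SWITCH key copied into `/etc/apt/trusted.gpg.d` becomes a trust anchor for every configured apt source, not only the Shibboleth repository added on the next line, and that repository is fetched over plain `http`, so the signature check is the only integrity control. Scoping the key limits what it can vouch for: copy it to a keyring path outside `trusted.gpg.d` (for example `/usr/share/keyrings/`) and write the source as `deb [signed-by=/usr/share/keyrings/SWITCHaai-swdistrib.gpg] http://pkg.switch.ch/switchaai/debian stretch main`. Separately, the install now depends on the piped NodeSource script having run `apt-get update` in an earlier layer; `RUN apt-get update && apt-get install ...` in a single layer would not rely on that side effect or on a cached package index. The switch to `--install-recommends` widens the installed package set and the hunk gives no reason for it, so a comment naming the package that needs its recommended dependencies would help. The package list continues outside the hunk.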
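Review bot: The two added `COPY` lines bake trust material into `/etc/shibboleth` with nothing recording where the files came from or when they expire. The `login.ligo.org.cert.LIGOCA.pem` added in this same commit shows `Not After : Dec 19 19:42:07 2020 GMT` and a `sha1WithRSAEncryption` signature, so any image built from this Dockerfile carries that certificate until someone rebuilds with a replacement. A comment above the lines such as `# Shibboleth trust certs: verify fingerprints against the publisher; login.ligo.org cert expires 2020-12-19` would make rotation visible. If rotation must not require a rebuild, supplying the files at deploy time instead of build time is the alternative.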
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIJAJRJzvdpkmNaMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMRUwEwYDVQQKDAxJbkNvbW1vbiBMTEMxMTAvBgNVBAMMKEluQ29tbW9u
+IEZlZGVyYXRpb24gTWV0YWRhdGEgU2lnbmluZyBLZXkwHhcNMTMxMjE2MTkzNDU1
+WhcNMzcxMjE4MTkzNDU1WjBXMQswCQYDVQQGEwJVUzEVMBMGA1UECgwMSW5Db21t
+b24gTExDMTEwLwYDVQQDDChJbkNvbW1vbiBGZWRlcmF0aW9uIE1ldGFkYXRhIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Chdkrn+
+dG5Zj5L3UIw+xeWgNzm8ajw7/FyqRQ1SjD4Lfg2WCdlfjOrYGNnVZMCTfItoXTSp
+g4rXxHQsykeNiYRu2+02uMS+1pnBqWjzdPJE0od+q8EbdvE6ShimjyNn0yQfGyQK
+CNdYuc+75MIHsaIOAEtDZUST9Sd4oeU1zRjV2sGvUd+JFHveUAhRc0b+JEZfIEuq
+/LIU9qxm/+gFaawlmojZPyOWZ1JlswbrrJYYyn10qgnJvjh9gZWXKjmPxqvHKJcA
+TPhAh2gWGabWTXBJCckMe1hrHCl/vbDLCmz0/oYuoaSDzP6zE9YSA/xCplaHA0mo
+C1Vs2H5MOQGlewIDAQABo1AwTjAdBgNVHQ4EFgQU5ij9YLU5zQ6K75kPgVpyQ2N/
+lPswHwYDVR0jBBgwFoAU5ij9YLU5zQ6K75kPgVpyQ2N/lPswDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAaQkEx9xvaLUt0PNLvHMtxXQPedCPw5xQBd2V
+WOsWPYspRAOSNbU1VloY+xUkUKorYTogKUY1q+uh2gDIEazW0uZZaQvWPp8xdxWq
+Dh96n5US06lszEc+Lj3dqdxWkXRRqEbjhBFh/utXaeyeSOtaX65GwD5svDHnJBcl
+AGkzeRIXqxmYG+I2zMm/JYGzEnbwToyC7yF6Q8cQxOr37hEpqz+WN/x3qM2qyBLE
+CQFjmlJrvRLkSL15PCZiu+xFNFd/zx6btDun5DBlfDS9DG+SHCNH6Nq+NfP+ZQ8C
+GzP/3TaZPzMlKPDCjp0XOQfyQqFIXdwjPFTWjEusDBlm4qJAlQ==
+-----END CERTIFICATE-----
diff --git a/docker/login.ligo.org.cert.LIGOCA.pem b/docker/login.ligo.org.cert.LIGOCA.pem
new file mode 100644
index 0000000000000000000000000000000000000000..38fe88b7eeb071ad0958dc468a66d04033f37c2b
--- /dev/null
+++ b/docker/login.ligo.org.cert.LIGOCA.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 40 (0x28)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: DC=org, DC=ligo, O=LIGO, OU=Certificate Authorities, OU=Web Services, CN=LIGO CA 1
+ Validity
+ Not Before: Dec 20 19:42:07 2010 GMT
+ Not After : Dec 19 19:42:07 2020 GMT
+ Subject: DC=org, DC=ligo, O=LIGO, OU=Web Services, CN=login.ligo.org
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:dc:4c:a7:a0:cd:c3:7e:af:94:57:cc:c6:e7:fe:
+ 3d:0b:e2:28:f2:b6:39:fd:0e:46:d8:a9:4a:39:8e:
+ bb:f3:47:e1:3b:0d:4b:a4:9c:72:a8:16:29:d9:ba:
+ ef:75:71:8d:4b:36:b2:68:0e:94:b8:20:dc:b1:d3:
+ 3c:f4:a5:c5:f4:76:1c:f1:59:34:7d:5a:cc:14:41:
+ 89:7a:e3:27:8e:4f:7c:d1:e8:a2:52:d0:4e:a0:97:
+ 6d:46:bf:7b:44:99:40:1a:5f:3d:40:1b:54:a7:27:
+ f4:38:cb:f0:e4:b7:9d:d2:28:b6:3b:b3:ce:f5:ba:
+ fb:e8:3e:16:62:0f:c3:de:da:f5:a7:b3:29:85:7a:
+ de:74:00:4d:37:76:71:d5:6c:ed:fb:15:5f:ad:50:
+ da:25:28:d8:cf:f1:b0:5a:9b:e2:82:72:32:42:fe:
+ 36:84:b4:de:7f:67:14:45:c1:7e:e3:2b:5c:0c:ae:
+ bb:36:1f:b3:01:03:df:8a:8c:10:36:ea:2a:2c:54:
+ f0:fd:6b:13:20:f7:20:aa:35:c8:bf:6b:5b:7a:ca:
+ 31:be:b1:5f:1d:13:c5:5c:7d:ab:1b:e7:c3:a1:9b:
+ 1b:74:75:8e:cf:ec:61:c3:95:84:2f:23:0e:35:76:
+ ef:ef:bc:d6:ab:30:3d:c2:de:1d:21:ec:f1:43:2c:
+ 24:c5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment, Data Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Certificate Policies:
+ Policy: 1.3.6.1.4.1.32070.2.1.2.1
+
+ X509v3 CRL Distribution Points:
+ URI:http://ca.ligo.org/541404c3/541404c3.crl
+
+ X509v3 Authority Key Identifier:
+ keyid:52:6E:DD:7B:AA:6F:85:5C:08:22:D3:97:9F:AD:7F:23:56:1E:6A:D1
+
+ X509v3 Subject Alternative Name:
+ DNS:login.ligo.org:scott.koranda@ligo.org
+ Signature Algorithm: sha1WithRSAEncryption
+ 1e:4b:cb:44:4c:35:7e:0b:19:85:07:b2:82:10:50:04:84:80:
+ c2:84:8d:ab:0d:5c:fb:b8:68:c6:0d:b9:83:a4:02:be:8e:0a:
+ 4b:e6:da:45:f2:19:d0:69:da:d0:c5:e7:30:46:03:05:43:e1:
+ 84:94:92:f9:03:d0:dd:31:ec:18:ad:c9:77:3a:14:8e:12:9f:
+ 2a:ab:1a:5f:8a:eb:3d:ac:9d:c8:ce:74:e2:72:0c:de:1c:6d:
+ 54:67:2d:b9:c9:ac:4d:c1:96:1c:00:92:ac:89:d9:81:c8:83:
+ 9a:73:75:14:91:cf:9b:4f:bf:a3:41:2e:36:42:e6:ec:11:bc:
+ 5c:07:0c:43:ad:bb:9e:fa:b4:1d:0f:d5:f9:00:70:78:e4:be:
+ dc:3d:84:fe:fa:17:43:c1:d6:01:7e:8f:0b:b7:9a:08:ff:0c:
+ be:cf:d0:cd:a4:1e:77:b9:86:80:e2:b1:e2:1c:9a:68:97:a3:
+ 96:06:06:59:19:ad:ca:17:8f:50:f1:44:fa:69:bf:04:06:9b:
+ f3:2c:24:75:c4:79:69:9a:dc:be:3e:25:8e:83:a6:b8:75:91:
+ 9b:86:5f:85:9b:ae:d9:1d:07:97:ec:b1:08:51:93:53:7a:f1:
+ 64:e3:5d:a1:73:e1:95:42:e2:b2:38:7b:d5:56:f4:f2:15:84:
+ d9:e8:72:98
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAz+gAwIBAgIBKDANBgkqhkiG9w0BAQUFADCBhzETMBEGCgmSJomT8ixk
+ARkWA29yZzEUMBIGCgmSJomT8ixkARkWBGxpZ28xDTALBgNVBAoTBExJR08xIDAe
+BgNVBAsTF0NlcnRpZmljYXRlIEF1dGhvcml0aWVzMRUwEwYDVQQLEwxXZWIgU2Vy
+dmljZXMxEjAQBgNVBAMTCUxJR08gQ0EgMTAeFw0xMDEyMjAxOTQyMDdaFw0yMDEy
+MTkxOTQyMDdaMGoxEzARBgoJkiaJk/IsZAEZFgNvcmcxFDASBgoJkiaJk/IsZAEZ
+FgRsaWdvMQ0wCwYDVQQKEwRMSUdPMRUwEwYDVQQLEwxXZWIgU2VydmljZXMxFzAV
+BgNVBAMTDmxvZ2luLmxpZ28ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA3EynoM3Dfq+UV8zG5/49C+Io8rY5/Q5G2KlKOY6780fhOw1LpJxyqBYp
+2brvdXGNSzayaA6UuCDcsdM89KXF9HYc8Vk0fVrMFEGJeuMnjk980eiiUtBOoJdt
+Rr97RJlAGl89QBtUpyf0OMvw5Led0ii2O7PO9br76D4WYg/D3tr1p7MphXredABN
+N3Zx1Wzt+xVfrVDaJSjYz/GwWpvignIyQv42hLTef2cURcF+4ytcDK67Nh+zAQPf
+iowQNuoqLFTw/WsTIPcgqjXIv2tbesoxvrFfHRPFXH2rG+fDoZsbdHWOz+xhw5WE
+LyMONXbv77zWqzA9wt4dIezxQywkxQIDAQABo4HpMIHmMAwGA1UdEwEB/wQCMAAw
+DgYDVR0PAQH/BAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAZ
+BgNVHSAEEjAQMA4GDCsGAQQBgfpGAgECATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
+Oi8vY2EubGlnby5vcmcvNTQxNDA0YzMvNTQxNDA0YzMuY3JsMB8GA1UdIwQYMBaA
+FFJu3Xuqb4VcCCLTl5+tfyNWHmrRMDAGA1UdEQQpMCeCJWxvZ2luLmxpZ28ub3Jn
+OnNjb3R0LmtvcmFuZGFAbGlnby5vcmcwDQYJKoZIhvcNAQEFBQADggEBAB5Ly0RM
+NX4LGYUHsoIQUASEgMKEjasNXPu4aMYNuYOkAr6OCkvm2kXyGdBp2tDF5zBGAwVD
+4YSUkvkD0N0x7BityXc6FI4SnyqrGl+K6z2sncjOdOJyDN4cbVRnLbnJrE3BlhwA
+kqyJ2YHIg5pzdRSRz5tPv6NBLjZC5uwRvFwHDEOtu576tB0P1fkAcHjkvtw9hP76
+F0PB1gF+jwu3mgj/DL7P0M2kHne5hoDiseIcmmiXo5YGBlkZrcoXj1DxRPppvwQG
+m/MsJHXEeWma3L4+JY6Dprh1kZuGX4WbrtkdB5fssQhRk1N68WTjXaFz4ZVC4rI4
+e9VW9PIVhNnocpg=
+-----END CERTIFICATE-----