Description
Is your feature request related to a problem? Please describe.
Many universities use Shibboleth as an SSO provider. It's based on SAML but also supports OIDC via a plugin.
Currently there is no sample configuration on how to configure it as an upstream SSO provider with MAS.
We have a working config and suggest adding it to the mentioned sample page to help out other Matrix/Shibboleth admins.
Describe the solution you'd like
I'm suggesting the following doc (might not be universally applicable exactly this way, but this is working for us; feel free to adjust...):

Assuming you have a running Shibboleth instance with the OIDC plugin configured (out of scope of this doc).

- Register MAS as a relying party in Shibboleth. Adjust the following in the metadata file:
  - Client ID -> `entityID="<client-id>"`
  - Client Secret -> `<oidcmd:ClientSecret><my-client-secret></oidcmd:ClientSecret>`
  - Redirect URI -> `Location="https://<mas-fqdn>/upstream/callback/<id>"`
  - Scope -> `scopes="openid profile email"`
- Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
Authentication service configuration:
```yaml
upstream_oauth2:
  providers:
    - id: "<id>"  # same as in Shibboleth metadata file (it is the last path segment of the redirect URI)
      issuer: "https://<shibboleth-fqdn>/"
      human_name: "Shibboleth Login"
      token_endpoint_auth_method: "client_secret_basic"
      client_id: "<client-id>"  # same as in Shibboleth metadata file
      client_secret: "<my-client-secret>"  # same as in Shibboleth metadata file
      scope: "openid profile email"
      fetch_userinfo: true
      userinfo_endpoint: "https://<shibboleth-fqdn>/idp/profile/oidc/userinfo"  # check URL in https://<shibboleth-fqdn>/.well-known/openid-configuration
      # "insecure" still uses OIDC discovery but does not require the advertised
      # issuer to match the "issuer" value above; the default "oidc" mode does.
      discovery_mode: insecure
      claims_imports:
        subject:
          template: "{{ user.sub }}"
        localpart:
          action: require
          template: "{{ user.preferred_username }}"
          on_conflict: add
        displayname:
          action: suggest
          template: "{{ user.name }}"
        email:
          action: suggest
          template: "{{ user.email }}"
          set_email_verification: always
```
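The config above sets `discovery_mode: insecure` and hard-codes `userinfo_endpoint` with a note to check it against the IdP's discovery document. The following is an added example, not code from the MAS project or from the issue author, that does that cross-check offline: it compares one `upstream_oauth2.providers` entry against the JSON served at `/.well-known/openid-configuration` and reports where they disagree (issuer string, userinfo endpoint, requested scopes, token endpoint auth method, and claims referenced in `claims_imports` templates). Both the discovery document and the provider entry are constructed sample data; the hostname `idp.example.edu`, the provider ULID and the trailing-slash mismatch on `issuer` are assumptions chosen to show the kind of difference that forces `insecure` mode, since OIDC Discovery requires the issuer to match as an exact string.

```python
"""Cross-check an MAS upstream_oauth2 provider entry against the IdP's
OpenID Connect discovery document. Added example; not MAS project code."""

import json
import re

# Constructed stand-in for https://<shibboleth-fqdn>/.well-known/openid-configuration.
# The advertised issuer deliberately has no trailing slash.
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://idp.example.edu",
  "authorization_endpoint": "https://idp.example.edu/idp/profile/oidc/authorize",
  "token_endpoint": "https://idp.example.edu/idp/profile/oidc/token",
  "userinfo_endpoint": "https://idp.example.edu/idp/profile/oidc/userinfo",
  "jwks_uri": "https://idp.example.edu/idp/profile/oidc/keyset",
  "scopes_supported": ["openid", "profile", "email", "address", "phone"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
  "claims_supported": ["sub", "name", "preferred_username", "email"]
}""")

# Constructed stand-in for one upstream_oauth2.providers entry (values assumed).
PROVIDER = {
    "id": "01HFRQFT5QFMJFGF01P7JAV2ME",
    "issuer": "https://idp.example.edu/",
    "token_endpoint_auth_method": "client_secret_basic",
    "scope": "openid profile email",
    "fetch_userinfo": True,
    "userinfo_endpoint": "https://idp.example.edu/idp/profile/oidc/userinfo",
    "discovery_mode": "insecure",
    "claims_imports": {
        "subject": {"template": "{{ user.sub }}"},
        "localpart": {"action": "require", "template": "{{ user.preferred_username }}"},
        "displayname": {"action": "suggest", "template": "{{ user.name }}"},
        "email": {"action": "suggest", "template": "{{ user.email }}"},
    },
}

# Extracts the claim name from templates of the form "{{ user.<claim> }}".
CLAIM_RE = re.compile(r"\{\{\s*user\.([A-Za-z0-9_]+)\s*\}\}")


def check_provider(provider, discovery):
    """Return a list of findings; an empty list means config and discovery agree."""
    findings = []

    # 1. Issuer: discovery requires an exact string match, so a trailing slash is enough
    #    to break strict validation and push people towards discovery_mode: insecure.
    configured, advertised = provider["issuer"], discovery["issuer"]
    if configured != advertised:
        if configured.rstrip("/") == advertised.rstrip("/"):
            findings.append(
                f"issuer differs only by trailing slash ({configured!r} vs {advertised!r}); "
                "use the advertised value so discovery_mode can stay at the strict default"
            )
        else:
            findings.append(f"issuer mismatch: configured {configured!r}, advertised {advertised!r}")
    elif provider.get("discovery_mode") == "insecure":
        findings.append("discovery_mode: insecure is set although the issuer matches; strict mode would work")

    # 2. Userinfo endpoint only matters when fetch_userinfo is enabled.
    if provider.get("fetch_userinfo"):
        configured_ue = provider.get("userinfo_endpoint")
        advertised_ue = discovery.get("userinfo_endpoint")
        if configured_ue and configured_ue != advertised_ue:
            findings.append(f"userinfo_endpoint mismatch: configured {configured_ue!r}, advertised {advertised_ue!r}")

    # 3. Every requested scope should be advertised by the IdP.
    supported_scopes = set(discovery.get("scopes_supported", []))
    for scope in provider["scope"].split():
        if scope not in supported_scopes:
            findings.append(f"scope {scope!r} is not in scopes_supported")

    # 4. The client authentication method must be one the token endpoint accepts.
    method = provider["token_endpoint_auth_method"]
    if method not in discovery.get("token_endpoint_auth_methods_supported", []):
        findings.append(f"token_endpoint_auth_method {method!r} not supported by the IdP")

    # 5. Claims used in import templates should be advertised (claims_supported is
    #    optional in discovery, so this check is skipped when it is absent).
    supported_claims = set(discovery.get("claims_supported", []))
    if supported_claims:
        for name, imp in provider["claims_imports"].items():
            for claim in CLAIM_RE.findall(imp.get("template", "")):
                if claim not in supported_claims:
                    findings.append(f"claims_imports.{name} uses claim {claim!r} not in claims_supported")

    return findings


if __name__ == "__main__":
    for line in check_provider(PROVIDER, DISCOVERY_DOC) or ["no findings"]:
        print(line)
```

Run against the constructed data it reports a single finding, the trailing-slash issuer mismatch; fixing `issuer` to the advertised string and switching back to `discovery_mode: oidc` yields no findings. In a real deployment you would replace `DISCOVERY_DOC` with the JSON fetched from the IdP and `PROVIDER` with the entry loaded from your MAS config.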