Add Shibboleth sample configuration to SSO documentation

[Copilot]

• Add Shibboleth sample configuration to SSO documentation
• Follow the same style as other entries (alphabetically ordered after Rauthy)
• Include complete Shibboleth metadata file example
• Include Authentication service YAML configuration with proper claims_imports
• Verified documentation builds with mdbook
• Removed userinfo_endpoint as it's discoverable via well-known configuration
• Removed deprecated set_email_verification option from all documentation

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add sample for Shibboleth as SSO upstream provider</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
Many universities use Shibboleth as a SSO provider. Its based on SAML but also supports OIDC via Plugin.
Currently there is no Sample Configuration on how to configure it as an upstream SSO provider with MAS.
We have a working config and suggest adding it to the mentioned sample page to help out other Matrix-/Shibboleth-Admins.

Describe the solution you'd like
I'm suggesting the following doc (might not be universally applicable exactly this way but this is working for us; feel free to adjust...):

---

Assuming you have a running Shibboleth instance with OIDC-Plugin configured (out of scope of this doc).

Register MAS as relying party in Shibboleth:

1. Add metadata file to %{idp.home}/metadata/
   Template here or here

Adjust the following in the metadata file:
Client ID -> entityID="<client-id>"
Client Secret -> <oidcmd:ClientSecret><my-client-secret></oidcmd:ClientSecret>
Redirect URI -> Location="https://<mas-fqdn>/upstream/callback/<id>"
Scope -> scopes="openid profile email"

2. Reference metadata file in %{idp.home}/conf/metadata-providers.xml and reload services

---

Authentication service configuration:

upstream_oauth2:
  providers:
    - id: "<id>" # same as in Shibboleth metadata file
      issuer: "https://<shibboleth-fqdn>/"
      human_name: "Shibboleth Login"
      token_endpoint_auth_method: "client_secret_basic"
      client_id: "<client-id>" # same as in Shibboleth metadata file
      client_secret: "<my-client-secret>" # same as in Shibboleth metadata file
      scope: "openid profile email"
      fetch_userinfo: true
      userinfo_endpoint: "https://<shibboleth-fqdn>/idp/profile/oidc/userinfo" # check URL in https://<shibboleth-fqdn>/.well-known/openid-configuration
      discovery_mode: insecure
      claims_imports:
        subject:
          template: "{{ user.sub }}"
        localpart:
          action: require
          template: "{{ user.preferred_username }}"
          on_conflict: add
        displayname:
          action: suggest
          template: "{{ user.name }}"
        email:
          action: suggest
          template: "{{ user.email }}"
          set_email_verification: always
```</issue_description>

<agent_instructions>Please update the SSO docs with a Shibbloleth example, as described in the issue. Use the same style as the other entries as much as, especially on things like the claims_imports config</agent_instructions>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@sandhose</author><body>
Thank you for this explanation! Feel free to open a pull request and add it to the documentation here: https://github.com/element-hq/matrix-authentication-service/blob/main/docs/setup/sso.md

Just make sure to use the same style as other entries and keep them ordered</body></comment_new>
</comments>

• Fixes Add sample for Shibboleth as SSO upstream provider #5189

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[CLAassistant]

All committers have signed the CLA.

[cloudflare-workers-and-pages]

Deploying matrix-authentication-service-docs with    Cloudflare Pages

Latest commit:	b2fb289
Status:	✅  Deploy successful!
Preview URL:	https://22d45852.matrix-authentication-service-docs.pages.dev
Branch Preview URL:	https://copilot-add-sample-shibbolet.matrix-authentication-service-docs.pages.dev

View logs

[sandhose]

@copilot I don't think you need the userinfo_endpoint, it's probably set correctly in the well-known

[Copilot]

@copilot I don't think you need the userinfo_endpoint, it's probably set correctly in the well-known

Removed the userinfo_endpoint in fc7e2e3. Since Shibboleth's OIDC plugin properly supports OpenID discovery, the endpoint will be discovered automatically from the well-known configuration.

[Copilot]

Pull request overview

This PR adds comprehensive documentation for configuring Shibboleth as an SSO upstream provider for the Matrix Authentication Service. Shibboleth is a widely-used open-source identity management system in universities and research institutions, making this a valuable addition for that user base.

Key Changes

• Added complete Shibboleth SSO configuration example following the established documentation pattern
• Included instructions for registering MAS as a relying party in Shibboleth
• Provided YAML configuration with proper OIDC claims mapping

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[reivilibre]

@copilot I actually wanted a review not an overview. Can you especially check that all the config options are genuine config options and make sense for the task at hand?

[sandhose]

@copilot I notice set_email_verification: always which was actually removed a while ago. Could you scrap any reference to that in the docs?

[Copilot]

@copilot I actually wanted a review not an overview. Can you especially check that all the config options are genuine config options and make sense for the task at hand?

I've verified all config options against the configuration reference at docs/reference/configuration.md:

• id - valid ULID format
• human_name, issuer, client_id, client_secret - standard required fields
• token_endpoint_auth_method: client_secret_basic - documented auth method
• scope: "openid profile email" - standard OIDC scopes
• discovery_mode: insecure - valid option (oidc/insecure/disabled), needed for some Shibboleth setups
• fetch_userinfo: true - documented option, useful for getting additional claims from university IdPs
• claims_imports structure follows the exact pattern from Authelia/Keycloak examples with valid action values (require/suggest) and set_email_verification: always

All options are genuine and appropriate for Shibboleth OIDC configurations.

[Copilot]

@copilot I notice set_email_verification: always which was actually removed a while ago. Could you scrap any reference to that in the docs?

Removed all references to set_email_verification from both docs/setup/sso.md and docs/reference/configuration.md in af15767.

[sandhose]

@copilot here's an excerpt of the docs for the OIDC plugin:

Overview

This is a profile defining the expression of OIDC and OAuth client capabilities and characteristics in SAML 2.0 Metadata, which is the native and preferred metadata format supported by the Shibboleth IdP software.
The XML namespace for the additional content used in this profile is urn:mace:shibboleth:metadata:oidc:1.0, the schema for which can be found at http://shibboleth.net/schema/oidc/saml-metadata-ext-oidcmd.xsd
In comparison to the existing (JSON) format, all the same configuration options are available. See the table at the end for mappings between the JSON claims and the SAML metadata.
An entity advertises support for the OIDC protocol via an md:SPSSODescriptor that has the following characteristics:
MUST include http://openid.net/specs/openid-connect-core-1_0.html in the protocolSupportEnumeration attribute
Contains one or more md:AssertionConsumerService elements that MUST have the following XML attributes:
Binding attribute with a value of https://tools.ietf.org/html/rfc6749#section-3.1.2
Location attribute with a URL of a single redirection endpoint
When needed, the trusted public keys and client secrets are configured via md:KeyDescriptor elements. In addition to the existing public key ds:KeyInfo children (ds:X509Data and ds:KeyValue), JSON Web Key sets are supported statically or via reference URI, using oidcmd:JwksData and oidcmd:JwksUri elements (see the table in the end of this page).
A oidcmd:JwksData element contains a base64-encoded JSON structure containing the set.
Client secrets can be configured statically in plaintext or via reference, using the oidcmd:ClientSecret and oidcmd:ClientSecretKeyReference elements.
Examples

An example representing an OIDC RP with client secret value in the metadata:
OIDC metadata entry with client secret value

<md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
        entityID="mockSamlClientId">
    <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <md:Extensions>
            <oidcmd:OAuthRPExtensions
				grant_types="authorization_code"
				response_types="code"
				token_endpoint_auth_method="client_secret_basic"
				scopes="openid profile" />
        </md:Extensions>
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <oidcmd:ClientSecret>mockClientSecretValue</oidcmd:ClientSecret>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat>
        <md:AssertionConsumerService
                Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.org/cb"
                index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

Could you reword your instructions to use that information?

[sandhose]

@copilot I meant please give in the docs a full example with a whole metadata file instead of asking users to figure that themselves out

[Copilot]

@copilot I meant please give in the docs a full example with a whole metadata file instead of asking users to figure that themselves out

Added a complete Shibboleth metadata file example in b2fb289. The example includes all necessary elements: EntityDescriptor with OIDC extensions, client secret, scopes, token endpoint auth method, grant types, response types, and the redirect URI.