diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index f614791dd..58637f2d8 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -794,15 +794,6 @@ upstream_oauth2:
#action: suggest
#template: "{{ user.email }}"
- # Whether the email address must be marked as verified.
- # Possible values are:
- # - `import`: mark the email address as verified if the upstream provider
- # has marked it as verified, using the `email_verified` claim.
- # This is the default.
- # - `always`: mark the email address as verified
- # - `never`: mark the email address as not verified
- #set_email_verification: import
-
# An account name, for display purposes only
# This helps end user identify what account they are using
account_name:
diff --git a/docs/setup/sso.md b/docs/setup/sso.md
index 3442d06bd..3b1d624e4 100644
--- a/docs/setup/sso.md
+++ b/docs/setup/sso.md
@@ -213,7 +213,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
```
@@ -250,7 +249,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
```
@@ -291,7 +289,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
account_name:
template: "{{ user.name }}"
```
@@ -462,7 +459,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
```
@@ -499,7 +495,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
account_name:
template: "{{ user.preferred_username }}"
```
@@ -601,3 +596,70 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
"id_token_signed_response_alg": "RS256"
}
```
+
+
+### Shibboleth
+
+[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
+It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).
+
+These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.
+
+Register MAS as a relying party in Shibboleth:
+
+1. Add a metadata file (e.g. `mas-metadata.xml`) to `%{idp.home}/metadata/` with the following content:
+
+ ```xml
+
+
+
+
+
+
+
+
+
+
+ authorization_code
+ code
+
+
+
+
+
+ ```
+
+ Replace ``, ``, ``, and `` with your values.
+
+2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
+
+Authentication service configuration:
+
+```yaml
+upstream_oauth2:
+ providers:
+ - id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
+ human_name: Shibboleth
+ issuer: "https:///" # TO BE FILLED
+ client_id: "" # TO BE FILLED
+ client_secret: "" # TO BE FILLED
+ token_endpoint_auth_method: client_secret_basic
+ scope: "openid profile email"
+ discovery_mode: insecure
+ fetch_userinfo: true
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ user.preferred_username }}"
+ displayname:
+ action: suggest
+ template: "{{ user.name }}"
+ email:
+ action: suggest
+ template: "{{ user.email }}"
+```
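Review bot: `discovery_mode: insecure` in the Shibboleth example is presented without any comment on what it relaxes or why this provider needs it, so readers will copy a weakened setting into production by default. As far as I recall the `insecure` mode keeps OIDC discovery but skips the strict metadata validation that the default mode applies; please either justify it in a trailing comment or drop it to the default. Suggested line: `discovery_mode: insecure # relaxes discovery metadata validation; use the default unless Shibboleth's discovery document fails validation`. The same reasoning applies to documenting why `fetch_userinfo: true` is needed here when the other provider examples do not set it.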