From 275a374d5aba62138be6b541c82e302b4dca2c9d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 27 Nov 2025 15:26:55 +0000 Subject: [PATCH 1/5] Initial plan From 0d10e148a7e051466f5ae0f23ecf639ecb81473c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 27 Nov 2025 15:31:20 +0000 Subject: [PATCH 2/5] Add Shibboleth sample configuration to SSO documentation Co-authored-by: sandhose <1549952+sandhose@users.noreply.github.com> --- docs/setup/sso.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/docs/setup/sso.md b/docs/setup/sso.md index 3442d06bd..1d993242d 100644 --- a/docs/setup/sso.md +++ b/docs/setup/sso.md 
@@ -601,3 +601,51 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
 "id_token_signed_response_alg": "RS256"
 }
 ```
+
+
+### Shibboleth
+
+[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
+It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).
+
+These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.
+
+Register MAS as a relying party in Shibboleth:
+
+1. Add a metadata file to `%{idp.home}/metadata/` (see the [Shibboleth documentation](https://shibboleth.atlassian.net/wiki/spaces/SC/pages/1912406916/OAuthRPMetadataProfile) for the template).
+
+ Adjust the following in the metadata file:
+ - Client ID: `entityID=""`
+ - Client Secret: ``
+ - Redirect URI: `Location="https:///upstream/callback/"`
+ - Scope: `scopes="openid profile email"`
+
+2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
+
+Authentication service configuration:
+
+```yaml
+upstream_oauth2:
+ providers:
+ - id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
+ human_name: Shibboleth
+ issuer: "https:///" # TO BE FILLED
+ client_id: "" # TO BE FILLED
+ client_secret: "" # TO BE FILLED
+ token_endpoint_auth_method: client_secret_basic
+ scope: "openid profile email"
+ discovery_mode: insecure
+ fetch_userinfo: true
+ userinfo_endpoint: "https:///idp/profile/oidc/userinfo" # TO BE FILLED, check your /.well-known/openid-configuration
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ user.preferred_username }}"
+ displayname:
+ action: suggest
+ template: "{{ user.name }}"
+ email:
+ action: suggest
+ template: "{{ user.email }}"
+ set_email_verification: always
+```
From fc7e2e3f5779f63a04458f5b55ebb26aba3c125d Mon Sep 17 00:00:00 2001
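Review bot: The Shibboleth sample sets `discovery_mode: insecure` with no explanation, while every other value the operator must think about in that block carries a `# TO BE FILLED` hint. As I understand this option, `insecure` relaxes the check that the issuer reported by the provider's discovery document matches the configured `issuer`, so anyone copying the sample gives up that protection silently; presumably it is needed because a Shibboleth IdP's issuer identifier does not match the path its discovery document is served from, and the text should say so rather than leave it as an unexplained default. Suggest an inline comment such as `discovery_mode: insecure # Shibboleth may report an issuer that differs from its discovery URL; try the default mode first and keep this only if discovery fails`, or one sentence before the block stating the trade-off so operators can decide whether it applies to their deployment.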
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 27 Nov 2025 15:38:21 +0000 Subject: [PATCH 3/5] Remove unnecessary userinfo_endpoint from Shibboleth config Co-authored-by: sandhose <1549952+sandhose@users.noreply.github.com> --- docs/setup/sso.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/setup/sso.md b/docs/setup/sso.md index 1d993242d..ba1474f50 100644 --- a/docs/setup/sso.md +++ b/docs/setup/sso.md @@ -636,7 +636,6 @@ upstream_oauth2: scope: "openid profile email" discovery_mode: insecure fetch_userinfo: true - userinfo_endpoint: "https:///idp/profile/oidc/userinfo" # TO BE FILLED, check your /.well-known/openid-configuration claims_imports: localpart: action: require From af157671354e17fa00c28aeed33b084e6416af3a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 27 Nov 2025 15:47:37 +0000 Subject: [PATCH 4/5] Remove deprecated set_email_verification option from docs Co-authored-by: sandhose <1549952+sandhose@users.noreply.github.com> --- docs/reference/configuration.md | 9 --------- docs/setup/sso.md | 6 ------ 2 files changed, 15 deletions(-) diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md index f614791dd..58637f2d8 100644 --- a/docs/reference/configuration.md +++ b/docs/reference/configuration.md @@ -794,15 +794,6 @@ upstream_oauth2: #action: suggest #template: "{{ user.email }}" - # Whether the email address must be marked as verified. - # Possible values are: - # - `import`: mark the email address as verified if the upstream provider - # has marked it as verified, using the `email_verified` claim. - # This is the default. - # - `always`: mark the email address as verified - # - `never`: mark the email address as not verified - #set_email_verification: import - # An account name, for display purposes only # This helps end user identify what account they are using account_name: 
diff --git a/docs/setup/sso.md b/docs/setup/sso.md index ba1474f50..02a1a71af 100644 --- a/docs/setup/sso.md +++ b/docs/setup/sso.md @@ -213,7 +213,6 @@ upstream_oauth2: email: action: suggest template: "{{ user.email }}" - set_email_verification: always ``` @@ -250,7 +249,6 @@ upstream_oauth2: email: action: suggest template: "{{ user.email }}" - set_email_verification: always ``` @@ -291,7 +289,6 @@ upstream_oauth2: email: action: suggest template: "{{ user.email }}" - set_email_verification: always account_name: template: "{{ user.name }}" ``` @@ -462,7 +459,6 @@ upstream_oauth2: email: action: suggest template: "{{ user.email }}" - set_email_verification: always ``` @@ -499,7 +495,6 @@ upstream_oauth2: email: action: suggest template: "{{ user.email }}" - set_email_verification: always account_name: template: "{{ user.preferred_username }}" ``` @@ -646,5 +641,4 @@ upstream_oauth2: email: action: suggest template: "{{ user.email }}" - set_email_verification: always ``` From b2fb289c37a6be767bd007970286d5be8943e8ac Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 27 Nov 2025 16:48:00 +0000 Subject: [PATCH 5/5] Add complete Shibboleth metadata file example Co-authored-by: sandhose <1549952+sandhose@users.noreply.github.com> --- docs/setup/sso.md | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/docs/setup/sso.md b/docs/setup/sso.md index 02a1a71af..3b1d624e4 100644 --- a/docs/setup/sso.md +++ b/docs/setup/sso.md 
@@ -607,13 +607,34 @@ These instructions assume you have a running Shibboleth instance with the OIDC p Register MAS as a relying party in Shibboleth: -1. Add a metadata file to `%{idp.home}/metadata/` (see the [Shibboleth documentation](https://shibboleth.atlassian.net/wiki/spaces/SC/pages/1912406916/OAuthRPMetadataProfile) for the template). - - Adjust the following in the metadata file: - - Client ID: `entityID=""` - - Client Secret: `` - - Redirect URI: `Location="https:///upstream/callback/"` - - Scope: `scopes="openid profile email"` +1. Add a metadata file (e.g. `mas-metadata.xml`) to `%{idp.home}/metadata/` with the following content: + + ```xml + + + + + + + + + + + authorization_code + code + + + + + + ``` + + Replace ``, ``, ``, and `` with your values. 2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.