Merged
9 changes: 0 additions & 9 deletions docs/reference/configuration.md
@@ -794,15 +794,6 @@ upstream_oauth2:
#action: suggest
#template: "{{ user.email }}"

# Whether the email address must be marked as verified.
# Possible values are:
# - `import`: mark the email address as verified if the upstream provider
# has marked it as verified, using the `email_verified` claim.
# This is the default.
# - `always`: mark the email address as verified
# - `never`: mark the email address as not verified
#set_email_verification: import

# An account name, for display purposes only
# This helps end user identify what account they are using
account_name:
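Review bot: the `set_email_verification` documentation is dropped here with no replacement text, so the reference no longer says how an imported email's verified status is decided, nor what happens to existing configurations that still set `set_email_verification` (previously `import`, `always` or `never`). Suggest keeping a short note at this spot, e.g. "`set_email_verification` has been removed; a value here is ignored/rejected" followed by one sentence describing how verification is now determined, so admins upgrading from `always` are not left guessing.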
72 changes: 67 additions & 5 deletions docs/setup/sso.md
@@ -213,7 +213,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```


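Review bot: removing `set_email_verification: always` leaves `email` at `action: suggest` with nothing in the surrounding text stating whether that address is now treated as verified or has to be confirmed at registration. Suggest one sentence after this block (and after the matching blocks for the other providers further down in this file) describing the new behaviour, since anyone who copied `always` from the old version of these examples will see a change.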
@@ -250,7 +249,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```


@@ -291,7 +289,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
account_name:
template: "{{ user.name }}"
```
@@ -462,7 +459,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```


@@ -499,7 +495,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
account_name:
template: "{{ user.preferred_username }}"
```
@@ -601,3 +596,70 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
"id_token_signed_response_alg": "RS256"
}
```


### Shibboleth

[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).

These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.

Register MAS as a relying party in Shibboleth:

1. Add a metadata file (e.g. `mas-metadata.xml`) to `%{idp.home}/metadata/` with the following content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
entityID="<client-id>">
<Extensions>
<oidcmd:ClientInformation>
<oidcmd:ClientSecret><client-secret></oidcmd:ClientSecret>
</oidcmd:ClientInformation>
</Extensions>
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<oidcmd:OIDCClientInformation scopes="openid profile email"
token_endpoint_auth_method="client_secret_basic">
<oidcmd:GrantType>authorization_code</oidcmd:GrantType>
<oidcmd:ResponseType>code</oidcmd:ResponseType>
</oidcmd:OIDCClientInformation>
</Extensions>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://<auth-service-domain>/upstream/callback/<id>"
index="1"/>
</SPSSODescriptor>
</EntityDescriptor>
```

Replace `<client-id>`, `<client-secret>`, `<auth-service-domain>`, and `<id>` with your values.

2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.

Authentication service configuration:

```yaml
upstream_oauth2:
providers:
- id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
human_name: Shibboleth
issuer: "https://<shibboleth-domain>/" # TO BE FILLED
client_id: "<client-id>" # TO BE FILLED
client_secret: "<client-secret>" # TO BE FILLED
token_endpoint_auth_method: client_secret_basic
scope: "openid profile email"
discovery_mode: insecure
fetch_userinfo: true
claims_imports:
localpart:
action: require
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: suggest
template: "{{ user.email }}"
```
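Review bot: `discovery_mode: insecure` is set in the Shibboleth example without any explanation of why this provider needs it or which validation it relaxes; the `issuer`, `client_id` and `client_secret` lines carry `# TO BE FILLED` comments, but this security-relevant setting gets none. Suggest either a comment or a sentence after the block explaining the reason, or dropping the line so the default discovery mode applies if Shibboleth's discovery document validates normally. Relatedly, the `issuer` placeholder is written as `"https://<shibboleth-domain>/"` with a trailing slash; worth noting that it must match the IdP's issuer value exactly, since a slash mismatch is a frequent cause of discovery failures.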