Merged
Changes from 3 commits
47 changes: 47 additions & 0 deletions docs/setup/sso.md
Expand Up @@ -601,3 +601,50 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
"id_token_signed_response_alg": "RS256"
}
```


### Shibboleth

[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).

These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.

Register MAS as a relying party in Shibboleth:

1. Add a metadata file to `%{idp.home}/metadata/` (see the [Shibboleth documentation](https://shibboleth.atlassian.net/wiki/spaces/SC/pages/1912406916/OAuthRPMetadataProfile) for the template).

Adjust the following in the metadata file:
- Client ID: `entityID="<client-id>"`
- Client Secret: `<oidcmd:ClientSecret><client-secret></oidcmd:ClientSecret>`
- Redirect URI: `Location="https://<auth-service-domain>/upstream/callback/<id>"`
- Scope: `scopes="openid profile email"`

2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.

Authentication service configuration:

```yaml
upstream_oauth2:
providers:
- id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
human_name: Shibboleth
issuer: "https://<shibboleth-domain>/" # TO BE FILLED
client_id: "<client-id>" # TO BE FILLED
client_secret: "<client-secret>" # TO BE FILLED
token_endpoint_auth_method: client_secret_basic
scope: "openid profile email"
discovery_mode: insecure
fetch_userinfo: true
claims_imports:
localpart:
action: require
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```
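Review bot: `discovery_mode: insecure` in the provider block relaxes the validation MAS applies to the provider's discovery document (notably the issuer check), and the section gives no reason for it; either explain why Shibboleth needs it (for instance that the issuer it advertises does not match `issuer: "https://<shibboleth-domain>/"` exactly, trailing slash included) or drop the line, keep the default strict mode, and tell readers to set `issuer` to the exact value the IdP advertises. Two smaller documentation gaps in the same hunk: the `<id>` in `Location="https://<auth-service-domain>/upstream/callback/<id>"` has to be the provider `id` from the YAML (`01JB6YS8N7Q2ZM9CPXW6V0KGRT` in this example) and the text never says so, and `set_email_verification: always` marks whatever address the IdP supplies as verified, which is worth a sentence saying it is appropriate only because the institution's Shibboleth IdP is authoritative for its users' email addresses.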