Skip to content

Add Shibboleth sample configuration to SSO documentation #5294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sandhose merged 5 commits into from
Nov 27, 2025
Merged

Add Shibboleth sample configuration to SSO documentation #5294

sandhose merged 5 commits into from
Nov 27, 2025
+67 −14

Conversation

Copy link
Contributor

Copilot AI commented Nov 27, 2025
edited
Loading

  • Add Shibboleth sample configuration to SSO documentation
  • Follow the same style as other entries (alphabetically ordered after Rauthy)
  • Include complete Shibboleth metadata file example
  • Include Authentication service YAML configuration with proper claims_imports
  • Verified documentation builds with mdbook
  • Removed userinfo_endpoint as it's discoverable via well-known configuration
  • Removed deprecated set_email_verification option from all documentation
Original prompt

This section details on the original issue you should resolve

<issue_title>Add sample for Shibboleth as SSO upstream provider</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
Many universities use Shibboleth as a SSO provider. Its based on SAML but also supports OIDC via Plugin.
Currently there is no Sample Configuration on how to configure it as an upstream SSO provider with MAS.
We have a working config and suggest adding it to the mentioned sample page to help out other Matrix-/Shibboleth-Admins.

Describe the solution you'd like
I'm suggesting the following doc (might not be universally applicable exactly this way but this is working for us; feel free to adjust...):

Assuming you have a running Shibboleth instance with OIDC-Plugin configured (out of scope of this doc).

Register MAS as relying party in Shibboleth:

  1. Add metadata file to %{idp.home}/metadata/
    Template here or here

Adjust the following in the metadata file:
Client ID -> entityID="<client-id>"
Client Secret -> <oidcmd:ClientSecret><my-client-secret></oidcmd:ClientSecret>
Redirect URI -> Location="https://<mas-fqdn>/upstream/callback/<id>"
Scope -> scopes="openid profile email"

  1. Reference metadata file in %{idp.home}/conf/metadata-providers.xml and reload services

Authentication service configuration:

upstream_oauth2:
  providers:
    - id: "<id>" # same as in Shibboleth metadata file
      issuer: "https://<shibboleth-fqdn>/"
      human_name: "Shibboleth Login"
      token_endpoint_auth_method: "client_secret_basic"
      client_id: "<client-id>" # same as in Shibboleth metadata file
      client_secret: "<my-client-secret>" # same as in Shibboleth metadata file
      scope: "openid profile email"
      fetch_userinfo: true
      userinfo_endpoint: "https://<shibboleth-fqdn>/idp/profile/oidc/userinfo" # check URL in https://<shibboleth-fqdn>/.well-known/openid-configuration
      discovery_mode: insecure
      claims_imports:
        subject:
          template: "{{ user.sub }}"
        localpart:
          action: require
          template: "{{ user.preferred_username }}"
          on_conflict: add
        displayname:
          action: suggest
          template: "{{ user.name }}"
        email:
          action: suggest
          template: "{{ user.email }}"
          set_email_verification: always
```</issue_description>

<agent_instructions>Please update the SSO docs with a Shibbloleth example, as described in the issue. Use the same style as the other entries as much as, especially on things like the claims_imports config</agent_instructions>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@sandhose</author><body>
Thank you for this explanation! Feel free to open a pull request and add it to the documentation here: https://github.com/element-hq/matrix-authentication-service/blob/main/docs/setup/sso.md

Just make sure to use the same style as other entries and keep them ordered</body></comment_new>
</comments>

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@CLAassistant
Copy link

CLAassistant commented Nov 27, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Nov 27, 2025
edited
Loading

Deploying matrix-authentication-service-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: b2fb289
Status: ✅  Deploy successful!
Preview URL: https://22d45852.matrix-authentication-service-docs.pages.dev
Branch Preview URL: https://copilot-add-sample-shibbolet.matrix-authentication-service-docs.pages.dev

View logs

Copilot AI changed the title [WIP] Add sample configuration for Shibboleth SSO provider Add Shibboleth sample configuration to SSO documentation Nov 27, 2025
Copilot AI requested a review from sandhose November 27, 2025 15:33
Copilot finished work on behalf of sandhose November 27, 2025 15:33
@sandhose
Copy link
Member

sandhose commented Nov 27, 2025

@copilot I don't think you need the userinfo_endpoint, it's probably set correctly in the well-known

Copy link
Contributor Author

Copilot AI commented Nov 27, 2025

@copilot I don't think you need the userinfo_endpoint, it's probably set correctly in the well-known

Removed the userinfo_endpoint in fc7e2e3. Since Shibboleth's OIDC plugin properly supports OpenID discovery, the endpoint will be discovered automatically from the well-known configuration.

@reivilibre reivilibre requested a review from Copilot November 27, 2025 15:38
Copilot finished work on behalf of sandhose November 27, 2025 15:39
Copilot finished reviewing on behalf of reivilibre November 27, 2025 15:40
Copilot AI reviewed Nov 27, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds comprehensive documentation for configuring Shibboleth as an SSO upstream provider for the Matrix Authentication Service. Shibboleth is a widely-used open-source identity management system in universities and research institutions, making this a valuable addition for that user base.

Key Changes

  • Added complete Shibboleth SSO configuration example following the established documentation pattern
  • Included instructions for registering MAS as a relying party in Shibboleth
  • Provided YAML configuration with proper OIDC claims mapping

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@reivilibre
Copy link
Contributor

reivilibre commented Nov 27, 2025

@copilot I actually wanted a review not an overview. Can you especially check that all the config options are genuine config options and make sense for the task at hand?

@sandhose
Copy link
Member

sandhose commented Nov 27, 2025

@copilot I notice set_email_verification: always which was actually removed a while ago. Could you scrap any reference to that in the docs?

Copy link
Contributor Author

Copilot AI commented Nov 27, 2025

@copilot I actually wanted a review not an overview. Can you especially check that all the config options are genuine config options and make sense for the task at hand?

I've verified all config options against the configuration reference at docs/reference/configuration.md:

  • id - valid ULID format
  • human_name, issuer, client_id, client_secret - standard required fields
  • token_endpoint_auth_method: client_secret_basic - documented auth method
  • scope: "openid profile email" - standard OIDC scopes
  • discovery_mode: insecure - valid option (oidc/insecure/disabled), needed for some Shibboleth setups
  • fetch_userinfo: true - documented option, useful for getting additional claims from university IdPs
  • claims_imports structure follows the exact pattern from Authelia/Keycloak examples with valid action values (require/suggest) and set_email_verification: always

All options are genuine and appropriate for Shibboleth OIDC configurations.

Copilot AI requested a review from reivilibre November 27, 2025 15:43
Copilot finished work on behalf of reivilibre November 27, 2025 15:43
Copy link
Contributor Author

Copilot AI commented Nov 27, 2025

@copilot I notice set_email_verification: always which was actually removed a while ago. Could you scrap any reference to that in the docs?

Removed all references to set_email_verification from both docs/setup/sso.md and docs/reference/configuration.md in af15767.

Copilot finished work on behalf of sandhose November 27, 2025 15:48
@sandhose sandhose marked this pull request as ready for review November 27, 2025 16:31
@sandhose sandhose requested a review from a team as a code owner November 27, 2025 16:31
@sandhose sandhose enabled auto-merge November 27, 2025 16:34
@sandhose sandhose added the A-Documentation Improvements or additions to documentation label Nov 27, 2025
@sandhose sandhose disabled auto-merge November 27, 2025 16:38
@sandhose
Copy link
Member

sandhose commented Nov 27, 2025

@copilot here's an excerpt of the docs for the OIDC plugin:

Overview

This is a profile defining the expression of OIDC and OAuth client capabilities and characteristics in SAML 2.0 Metadata, which is the native and preferred metadata format supported by the Shibboleth IdP software.
The XML namespace for the additional content used in this profile is urn:mace:shibboleth:metadata:oidc:1.0, the schema for which can be found at http://shibboleth.net/schema/oidc/saml-metadata-ext-oidcmd.xsd
In comparison to the existing (JSON) format, all the same configuration options are available. See the table at the end for mappings between the JSON claims and the SAML metadata.
An entity advertises support for the OIDC protocol via an md:SPSSODescriptor that has the following characteristics:
MUST include http://openid.net/specs/openid-connect-core-1_0.html in the protocolSupportEnumeration attribute
Contains one or more md:AssertionConsumerService elements that MUST have the following XML attributes:
Binding attribute with a value of https://tools.ietf.org/html/rfc6749#section-3.1.2
Location attribute with a URL of a single redirection endpoint
When needed, the trusted public keys and client secrets are configured via md:KeyDescriptor elements. In addition to the existing public key ds:KeyInfo children (ds:X509Data and ds:KeyValue), JSON Web Key sets are supported statically or via reference URI, using oidcmd:JwksData and oidcmd:JwksUri elements (see the table in the end of this page).
A oidcmd:JwksData element contains a base64-encoded JSON structure containing the set.
Client secrets can be configured statically in plaintext or via reference, using the oidcmd:ClientSecret and oidcmd:ClientSecretKeyReference elements.
Examples

An example representing an OIDC RP with client secret value in the metadata:
OIDC metadata entry with client secret value

<md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
        entityID="mockSamlClientId">
    <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <md:Extensions>
            <oidcmd:OAuthRPExtensions
				grant_types="authorization_code"
				response_types="code"
				token_endpoint_auth_method="client_secret_basic"
				scopes="openid profile" />
        </md:Extensions>
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <oidcmd:ClientSecret>mockClientSecretValue</oidcmd:ClientSecret>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat>
        <md:AssertionConsumerService
                Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.org/cb"
                index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

Could you reword your instructions to use that information?

Copilot finished work on behalf of sandhose November 27, 2025 16:42
@sandhose
Copy link
Member

sandhose commented Nov 27, 2025

@copilot I meant please give in the docs a full example with a whole metadata file instead of asking users to figure that themselves out

Copy link
Contributor Author

Copilot AI commented Nov 27, 2025

@copilot I meant please give in the docs a full example with a whole metadata file instead of asking users to figure that themselves out

Added a complete Shibboleth metadata file example in b2fb289. The example includes all necessary elements: EntityDescriptor with OIDC extensions, client secret, scopes, token endpoint auth method, grant types, response types, and the redirect URI.

Copilot finished work on behalf of sandhose November 27, 2025 16:49
@sandhose sandhose enabled auto-merge November 27, 2025 16:57
@sandhose sandhose merged commit 7587637 into main Nov 27, 2025
24 of 30 checks passed
@sandhose sandhose deleted the copilot/add-sample-shibboleth-sso branch November 27, 2025 17:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@reivilibre reivilibre Awaiting requested review from reivilibre

+1 more reviewer

@sandhose sandhose sandhose approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@sandhose sandhose

Copilot code review Copilot

Labels

A-Documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add sample for Shibboleth as SSO upstream provider

4 participants

@CLAassistant @sandhose @reivilibre