Add Shibboleth sample configuration to SSO documentation (#5294)

sandhose · web-flow · commit 7587637943ff · 2025-11-27T18:02:28.000+01:00
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
@@ -794,15 +794,6 @@ upstream_oauth2:
           #action: suggest
           #template: "{{ user.email }}"
 
-          # Whether the email address must be marked as verified.
-          # Possible values are:
-          #  - `import`: mark the email address as verified if the upstream provider
-          #     has marked it as verified, using the `email_verified` claim.
-          #     This is the default.
-          #   - `always`: mark the email address as verified
-          #   - `never`: mark the email address as not verified
-          #set_email_verification: import
-
         # An account name, for display purposes only
         # This helps end user identify what account they are using
         account_name:
diff --git a/docs/setup/sso.md b/docs/setup/sso.md
@@ -213,7 +213,6 @@ upstream_oauth2:
         email:
           action: suggest
           template: "{{ user.email }}"
-          set_email_verification: always
 ```
 
 
@@ -250,7 +249,6 @@ upstream_oauth2:
         email:
           action: suggest
           template: "{{ user.email }}"
-          set_email_verification: always
 ```
 
 
@@ -291,7 +289,6 @@ upstream_oauth2:
         email:
           action: suggest
           template: "{{ user.email }}"
-          set_email_verification: always
         account_name:
           template: "{{ user.name }}"
 ```
@@ -462,7 +459,6 @@ upstream_oauth2:
         email:
           action: suggest
           template: "{{ user.email }}"
-          set_email_verification: always
 ```
 
 
@@ -499,7 +495,6 @@ upstream_oauth2:
         email:
           action: suggest
           template: "{{ user.email }}"
-          set_email_verification: always
         account_name:
           template: "{{ user.preferred_username }}"
 ```
@@ -601,3 +596,70 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
   "id_token_signed_response_alg": "RS256"
 }
 ```
+
+
+### Shibboleth
+
+[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
+It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).
+
+These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.
+
+Register MAS as a relying party in Shibboleth:
+
+1. Add a metadata file (e.g. `mas-metadata.xml`) to `%{idp.home}/metadata/` with the following content:
+
+   ```xml
+   <?xml version="1.0" encoding="UTF-8"?>
+   <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                     xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
+                     entityID="<client-id>">
+       <Extensions>
+           <oidcmd:ClientInformation>
+               <oidcmd:ClientSecret><client-secret></oidcmd:ClientSecret>
+           </oidcmd:ClientInformation>
+       </Extensions>
+       <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+           <Extensions>
+               <oidcmd:OIDCClientInformation scopes="openid profile email"
+                                             token_endpoint_auth_method="client_secret_basic">
+                   <oidcmd:GrantType>authorization_code</oidcmd:GrantType>
+                   <oidcmd:ResponseType>code</oidcmd:ResponseType>
+               </oidcmd:OIDCClientInformation>
+           </Extensions>
+           <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                     Location="https://<auth-service-domain>/upstream/callback/<id>"
+                                     index="1"/>
+       </SPSSODescriptor>
+   </EntityDescriptor>
+   ```
+
+   Replace `<client-id>`, `<client-secret>`, `<auth-service-domain>`, and `<id>` with your values.
+
+2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
+
+Authentication service configuration:
+
+```yaml
+upstream_oauth2:
+  providers:
+    - id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
+      human_name: Shibboleth
+      issuer: "https://<shibboleth-domain>/" # TO BE FILLED
+      client_id: "<client-id>" # TO BE FILLED
+      client_secret: "<client-secret>" # TO BE FILLED
+      token_endpoint_auth_method: client_secret_basic
+      scope: "openid profile email"
+      discovery_mode: insecure
+      fetch_userinfo: true
+      claims_imports:
+        localpart:
+          action: require
+          template: "{{ user.preferred_username }}"
+        displayname:
+          action: suggest
+          template: "{{ user.name }}"
+        email:
+          action: suggest
+          template: "{{ user.email }}"
+```
