...
Info |
---|
Starting with IdP 4.2 you can install the latest plugin version supported on your IdP version with |
Plugin | Plugin ID | Module(s) |
---|
Depends on | Bug Reporting | |
---|---|---|
OIDC OP Extension | net.shibboleth.idp.plugin.oidc.op | idp.oidc.OP.3 |
idp.oidc. |
config.3 |
Please review the OPReleaseNotes when installing or updating this plugin.
Note |
---|
Dependencies: This plugin depends on the Shibboleth OIDC Common plugin, and you must first install OIDCCommon. The installer will prevent installation if this is not in place. Since version 3.4.0, you must also install OIDCConfig. |
...
The additional files created in conf/examples (oidc-attribute-resolver.xml and oidc-attribute-filter.xml) are intended as a source of examples to copy into your own files. The most critical definitions needed are the rules for creating and releasing the "sub" claim, as that is a required OIDC feature (see OIDC OP#ClaimSetup). If you want to use the example files directly (unlikely), you can copy them elsewhere and make use of them as you see fit.
...
The OIDC "issuer" value needs to be determined, and the OpenID discovery document needs to be made accessible.
The issuer value is set in conf/oidc.properties and must be a URL using the "https" scheme that contains a host and, optionally, port number and path components, and no query or fragment components. It generally must resolve to the root of the deployment in question. As a result, while it may be the same as one's SAML entityID, it often cannot be, as SAML does not conflate identity and location in this fashion.
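A pre-deployment check for the issuer rules above, written as an added example; it is not part of the original page or of the Shibboleth code base. The host names and the sample discovery document are constructed, and the well-known path and the exact-match rule for the document's "issuer" member are taken from OpenID Connect Discovery 1.0 rather than from this page.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def check_issuer(issuer):
    """Return the rule violations for an issuer value (empty list = acceptable)."""
    try:
        parts = urlsplit(issuer)
        parts.port  # reading .port raises ValueError for a malformed port
    except ValueError as exc:
        return [f"not a parseable URL: {exc}"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("host is missing")
    if "?" in issuer:
        problems.append("query component not allowed")
    if "#" in issuer:
        problems.append("fragment component not allowed")
    return problems

def discovery_url(issuer):
    """URL at which clients expect the discovery document for this issuer."""
    return issuer.rstrip("/") + WELL_KNOWN

def check_discovery(issuer, document_text):
    """Compare a retrieved discovery document with the configured issuer."""
    doc = json.loads(document_text)
    problems = []
    if doc.get("issuer") != issuer:  # clients compare the two strings exactly
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    for key in ("authorization_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} is missing or not https")
    return problems

# Constructed sample: the document's issuer differs only by a trailing slash.
SAMPLE_ISSUER = "https://idp.example.org"
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.org/",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "jwks_uri": "http://idp.example.org/keyset",
})

if __name__ == "__main__":
    print(check_issuer(SAMPLE_ISSUER), discovery_url(SAMPLE_ISSUER))
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DOC))
```
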
...
```xml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <ref bean="OIDC.SSO" />
            <ref bean="OIDC.UserInfo"/>
            <ref bean="OAUTH2.Token"/>
            <ref bean="OAUTH2.Revocation"/>
            <ref bean="OAUTH2.Introspection" />
        </list>
    </property>
</bean>
```
...