Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • OutOfDate: Still working but a new version is available

  • Unsupported: Out of Support

  • Secadv: Security alerts exist against this plugin

  • Withdrawn

There are no semantics associated with these beyond that only Supported versions are candidates for automatically selected update. The other states are there as (dynamic) guidance from the developer to the deployer of the state of the plugin.

It should be emphasised that the versioning is purely a statement of API compatibility, not support. The fact that a plugin version is “Current” is purely a statement that “This is the best version to run with this version of the IdP”.

The only plugin versions supported by the Shibboleth Project are those which are marked current for a support version of the IdP.

GPG Trust

In order for a plugin to be installed, the distribution must be accompanied by a GPG signature. The installation process checks the correctness of this signature before it does any installation or other potentially dangerous operations. Before it can do this check, the public key needs to be available to the plugin command in a trust store.   By default each plugin has its own trust store. This means that the trust surrounding one plugin cannot be subverted to allow another plugin to be installed. Alternatively the --truststore qualifier to the plugin command can be used to point to a central store (which you are expected to maintain).


These define which operation to perform.







File Or URL

Install the provided qualifier




Update installed plugin




Remove the installed plugin



Enumerate all installed plugins



Give full version details for all installed plugins




List all files installed by the specified plugin



List available plugins (i.e discover plugins which can be downloaded and installed)
Use --updateURL to specify the source for plugins not provided by the Shibboleth Project




Install plugin from its ID. The plugin should be available at the default endpoint (or that specified by --updateURL)


Do not check for compatibility with the current IdP Version


Specify the update URL (for -L, -I or to override the plugin provided value)



Output the license information for the specified plugin

Other Qualifiers

These provide extra/advanced options for the command:






Verbose logging


Quiet logging


a logback file

Specify a file to use to control the logging of the plugin command


Output the version of the plugin command


file list

Any property files that are to be included when parsing a Spring file input (see below)


Use for unattended installs. If specified the install will fail rather than require input.


Path to the (non default) trust store file used during installs and updates. See above.


If set then the war file is not rebuilt after the installation.




Used with the -u qualifier to force the update (or downgrade) to a specific version



Bean ID

Allows specification of an HTTP client bean used to download updates (or perform any related Module operation).

For details on wiring up a client bean, refer to the HttpClientConfiguration topic.



Bean ID

Only used if the plugin installer needs to invoke a module operation, and allows

Allows security customization of the HTTP operation(s).

Optional Parameter

Finally the plugin command can take one additional bare parameter - the path to a file which contains any native Spring bean definitions that may be needed. This is typically only required for the -hc  and -hs qualifiers to perform advanced customization of HTTP operations, and should be rare.