All of the plugins documented here require V4.1 and above and will not work in older versions. The latest versions of many of them require V5.0+; this will be noted during upgrades (or the install will be blocked if an attempt is made to install onto an older version).
If you get errors, this is generally due to “forcing” the install of a specific plugin version (usually via a tarball). Simply put: don’t do that. Installing based on the plugin ID will automatically locate the “best” plugin version for a given IdP version, and that isn’t always going to be the latest version released.
The Shibboleth IdP software, as of V4.1 and above, supports the concept of Plugins: add-on packages that add functionality and optionally expose Modules with individual features that can be enabled or disabled. Most new software features will be packaged as plugins to the core software, to reduce the frequency of upgrades made solely to deliver new features and to minimize the impact of security vulnerabilities.
The following table provides a summary of known plugins available (both first- and third-party) along with links to the appropriate documentation. See below for any security advisories published.
Description | Documentation | Release Notes |
---|---|---|
OIDC OP support (requires install of OIDC/OAuth Config) | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2776760321 | |
OIDC RP support (proxy authentication via OIDC) (requires install of OIDC/OAuth Config) | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3239968769 | |
Identity Provider OIDC/OAuth Shared Configuration (requires install of OIDCCommon) | | |
Implementation of reusable Java components related to OpenID Connect and OAuth features | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3232137218 | |
Duo Universal Prompt OIDC-based login support (requires install of OIDCCommon) | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3114041345 | |
Generic TOTP OATH token login support | | |
Implementation of the Nashorn ECMAScript language (provided for JDK versions >= 15) | | |
Implementation of the Rhino ECMAScript language common prior to Java 8 | | |
A command-line tool to generate metadata based on shallow introspection of the IdP configuration properties | | |
A Storage Service which is backed by a database; replaces the JPAStorageService | | |
FIDO2 authentication utilizing the Web Authentication API | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3394928781 | |
Security Advisories
Plugin | Advisory | Versions Affected |
---|---|---|
OpenID Connect OP plugin | Allows unchecked use of the request_uri feature | < 3.0.4 |
OpenID Connect OP plugin | Missing required checks when handling JWTs | < 3.0.3 |
| | < 3.4.0 |
| | < 4.2.0 |
Third-Party Vulnerabilities
This is a summary of any known vulnerabilities in libraries shipped with any plugins, along with our assessment of them.
Plugin(s) | Library | CVE | Assessment |
---|---|---|---|
All OIDC plugins (including the Duo Nimbus plugin) | json-smart | CVE-2023-1370 | This is a denial-of-service issue, so not serious even if exploitable. The library was updated in the OIDC Commons 3.2.0 plugin, on which all the functional plugins depend. |