Home

All of the plugins documented here require V4.1 and above and will not work in older versions. The latest versions of many of them require V5.0+; this will be noted during upgrades (or blocked if an attempt to install onto older versions is made).

If you get errors, this is generally due to “forcing” the install of a specific plugin version (usually via a tarball). Simply put: don’t do that. Installing based on the plugin ID will automatically locate the “best” plugin version for a given IdP version and that isn’t always going to be the latest version released.

The Shibboleth IdP software, as of V4.1 and above, supports the concept of Plugins, add-on packages that add functionality and optionally expose Modules with individual features that can be enabled or disabled. Most new software features will be packaged as plugins to the core software to reduce the frequency of upgrades solely to deliver new features and to minimize the impact of security vulnerabilities.

The following table provides a summary of known plugins available (both first- and third-party) along with links to the appropriate documentation. See below for any security advisories published.

| Name | Description | Release Notes |
|---|---|---|
| OIDC OP | OIDC OP support (requires install of OIDC/OAuth Config) | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2776760321 |
| OIDC RP | OIDC RP support (proxy authentication via OIDC) (requires install of OIDC/OAuth Config) | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3239968769 |
| OIDC/OAuth Config | Identity Provider OIDC/OAuth Shared Configuration (requires install of OIDCCommon) | |
| OIDCCommon | Implementation of reusable Java components related to OpenID Connect and OAuth features | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3232137218 |
| Duo Universal Prompt | Duo Universal Prompt OIDC-based login support (requires install of OIDCCommon) | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3114041345 |
| TOTP | Generic TOTP OATH token login support | |
| Nashorn | Implementation of the Nashorn ECMAScript language (provided for JDK versions >=15) | |
| Rhino | Implementation of the Rhino ECMAScript language common prior to Java 8 | |
| Metadatagen | A command-line tool to generate metadata based on shallow introspection of the IdP configuration properties | |
| JDBCStorageService | A Storage Service which is backed by a database. Replaces the JPAStorageService | |
| WebAuthn | FIDO2 authentication utilizing the Web Authentication API. | https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3394928781 |

Security Advisories

Third-Party Vulnerabilities

This is a summary of any known vulnerabilities in libraries shipped with any plugins, and our assessment of them.

All OIDC Plugins (including the Duo Nimbus plugin)

  • json-smart

    • CVE-2023-1370

      • This is a denial-of-service issue, so not serious even if exploitable. The library was updated for the OIDC Commons 3.2.0 plugin, on which all the functional plugins depend.