Home

All of the plugins documented here require V4.1 and above and will not work in older versions. The latest versions of many of them require V5.0+; this will be noted during upgrades (or blocked if an attempt to install onto older versions is made).

If you get errors, this is generally due to “forcing” the install of a specific plugin version (usually via a tarball). Simply put: don’t do that. Installing based on the plugin ID will automatically locate the “best” plugin version for a given IdP version and that isn’t always going to be the latest version released.

The Shibboleth IdP software, as of V4.1 and above, supports the concept of Plugins, add-on packages that add functionality and optionally expose Modules with individual features that can be enabled or disabled. Most new software features will be packaged as plugins to the core software to reduce the frequency of upgrades solely to deliver new features and to minimize the impact of security vulnerabilities.

The following table provides a summary of known plugins available (both first- and third-party) along with links to the appropriate documentation. See below for any security advisories published.

Name	Description	Release Notes

Name	Description	Release Notes
OIDC OP	OIDC OP support (requires install of OIDC/OAuth Config)	https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2776760321
OIDC RP	OIDC RP support (proxy authentication via OIDC) (requires install of OIDC/OAuth Config)	https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3239968769
OIDC/OAuth Config	Identity Provider OIDC/OAuth Shared Configuration (requires install of OIDCCommon)
OIDCCommon	Implementation of reusable Java components related to OpenID Connect and OAuth features	https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3232137218
Duo Universal Prompt	Duo UniversalPrompt OIDC-based login support (requires install of OIDCCommon)	https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3114041345
TOTP	Generic TOTP OATH token login support
Nashorn	Implementation of the Nashorn ECMAscript language (provided for JDK versions >=15)
Rhino	Implementation of the Rhino ECMAscript language common prior to Java 8
Metadatagen	A command-line tool to generate metadata based on shallow introspection of the IdP configuration properties
JDBCStorageService	A Storage Service which is backed by a database. Replaces the JPAStorageService
WebAuthn	FIDO2 authentication utilizing the Web Authentication API.	https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3394928781

Security Advisories

Plugin	Advisory	Versions Affected

Plugin	Advisory	Versions Affected
OIDC OP	OpenID Connect OP plugin allows unchecked use of request_uri feature	< 3.0.4
OIDC OP	OpenID Connect OP plugin is missing required checks handling JWTs	< 3.0.3
OIDC OP	OpenID Connect OP plugin contains multiple race conditions	< 3.4.0
OIDC OP	OpenID Connect OP plugin contains two race conditions	< 4.2.0

Third-Party Vulnerabilities

This is a summary of any known vulnerabilities in libraries shipped with any plugins, and our assessment of them.

All OIDC Plugins (including the Duo Nimbus plugin)

json-smart
- CVE-2023-1370, CVE-2024-57699
  - This is a denial of service issue so not serious even if exploitable. We will update the OIDC Commons plugin (which carries this dependency) at a future opportunity.