All of the plugins documented here require V4.1 and above and will not work in older versions. The latest versions of many of them require V5.0+; this will be noted during upgrades (or blocked if an attempt to install onto older versions is made).

If you get errors, this is generally due to “forcing” the install of a specific plugin version (usually via a tarball). Simply put: don’t do that. Installing based on the plugin ID will automatically locate the “best” plugin version for a given IdP version and that isn’t always going to be the latest version released.

The Shibboleth IdP software, as of V4.1 and above, supports the concept of Plugins, add-on packages that add functionality and optionally expose Modules with individual features that can be enabled or disabled. Most new software features will be packaged as plugins to the core software to reduce the frequency of upgrades solely to deliver new features and to minimize the impact of security vulnerabilities.

The following table provides a summary of known plugins available (both first- and third-party) along with links to the appropriate documentation. See below for any security advisories published.



Release Notes



Release Notes


OIDC OP support (requires install of OIDC/OAuth Config)



OIDC RP support (proxy authentication via OIDC) (requires install of OIDC/OAuth Config)


OIDC/OAuth Config

Identity Provider OIDC/OAuth Shared Configuration (requires install of OIDCCommon)



Implementation of reusable Java components related to OpenID Connect and OAuth features


Duo Universal Prompt

Duo UniversalPrompt OIDC-based login support (requires install of OIDCCommon)



Generic TOTP OATH token login support



Implementation of the Nashorn ECMAscript language (provided for JDK versions >=15)



Implementation of the Rhino ECMAscript language common prior to Java 8



A command-line tool to generate metadata based on shallow introspection of the IdP configuration properties



A Storage Service which is backed by a database. Replaces the JPAStorageService


Security Advisories

Third-Party Vulnerabilities

This is a summary of any known vulnerabilities in libraries shipped with any plugins, and our assessment of them.

All OIDC Plugins (including the Duo Nimbus plugin)

  • json-smart

    • CVE-2023-1370

      • This is a denial of service issue so not serious even if exploitable. It will be updated for the next release of the OIDC Commons plugin on which all the functional plugins depend.