OIDC OP

Overview

The OIDC OP plugin is the successor to the original GEANT-funded add-on to Shibboleth and is now available as an officially supported plugin for IdP V4.1 and above. It provides a conformant OpenID Connect Provider (OP) alongside the SAML and CAS support already native to the IdP software.

This is the first release with code packages, XML namespaces, and other configuration elements native to the Shibboleth Project and with a "stable" configuration that will be supported in accordance with our versioning policy. It leverages the plugin extension model introduced in V4.1.

Because of significant changes to the configuration (largely to automate or simplify the overall process of adding or removing this feature), there are a number of manual steps required to move from the older releases of this feature to the new, "stable" version. These differences were unavoidable in the interest of preventing such complications in the future.

Those using the earlier V1.0 or V2.0 releases of this functionality (originally documented in GitHub) should refer to OIDC OP Upgrading for guidance on moving to this new release.

Plugin Installation

Plugin             Plugin ID                          Module ID    Latest Version
OIDC OP Extension  net.shibboleth.idp.plugin.oidc.op  idp.oidc.OP  3.0.1: download

Dependencies

This plugin depends on the Shibboleth OIDC Common plugin, and you must first install OIDCCommon. The installer will prevent installation if this is not in place.

For a detailed guide on how to install plugins, see the PluginInstallation topic.

In summary, use the plugin command that ships with the IdP to install the plugin from a pre-downloaded local file, from a URL, or (on IdP V4.2 and later) by plugin ID:

Installation

C:>\opt\shibboleth-idp\bin\plugin.bat -I net.shibboleth.idp.plugin.oidc.op

or

$ /opt/shibboleth-idp/bin/plugin.sh -i http://shibboleth.net/downloads/identity-provider/plugins/pluginName/version/URL

or

$ /opt/shibboleth-idp/bin/plugin.sh -i <plugin.tar.gz>

If installing from a local file, you need to ensure the GPG detached signature (e.g. the .asc file) is placed alongside the main plugin archive on disk.

Listing Installed Plugins

$ /opt/shibboleth-idp/bin/plugin.sh -l

or

C:>\opt\shibboleth-idp\bin\plugin.bat -l

Enabling the Module

For a detailed guide on configuring modules, see the ModuleConfiguration topic. Once the plugin has been installed, its module should be enabled automatically for you:

Check Module Is Enabled
/%{idp.home}/bin$ ./module.sh -l

...
Module: idp.oidc.OP [ENABLED]

However, if you need to enable it yourself, you can do so with the module command:

Enable the module
/%{idp.home}/bin$ ./module.sh -e idp.oidc.OP

When enabled, a number of new configuration files will be created for further customization.

Systems upgraded to V4.1 are also likely to require adding idp.searchForProperties=true to their idp.properties file; otherwise the new property file added by the module is not loaded unless it is listed explicitly in idp.additionalProperties. It is best to clean up the property situation before using plugins that add their own property files.
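The checks described in the installation and module steps above, gathered into a pre-flight script. This is an added example, not code from the Shibboleth documentation or from the plugin itself. It assumes the plugin ID net.shibboleth.idp.plugin.oidc.common for OIDCCommon, that a detached signature is named after its archive with .asc appended, and a "Plugin: <id> ..." line format for plugin.sh -l; the "Module: <id> [STATE]" format is the one shown in the text. The sample listings and property file at the bottom are constructed so the script runs without a live IdP.

```shell
#!/bin/sh
# Pre-flight checks for installing and enabling the OIDC OP plugin.
# Added example, not part of the Shibboleth documentation or the plugin's
# own tooling. It covers the checks the documentation describes:
#   1. a downloaded archive must have its detached .asc signature beside it
#   2. OIDCCommon must be installed before the OP plugin (plugin.sh -l)
#   3. the idp.oidc.OP module must be enabled (module.sh -l)
#   4. idp.searchForProperties must be true, or the module's property file
#      must be listed in idp.additionalProperties
# The checks operate on text so they can be exercised on the constructed
# sample data at the bottom. The plugin.sh -l line format and the
# OIDCCommon plugin ID are assumptions.

IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"
OP_PLUGIN_ID="net.shibboleth.idp.plugin.oidc.op"
COMMON_PLUGIN_ID="net.shibboleth.idp.plugin.oidc.common"   # assumed ID of OIDCCommon
OP_MODULE_ID="idp.oidc.OP"

# sig_present ARCHIVE: exit 0 if both ARCHIVE and ARCHIVE.asc exist
sig_present() {
    [ -f "$1" ] && [ -f "$1.asc" ]
}

# plugin_installed ID LISTING: exit 0 if ID appears as a whole token in
# LISTING (the output of plugin.sh -l), so ...oidc.common never matches
# ...oidc.op or vice versa
plugin_installed() {
    printf '%s\n' "$2" | grep -qE '(^|[[:space:]])'"$1"'([[:space:]]|$)'
}

# module_state MODULE LISTING: print ENABLED, DISABLED or MISSING from the
# "Module: <id> [STATE]" lines of module.sh -l
module_state() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $1 == "Module:" && $2 == m { st = $3; gsub(/[^A-Z]/, "", st); print st; found = 1; exit }
        END { if (!found) print "MISSING" }'
}

# properties_search_enabled FILE: exit 0 if FILE contains an uncommented
# idp.searchForProperties = true line
properties_search_enabled() {
    grep -qE '^[[:space:]]*idp\.searchForProperties[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# preflight PLUGIN_LISTING MODULE_LISTING PROPERTIES_FILE: report each check,
# print the command that fixes a failure, exit 0 only if all checks pass
preflight() {
    rc=0
    if plugin_installed "$COMMON_PLUGIN_ID" "$1"; then
        echo "ok:   $COMMON_PLUGIN_ID installed"
    else
        echo "FAIL: OIDCCommon missing; run $IDP_HOME/bin/plugin.sh -I $COMMON_PLUGIN_ID first"
        rc=1
    fi
    if plugin_installed "$OP_PLUGIN_ID" "$1"; then
        echo "ok:   $OP_PLUGIN_ID installed"
    else
        echo "FAIL: run $IDP_HOME/bin/plugin.sh -I $OP_PLUGIN_ID"
        rc=1
    fi
    case "$(module_state "$OP_MODULE_ID" "$2")" in
        ENABLED) echo "ok:   module $OP_MODULE_ID enabled" ;;
        *)       echo "FAIL: run $IDP_HOME/bin/module.sh -e $OP_MODULE_ID"; rc=1 ;;
    esac
    if properties_search_enabled "$3"; then
        echo "ok:   idp.searchForProperties=true in $3"
    else
        echo "FAIL: set idp.searchForProperties=true in $3, or list the module's"
        echo "      property file in idp.additionalProperties"
        rc=1
    fi
    return $rc
}

# Constructed sample data (not captured from a real IdP)
SAMPLE_PLUGINS='Plugin: net.shibboleth.idp.plugin.oidc.common  Current Version: 2.0.0  Latest Version: 2.0.0
Plugin: net.shibboleth.idp.plugin.oidc.op  Current Version: 3.0.1  Latest Version: 3.0.1'
SAMPLE_MODULES='Module: idp.authn.Password [ENABLED]
Module: idp.oidc.OP [DISABLED]'
SAMPLE_PROPS="$(mktemp)"
printf 'idp.additionalProperties = /conf/ldap.properties\n#idp.searchForProperties = true\n' > "$SAMPLE_PROPS"

# On the sample the module is disabled and the property is commented out,
# so this run reports two failures and exits non-zero.
if preflight "$SAMPLE_PLUGINS" "$SAMPLE_MODULES" "$SAMPLE_PROPS"; then
    echo "pre-flight passed"
else
    echo "pre-flight failed"
fi
rm -f "$SAMPLE_PROPS"
```

Run it on a real host by substituting the live outputs, e.g. preflight "$($IDP_HOME/bin/plugin.sh -l)" "$($IDP_HOME/bin/module.sh -l)" "$IDP_HOME/conf/idp.properties". The whole-token match in plugin_installed matters because the two OIDC plugin IDs share a prefix; a bare substring grep would report OIDCCommon as present whenever the OP plugin alone was installed.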

Initial Setup

Because this plugin is considerably more extensive than most, it has more touchpoints with the rest of the IdP configuration and a larger-than-usual set of initial setup steps that must be completed before it can be used. The IdP may not even start up properly until many of them are done.

Configuration

Please refer to the topics below for more detailed information on different aspects of the extension.