Atlassian uses cookies to improve your browsing experience, perform analytics and research, and conduct advertising. Accept all cookies to indicate that you agree to our use of cookies on your device. Atlassian cookies and tracking notice, (opens new window)
Contributions
Shibboleth 2 Contributions and Extensions
Identity Provider Extensions
The following extensions are software components that may be installed into the Shibboleth 2 Identity Provider.
Extension | Supported IdP Versions | Maintainer Contact Info. | Description |
|---|---|---|---|
2.3 | Extension that enables users to consent to the release of attributes. | ||
| uApprove JP | 2.x | GakuNin | Forked version of uApprove (above), which allows users to select attributes to be released. |
? | Enables the IdP to issue Holder-of-Key SAML assertions. | ||
2.3 | The x509-login-handler implements an authentication handler for the Shibboleth IdP and will set the authentication context class | ||
2.x, 3.x | Provides IdP usage statistics by analyzing audit log files. | ||
2.X | IdP monitoring script for graphing Shibboleth usage | ||
2.x | Provides ECP support. Note ECP support was rolled in to the main IdP distribution in version 2.3, do not attempt to use this plugin with that, or future, versions. | ||
2.x | Provides an attribute data connector to a RESTful webservice. | ||
2.2 | Provides a dynamic metadata provider which is based on the newest HTTP metadata provider. | ||
2.x | Provides a connector that can be used to extract attributes from a web service. (And the web service, in turn, can obtain those attributes from almost anywhere.) | ||
2.?, 2.4.x | This is a JAAS-based login handler for Multi Factor authentication (one, two or more factors). | ||
2.? | Provides an attribute data and persistent ID connector for MongoDB. | ||
2.x | Provides an attribute data connector for OrientDB. | ||
2.3+ | Provides an easy way to connect your Shibboleth IdP to a memcached server, in order to create a stateful cluster. It is intended to be a lightweight alternative to using the Terracotta software. | ||
2.2+ | Ohio State extensions, primarily a custom login module for SSO with stateless clustering, and workflow-like login handler with Velocity-based UI and post-login notification hooks. | ||
2.x | Provides support authentication with the German ID card (nPA). | ||
2.3 | The Kerberos Login Handler uses the kerberos protocol to implement an SSO (Single Sing On) authentication mechanism. | ||
2.3 | An extension to the username/password login handler and a new data connector that allows for the creation of new attributes based on the IP address of the user agent at authentication time. | ||
2.? | Facebook Login Servlet (FLS) provides three way integration among Identity Provider, Facebook and SQL database. With its help, user can perform quick authentication, based on credentials retrieved from Facebook Graph and data received from SQL database. | ||
2.3 | The Duo Two-Factor Authentication Login Handler for Shibboleth adds Duo Security two-factor authentication to an existing JAAS user authentication for Shibboleth identity providers. It is based on the Shibboleth UsernamePassword login handler. | ||
2.3+ | A replacement storage service for Shibboleth IdP v2 that uses Infinispan to provide cluster support. | ||
| SSO-CAS Login Handler | 2.x | fed-contact@listes.renater.fr | The SSO-CAS Login Handler allows the use of forced authentication while using a SSO-CAS server to authenticate the user. |
| Munin plugins | 2.x | sporth@oit.umass.edu | Munin plugins to graph IdP requests and logins per relying party. Requires the IdP Audit Log Analysis Tool to parse the log files. |
| Shibboleth-CAS Authenticator | 2.3+ | dkopylenko@unicon.net | A Shibboleth IdP external authentication plugin that delegates the authentication to the CAS. Supports the ability to utilize a full range of native CAS protocol features such as renew and gateway |
| Status Servlet with Terracotta support | 2.3+ | beall@usc.edu | A servlet to for better status monitoring of an IdP node which is using Terracotta. |
| Changing IdP Signature Method Algorithm | 2.3+ | users@shibboleth.net | Instructions and template code for writing a Java Spring bean that can be used to change the IdP signature method algorithm from SHA1 to other algorithms. |
| Multi-Context Broker | 2.3+ | users@shibboleth.net | The Multi-Context Broker login handler implements the InCommon Assurance requirements. |
| Database Backed Storage Service | 2.3+ | users@shibboleth.net | The Database Backed Storage Service is a replacement storage service for Shibboleth that uses a RDMS for session persistence. |
| Match functors for MDRPI elements | 2.4 | Enables the identity provider to include a requesting entity's registrationAuthority attribute in attribute release policies. | |
| NIIF SLO plugin | 2.4+ | haim@hrz.uni-marburg.de | Single Logout (SLO) implementation by the Hungarian NIIF institute, but rewritten as plugin for a default Shibboleth IdP 2.4 |
Service Provider Extensions
The following extensions are software components that may be installed into the Shibboleth 2 Service Provider.
Extension | Supported SP Versions | Maintainer Contact Info. | Description |
|---|---|---|---|
| Attribute Query | 2.5 or later | GakuNin Federation/PEOFIAMP | Allows making SAML Attribute Queries via /Shibboleth.sso/AttributeQuery?entityID=...&nameId=... and getting back (user) attributes in a JSON data structure. Also includes a Python script attributequery.py to execute in a terminal. This extension is faster and more interoperable than using the resolvertest binary that is bundled with the SP. |
Discovery Service Extensions
The following extensions are software components that may be installed into the Shibboleth 2 Discovery Service.
Extension | Supported DS Versions | Maintainer Contact Info. | Description |
|---|
Documentation
Name | Maintainer Contact Info. | Description |
|---|---|---|
Notes on building, configuring, and testing the Shibboleth 2.0 SP on openSUSE 10.3 | ||
Setting up the IDP 2.0 on SuSE Linux Enterprise Server (SLES10) (German) | ||
Notes on installing and configuring Shibboleth 2.0 SP on Mac OSX 10.5 (Leopard) XServe | ||
Shibboleth 2 Introduction, Installation, and Configuration | ||
| Hosting SP in Azure | kool@uw.edu | Hosting the IIS Shibboleth SP in Azure |
| Integrating Nginx and a Shibboleth SP with FastCGI | David Beitey | How to utilise Nginx as a front-end web server and integrate it with Shibboleth. |
| Shibbolize a CAS server | Front a CAS server with a Shib-SP and recycle the attributes. (a different cas integration) | |
| Shibboleth IdP Probe | A bash script that probes a sequence of Shibboleth IdPs to determine which are based on the Shibboleth IdP V2 software |
Other, Related, Contributions
Other software components or documentation related to the use of Shibboleth 2.
Name | Maintainer Contact Info. | Description |
|---|---|---|
Java-based tool for downloading, checking well-formedness, schema validity, and signature of XML documents. Also provides ability to sign XML documents. | ||
A discovery service, written in Ruby. | ||
An all-Java SP. A Git patch to configure JBoss such that any standard deployed applications become SAML enabled. From a clean JBoss download do "git apply path-to-patch" to apply the changes. A README is supplied. I based the patch on JBoss-6.0.0.M2, but hopefully it with work with other versions too. If you really can't work with the patch I may be able to provide the complete SP, but the patch is really better since it is not tied so tightly to a single JBoss version and it lets you see what has been done. | ||
A simple demonstration ECP client written in bash. It requires bash 4 and the curl and xlstproc command line tools. It has been tested on Debian Jessie against a Shib 2.4.4 and 3.2.1 IdP and Shib 2.5.6 Native SP. | ||
A simple demonstration ECP client written in Python. It requires Python 2.6+ and the Python lxml toolkit. It has been tested on Debian Wheezy against a Shib 2.4.4 and 3.1.1 IdP and Shib 2.5.4 Native SP. | ||
| Rob Eastman | A PKI enabled Python 3.4 ECP client that can take in as arguments a single URL or a "\n" separated file of URLs. Especially helpful for enabling web crawlers to crawl a SAML 2.0 ECP enabled site that requires a PKI certificate at the IdP. Tested with Shibboleth SP 2.5.3 and IdP 2.4.3. | |
stressTest.sh and its companion program check_sp-test.my.org_shib_login.pl are meant to help "stress test" a Shibboleth IdP (and SP). I used it to run about successful 150-200 logins per minute, using an IdP running on a VM on older HW, with only 512MB RAM. The code exercises SP -> WAYF -> IdP -> SP end-to-end tests and produces ASCII output. YOU WILL NEED TO READ AND UNDERSTAND THE CODE BEFORE USING THIS, as modifications will be required. Though its only 200-300 lines of code, so hopefully it won't be too difficult to figure that out. To unroll the gzipped tarball, do the following from a Linux command line: gunzip idpLoadTester.tar.gz; tar -xvf idpLoadTester.tar | ||
Devise Shibboleth Authenticatable is a Shibboleth based authentication strategy for the Devise authentication framework, http://github.com/plataformatec/devise. | ||
| ECP implementation in PHP | Ivan Novakov | Flexible and easily extensible PHP library for creating ECP enabled applications.S |
| Chef Cookbooks for Shibboleth | Elliot Kendall | Chef Cookbooks to install and configure the Shibboleth IdP, the Shibboleth SP, and Terracotta as Shibboleth IdP clustering solution. |
| JAGGER Resource Registry | Janusz Ulanowski | Web-based GUI for managing multiple federations (or webs of trust) and a Shibboleth IdP's metadata providers and attribute policy. |
| Salt formula for Shibboleth | Matthew X. Economou | SaltStack formula that installs and configures the Shibboleth IdP, the Shibboleth SP, and the Shibboleth DS; currently tested against CentOS 7 and FreeBSD 10, and intended for use with CentOS/Debian/FreeBSD/RHEL/SUSE/Ubuntu/Windows. |
, multiple selections available,