The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


Shibboleth 2 Contributions and Extensions

Identity Provider Extensions

The following extensions are software components that may be installed into the Shibboleth 2 Identity Provider.


Supported IdP Versions

Maintainer Contact Info.




Extension that enables users to consent to the release of attributes.

uApprove JP2.xGakuNinForked version of uApprove (above), which allows users to select attributes to be released.

GridShib for Shib2


Enables the IdP to issue Holder-of-Key SAML assertions.

X.509 Login Handler


The x509-login-handler implements an authentication handler for the Shibboleth IdP and will set the authentication context class urn:oasis:names:tc:SAML:2.0:ac:classes:X509.

IdP Audit Log Analysis Tool

2.x, 3.x (subscription required)

Provides IdP usage statistics by analyzing audit log files.



IdP monitoring script for graphing Shibboleth usage


2.x (subscription required)

Provides ECP support. Note ECP support was rolled in to the main IdP distribution in version 2.3, do not attempt to use this plugin with that, or future, versions.

RESTful webservice connector


Provides an attribute data connector to a RESTful webservice.

Dynamic Metadata Provider


Provides a dynamic metadata provider which is based on the newest HTTP metadata provider.

Web Service Data Connector


Provides a connector that can be used to extract attributes from a web service. (And the web service, in turn, can obtain those attributes from almost anywhere.)

Multi Factor Login Handler

2.?, 2.4.x

This is a JAAS-based login handler for Multi Factor authentication (one, two or more factors).

MongoDB connector


Provides an attribute data and persistent ID connector for MongoDB.

OrientDB Connector


Provides an attribute data connector for OrientDB.

Memcached StorageService


Provides an easy way to connect your Shibboleth IdP to a memcached server, in order to create a stateful cluster. It is intended to be a lightweight alternative to using the Terracotta software.

Ohio State Custom Login Handler

2.2+ (subscription required)

Ohio State extensions, primarily a custom login module for SSO with stateless clustering, and workflow-like login handler with Velocity-based UI and post-login notification hooks.

German ID card Login Handler


Provides support authentication with the German ID card (nPA).

Kerberos Login Handler


The Kerberos Login Handler uses the kerberos protocol to implement an SSO (Single Sing On) authentication mechanism.

User Agent Based Attributes


An extension to the username/password login handler and a new data connector that allows for the creation of new attributes based on the IP address of the user agent at authentication time.

Facebook Login Servlet


Facebook Login Servlet (FLS) provides three way integration among Identity Provider, Facebook and SQL database. With its help, user can perform quick authentication, based on credentials retrieved from Facebook Graph and data received from SQL database.
Connection with a SQL database is completely optional and FLS can use Facebook as a data provider and forward User Fields from Facebook as attributes to Service Provider. In this case FLS evolves into Facebook "Data Connector".

Duo Two-Factor Authentication Login Handler


The Duo Two-Factor Authentication Login Handler for Shibboleth adds Duo Security two-factor authentication to an existing JAAS user authentication for Shibboleth identity providers. It is based on the Shibboleth UsernamePassword login handler.

Infinispan Storage Service

2.3+ (subscription required)

A replacement storage service for Shibboleth IdP v2 that uses Infinispan to provide cluster support.

SSO-CAS Login Handler2.xfed-contact@listes.renater.frThe SSO-CAS Login Handler allows the use of forced authentication while using a SSO-CAS server to authenticate the user.

Munin plugins to graph IdP requests and logins per relying party.  Requires the IdP Audit Log Analysis Tool to parse the log files.

Shibboleth-CAS Authenticator2.3+dkopylenko@unicon.netA Shibboleth IdP external authentication plugin that delegates the authentication to the CAS. Supports the ability to utilize a full range of native CAS protocol features such as renew and gateway
Status Servlet with Terracotta support2.3+beall@usc.eduA servlet to for better status monitoring of an IdP node which is using Terracotta.
Changing IdP Signature Method Algorithm2.3+users@shibboleth.netInstructions and template code for writing a Java Spring bean that can be used to change the IdP signature method algorithm from SHA1 to other algorithms.
Multi-Context Broker2.3+users@shibboleth.netThe Multi-Context Broker login handler implements the InCommon Assurance requirements.
Database Backed Storage Service2.3+users@shibboleth.netThe Database Backed Storage Service is a replacement storage service for Shibboleth that uses a RDMS for session persistence.
Match functors for MDRPI elements2.4

Enables the identity provider to include a requesting entity's registrationAuthority attribute in attribute release policies.
NIIF SLO plugin2.4+haim@hrz.uni-marburg.deSingle Logout (SLO) implementation by the Hungarian NIIF institute, but rewritten as plugin for a default Shibboleth IdP 2.4

Service Provider Extensions

The following extensions are software components that may be installed into the Shibboleth 2 Service Provider.


Supported SP Versions

Maintainer Contact Info.


Attribute Query2.5 or laterGakuNin Federation/PEOFIAMPAllows making SAML Attribute Queries via /Shibboleth.sso/AttributeQuery?entityID=...&nameId=... and getting back (user) attributes in a JSON data structure. Also includes a Python script to execute in a terminal. This extension is faster and more interoperable than using the resolvertest binary that is bundled with the SP.

Discovery Service Extensions

The following extensions are software components that may be installed into the Shibboleth 2 Discovery Service.


Supported DS Versions

Maintainer Contact Info.




Maintainer Contact Info.


SP on openSUSE

Notes on building, configuring, and testing the Shibboleth 2.0 SP on openSUSE 10.3


Setting up the IDP 2.0 on SuSE Linux Enterprise Server (SLES10) (German)

SP on Xserve

Notes on installing and configuring Shibboleth 2.0 SP on Mac OSX 10.5 (Leopard) XServe
(italian language)

Japanese Tutorial

Shibboleth 2 Introduction, Installation, and Configuration

Hosting SP in Azurekool@uw.eduHosting the IIS Shibboleth SP in Azure
Integrating Nginx and a Shibboleth SP with FastCGIDavid BeiteyHow to utilise Nginx as a front-end web server and integrate it with Shibboleth.
Shibbolize a CAS serverFront a CAS server with a Shib-SP and recycle the attributes. (a different cas integration)
Shibboleth IdP ProbeA bash script that probes a sequence of Shibboleth IdPs to determine which are based on the Shibboleth IdP V2 software

Other, Related, Contributions

Other software components or documentation related to the use of Shibboleth 2.


Maintainer Contact Info.


XmlSecTool (subscription required)

Java-based tool for downloading, checking well-formedness, schema validity, and signature of XML documents. Also provides ability to sign XML documents.

Shule Aroon

A discovery service, written in Ruby.


An all-Java SP. A Git patch to configure JBoss such that any standard deployed applications become SAML enabled. From a clean JBoss download do "git apply path-to-patch" to apply the changes. A README is supplied. I based the patch on JBoss-6.0.0.M2, but hopefully it with work with other versions too. If you really can't work with the patch I may be able to provide the complete SP, but the patch is really better since it is not tied so tightly to a single JBoss version and it lets you see what has been done.

Scott Koranda

A simple demonstration ECP client written in bash. It requires bash 4 and the curl and xlstproc command line tools. It has been tested on Debian Jessie against a Shib 2.4.4 and 3.2.1 IdP and Shib 2.5.6 Native SP.

Scott Koranda

A simple demonstration ECP client written in Python. It requires Python 2.6+ and the Python lxml toolkit. It has been tested on Debian Wheezy against a Shib 2.4.4 and 3.1.1 IdP and Shib 2.5.4 Native SP.

PKI enabled Python 3.4 ECP client

Rob EastmanA PKI enabled Python 3.4 ECP client that can take in as arguments a single URL or a "\n" separated file of URLs. Especially helpful for enabling web crawlers to crawl a SAML 2.0 ECP enabled site that requires a PKI certificate at the IdP. Tested with Shibboleth SP 2.5.3 and IdP 2.4.3.

Steve Thorpe and its companion program are meant to help "stress test" a Shibboleth IdP (and SP). I used it to run about successful 150-200 logins per minute, using an IdP running on a VM on older HW, with only 512MB RAM. The code exercises SP -> WAYF -> IdP -> SP end-to-end tests and produces ASCII output. YOU WILL NEED TO READ AND UNDERSTAND THE CODE BEFORE USING THIS, as modifications will be required. Though its only 200-300 lines of code, so hopefully it won't be too difficult to figure that out. To unroll the gzipped tarball, do the following from a Linux command line: gunzip idpLoadTester.tar.gz; tar -xvf idpLoadTester.tar

Joe George

Devise Shibboleth Authenticatable is a Shibboleth based authentication strategy for the Devise authentication framework,

ECP implementation in PHPIvan NovakovFlexible and easily extensible PHP library for creating ECP enabled applications.S
Chef Cookbooks for ShibbolethElliot Kendall

Chef Cookbooks to install and configure the Shibboleth IdP, the Shibboleth SP, and Terracotta as Shibboleth IdP clustering solution.

JAGGER Resource RegistryJanusz UlanowskiWeb-based GUI for managing multiple federations (or webs of trust) and a Shibboleth IdP's metadata providers and attribute policy.
Salt formula for ShibbolethMatthew X. EconomouSaltStack formula that installs and configures the Shibboleth IdP, the Shibboleth SP, and the Shibboleth DS; currently tested against CentOS 7 and FreeBSD 10, and intended for use with CentOS/Debian/FreeBSD/RHEL/SUSE/Ubuntu/Windows.

  File Modified

File idpLoadTester.tar.gz

Oct 25, 2011 by Steve Thorpe

File schema.tgz Hacked XSD schema files for validation of SAML metadata

Jun 08, 2013 by peter


Apr 27, 2015 by Former user

File Tested against IdP 3.2.1

Apr 27, 2016 by

File Tested against IdP 3.2.1

Apr 27, 2016 by