The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdP OpenID Configuration


The OpenID extension needs access to Shibboleth's Velocity Engine, which is accomplished by modifying service.xml. Find the Service with the id "shibboleth.ServiceServletContextAttributeExporter" (it's probably at the bottom of the file). The depends-on attribute of this Service element contains a space-separated list of service IDs. Add the ID "shibboleth.VelocityEngine" to this list.

Relying Party configuration

In relying-party.xml, add the appropriate XML namespace declaration for OpenID. Add the following attribute to the root <RelyingPartyGroup> element alongside the other namespace declarations:


Add the following schema location declaration in the xsi:schemaLocation attribute of the same element:

urn:mace:shibboleth:2.0:relying-party:openid classpath:/schema/shibboleth-2.0-relying-party-openid.xsd

OpenID protocol support is handled in the same way as any other protocol in Shibboleth: it is configured per relying party. Add the following ProfileConfiguration to the appropriate relying party configurations:

<ProfileConfiguration xsi:type="openid:OpenIDAuthProfile" />

This profile configuration supports two optional attributes:

  • directedIdentifiers - boolean value that turns on the use of directed identifiers for the relying party. Defaults to 'false'.
  • directedIdentifierSalt - salt value that is used to generate directed identifiers, when enabled.
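
The following lint for relying-party.xml is an added example, not part of the original documentation or of the extension's code. It checks the steps above and resolves the xsi:type prefix through the in-scope namespace declarations, so the result does not depend on the prefix being spelled "openid". Assumptions: the prefix is bound to the namespace URI from the schemaLocation pair, and directedIdentifiers enabled without a salt is worth flagging (the page does not say how the extension behaves then); the `audit` name and the sample document are constructed.

```python
import io
import xml.etree.ElementTree as ET

# URI and XSD path come from the schemaLocation pair on this page; that the
# "openid" prefix is bound to this URI is an assumption.
OPENID_NS = "urn:mace:shibboleth:2.0:relying-party:openid"
OPENID_XSD = "classpath:/schema/shibboleth-2.0-relying-party-openid.xsd"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample (not a real deployment): directed identifiers, no salt.
SAMPLE = f"""<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
    xmlns:openid="{OPENID_NS}" xmlns:xsi="{XSI}"
    xsi:schemaLocation="{OPENID_NS} {OPENID_XSD}">
  <DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <ProfileConfiguration xsi:type="openid:OpenIDAuthProfile"
        directedIdentifiers="true" />
  </DefaultRelyingParty>
</RelyingPartyGroup>"""


def audit(xml_text):
    """Return findings for the OpenID settings in a relying-party.xml string."""
    findings, in_scope, root, profiles = [], [], None, 0
    stream = io.BytesIO(xml_text.encode("utf-8"))
    for event, obj in ET.iterparse(stream, events=("start-ns", "end-ns", "start")):
        if event == "start-ns":
            in_scope.append(obj)  # (prefix, uri) declared on the next element
        elif event == "end-ns":
            in_scope.pop()  # declaration went out of scope
        else:
            root = obj if root is None else root
            # xsi:type is a QName: resolve its prefix instead of trusting it.
            prefix, _, local = obj.get(f"{{{XSI}}}type", "").rpartition(":")
            uri = next((u for p, u in reversed(in_scope) if p == prefix), None)
            if (uri, local) != (OPENID_NS, "OpenIDAuthProfile"):
                continue
            profiles += 1
            directed = obj.get("directedIdentifiers", "false").strip() in ("true", "1")
            if directed and not obj.get("directedIdentifierSalt", "").strip():
                findings.append("directedIdentifiers enabled without directedIdentifierSalt")
    if profiles == 0:
        findings.append("no openid:OpenIDAuthProfile ProfileConfiguration found")
    tokens = root.get(f"{{{XSI}}}schemaLocation", "").split()
    if dict(zip(tokens[0::2], tokens[1::2])).get(OPENID_NS) != OPENID_XSD:
        findings.append("schemaLocation lacks the OpenID namespace/XSD pair")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```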


Relying party whitelisting is supported by using a special profile of SAML Metadata to identify the parties. A rather minimal OpenID metadata file identifying a single relying party might look like:

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:mace:shibboleth:openid">

    <EntityDescriptor entityID="">
        <SPSSODescriptor protocolSupportEnumeration="">
            <AssertionConsumerService Binding=""
                Location="" />
        </SPSSODescriptor>
    </EntityDescriptor>

</EntitiesDescriptor>



PAPE policy URLs are configured the same way as authentication methods. Add the desired URL to the appropriate LoginHandler in handler.xml inside of an AuthenticationMethod element.


If you wish to enable more verbose logging for OpenID, the package name is "edu.internet2.middleware.openid".