From 197815ae7a4f6acc735bd0100937b96790931941 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 27 Nov 2025 15:31:20 +0000 Subject: [PATCH] Add Shibboleth sample configuration to SSO documentation Co-authored-by: sandhose <1549952+sandhose@users.noreply.github.com> --- docs/setup/sso.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)
diff --git a/docs/setup/sso.md b/docs/setup/sso.md
index 3442d06bd..1d993242d 100644
--- a/docs/setup/sso.md
+++ b/docs/setup/sso.md
@@ -601,3 +601,51 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
 "id_token_signed_response_alg": "RS256"
 }
 ```
+
+
+### Shibboleth
+
+[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
+It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).
+
+These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.
+
+Register MAS as a relying party in Shibboleth:
+
+1. Add a metadata file to `%{idp.home}/metadata/` (see the [Shibboleth documentation](https://shibboleth.atlassian.net/wiki/spaces/SC/pages/1912406916/OAuthRPMetadataProfile) for the template).
+
+ Adjust the following in the metadata file:
+ - Client ID: `entityID=""`
+ - Client Secret: ``
+ - Redirect URI: `Location="https:///upstream/callback/"`
+ - Scope: `scopes="openid profile email"`
+
+2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
+
+Authentication service configuration:
+
+```yaml
+upstream_oauth2:
+ providers:
+ - id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
+ human_name: Shibboleth
+ issuer: "https:///" # TO BE FILLED
+ client_id: "" # TO BE FILLED
+ client_secret: "" # TO BE FILLED
+ token_endpoint_auth_method: client_secret_basic
+ scope: "openid profile email"
+ discovery_mode: insecure
+ fetch_userinfo: true
+ userinfo_endpoint: "https:///idp/profile/oidc/userinfo" # TO BE FILLED, check your /.well-known/openid-configuration
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ user.preferred_username }}"
+ displayname:
+ action: suggest
+ template: "{{ user.name }}"
+ email:
+ action: suggest
+ template: "{{ user.email }}"
+ set_email_verification: always
+```