diff --git a/crates/handlers/src/upstream_oauth2/link.rs b/crates/handlers/src/upstream_oauth2/link.rs
index 3bfdc4d33..08281291f 100644
--- a/crates/handlers/src/upstream_oauth2/link.rs
+++ b/crates/handlers/src/upstream_oauth2/link.rs
@@ -456,7 +456,7 @@ pub(crate) async fn get(
}
// We do a bunch of checks for the localpart. Instead of using nested ifs all
- // the way, we use a labelled block, and use `break` for 'exitting' early when
+ // the way, we use a labelled block, and use `break` for 'exiting' early when
// needed
let localpart = 'localpart: {
if provider.claims_imports.localpart.ignore() {
@@ -942,7 +942,7 @@ pub(crate) async fn post(
if let Some(ref display_name) = display_name {
ctx = ctx.with_display_name(
display_name.clone(),
- provider.claims_imports.email.is_forced_or_required(),
+ provider.claims_imports.displayname.is_forced_or_required(),
);
}
diff --git a/docs/reference/cli/manage.md b/docs/reference/cli/manage.md
index d633c4108..24f640014 100644
--- a/docs/reference/cli/manage.md
+++ b/docs/reference/cli/manage.md
@@ -78,7 +78,8 @@ Create a new user registration token.
Options:
- `--token `: Specific token string to use. If not provided, a random token will be generated.
-- `--usage-limit `: Limit the number of times the token can be used. If not provided, the token can be used an unlimited number of times.
+- `--usage-limit `: Limit the number of times the token can be used. If not provided, the token can be can be used only once, unless the `--unlimited` flag is set.
+- `--unlimited` Allow the token to be used an unlimited number of times.
- `--expires-in `: Time in seconds after which the token expires. If not provided, the token never expires.
```
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index d18e5a44d..5c1572ac1 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
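Review bot: Nothing in the `post` hunk pins which claims-import policy feeds the second argument of `ctx.with_display_name(...)`, and since the `email` call elsewhere presumably looks almost identical, the same copy-paste slip that this commit fixes can come back unnoticed. I'd add a handler test that configures `claims_imports.displayname` as forced/required while leaving `email` non-forced and asserts the display-name flag in the rendered context follows the display-name policy, plus the mirrored case; before this fix that flag tracked the email policy, so a forced/required display name was presumably not enforced in this path unless email was forced too. A short comment above the call would make the pairing explicit, e.g. `// Second argument must follow the display-name import policy, not the email one.`. `post` starts and ends outside this hunk.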
@@ -796,15 +796,6 @@ upstream_oauth2:
#action: suggest
#template: "{{ user.email }}"
- # Whether the email address must be marked as verified.
- # Possible values are:
- # - `import`: mark the email address as verified if the upstream provider
- # has marked it as verified, using the `email_verified` claim.
- # This is the default.
- # - `always`: mark the email address as verified
- # - `never`: mark the email address as not verified
-#set_email_verification: import
-
# An account name, for display purposes only
# This helps end user identify what account they are using
account_name:
diff --git a/docs/setup/sso.md b/docs/setup/sso.md
index 62835bb77..15d0212d7 100644
--- a/docs/setup/sso.md
+++ b/docs/setup/sso.md
@@ -218,7 +218,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
```
@@ -255,7 +254,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
```
@@ -296,7 +294,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
account_name:
template: "{{ user.name }}"
```
@@ -467,7 +464,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
```
@@ -504,7 +500,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
- set_email_verification: always
account_name:
template: "{{ user.preferred_username }}"
```
@@ -606,3 +601,70 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
"id_token_signed_response_alg": "RS256"
}
```
+
+
+### Shibboleth
+
+[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
+It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).
+
+These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.
+
+Register MAS as a relying party in Shibboleth:
+
+1. Add a metadata file (e.g. `mas-metadata.xml`) to `%{idp.home}/metadata/` with the following content:
+
+ ```xml
+
+
+
+
+
+
+
+
+
+ authorization_code
+ code
+
+
+
+
+
+ ```
+
+ Replace ``, ``, ``, and `` with your values.
+
+2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
+
+Authentication service configuration:
+
+```yaml
+upstream_oauth2:
+ providers:
+ - id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
+ human_name: Shibboleth
+ issuer: "https:///" # TO BE FILLED
+ client_id: "" # TO BE FILLED
+ client_secret: "" # TO BE FILLED
+ token_endpoint_auth_method: client_secret_basic
+ scope: "openid profile email"
+ discovery_mode: insecure
+ fetch_userinfo: true
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ user.preferred_username }}"
+ displayname:
+ action: suggest
+ template: "{{ user.name }}"
+ email:
+ action: suggest
+ template: "{{ user.email }}"
+```