Shibboleth 3 Contributions and Extensions

Identity Provider Extensions

The following extensions are software components that may be installed into the Shibboleth 3 Identity Provider.


Supported IdP Versions

Maintainer Contact Info.




A Shibboleth IdP external authentication plugin that delegates the authentication to an external CAS Server. It supports the ability to utilize a full range of native CAS protocol features such as renew and gateway. 

3.1,3.2fox@washington.eduThis data connector retrieves data from a restful web service.  We use this to retrieve group memberships.
Shibboleth-IdP3-TOTP-Auth3.2keijo@kvak.netThis authentication module provides 2-factor authentication with Google Authenticator. It works conjunction with User/Password flow. ATM it retrieves token seeds from external LDAP-server.
shib-mfa-duo-auth3.1-3.2unicon.netDuoSecurity multifactor plugin written by Unicon. Recommended if you need the full multi-context broker experience as described at Replicating Multi-Context Broker Functionality (Duo + Username/Password with user-opt-in forcing Duo).
duo_shibboleth3.1-3.2duosecurity.comDuoSecurity's own plugin, completely independent of and released shortly after Unicon's. Arguably simpler and includes fail-safe/bypass functionality not available in Unicon's. Does not create a new authn context – so SPs cannot demand Duo -- but quick & dirty opt-in-to-Duo functionality can still be achieved by adding code to their
shibboleth-mfa-u2f-auth3.2stefan.wold@unitedid.orgProvides U2F authentication support (2-factor). Works together with the user and password flow. Current version only have support for the Yubico U2F Validation Server as backend. Generic backend support for SQL and MongoDB will be available in August 2016.
shibboleth-oidc3.2.1UChicago/Unicon? (try the issue tracker)"We are working on adding support for the OpenID Connect protocol to the Shibboleth Identity Provider v3."

Build and Configuration Management Resources


Maintainer Contact Info.



A Shibboleth IdP base image ready for a configuration overlay. See a fully working idp example.

Salt formula for ShibbolethMatthew X. EconomouSaltStack formula that installs and configures the Shibboleth IdP, the Shibboleth SP, and the Shibboleth DS; currently tested against CentOS 7 and FreeBSD 10, and intended for use with CentOS/Debian/FreeBSD/RHEL/SUSE/Ubuntu/Windows.

Other Related Contributions

Other software components and/or documentation related to the use of Shibboleth IdP V3.


Maintainer Contact Info.


Sample SP

A sample SP application that is protected by Spring Security SAML.

Shibboleth IdP Maven  Shibboleth Identity Provider packaged and deployed as a Maven overlay.
Shibboleth IdP Template A template for installing the Shibboleth Identity Provider v3.0 which makes available the Shib-CAS-Authenticator plugin for external SSO authentication. The shibboleth installer is preconfigured and decorated with additional tasks that would provide a fully functional identity provider ready for deployment.
Shibboleth Messages Translationlukas.haemmerle@switch.chTranslations of the Shibboleth messages properties in different languages. Maintained by by several contributors.
Shibboleth IdP Gradle Overlaymmoayyed@unicon.netThe Shibboleth Identity Provider web application built using a Gradle overlay.
IdP Heap ManagementJim FoxDiscussion of garbage collection performance and parameters
Persistent Id with local databasesJim FoxDescription of a method of using independent, local postgres databases for persistent id generation and maintenance

A library of command-line tools for managing untrusted metadata using a Shibboleth LocalDynamicMetadataProvider