2018 Technology Exchange


TUTORIAL: GÉANT OIDC-Plugin for Shibboleth IdP (Separate Registration Required)

Time 10/15/18 01:00PM-05:00PM

Room Oceana Grand Ballroom 8

Session Abstract

During the past few years, OpenID Connect (OIDC) has become a popular choice for implementing single sign-on to Web and native applications via a trusted third party. For SAML2, Shibboleth IdP is one of the most widely deployed open source identity providers in our communities. Within the GEANT 4-2 project's task "Next Generation Trust and Identity Technology Development" we have set one of our goals to be providing a native-like OpenID Connect extension for Shibboleth IdP. Reaching this goal would benefit the numerous existing SAML2 Shibboleth IdP deployments by also turning them into OIDC Providers (OPs).

For the attendees of the tutorial on the OIDC extension, we will provide pre-prepared virtual machines with Shibboleth IdP already installed. The tutorial is divided into the following sections.

OIDC extension project developer resources:
We first introduce the project in general, its wiki, the support channels and access to the source code.

We perform the installation of the OIDC extension on top of a standard Shibboleth IdP installation.

Trust Management & OP Configuration
The provided virtual machines have an OIDC Relying Party (RP) that needs to establish a trust relationship with the Shibboleth OP. We first visit the dynamic registration options and configure the OP to accept the dynamic registration requests of the RP. Then we disable dynamic registration and establish trust by adding the RP to the local metadata file of the OP. In this section we also cover OP configuration.

Configuring Authentication
We configure one or more of the authentication methods in the OP to have OIDC-specific principals, so that the authentication method is selected based on the requested authentication context class reference (acr). This section covers both essential and non-essential acrs.
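The distinction between essential and non-essential acrs comes from OIDC Core: `acr_values` is a voluntary request, while the `claims` parameter can mark `acr` as an essential claim in the ID token, and an essential acr that the OP cannot satisfy must be treated as a failed authentication rather than silently downgraded. The following is an added illustration of that selection logic in Python; it is not code from the Shibboleth OIDC extension, and the acr-to-flow mapping, the default flow and the `authn_request` helper are constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed for this example: acr values this OP supports, mapped to a local
# authentication flow name (the real extension uses its own principal configuration).
SUPPORTED_ACRS = {
    "https://refeds.org/profile/mfa": "authn/MFA",
    "password": "authn/Password",
}
DEFAULT_ACR = "password"
DEFAULT_FLOW = SUPPORTED_ACRS[DEFAULT_ACR]


class AcrNotSatisfiable(Exception):
    """Raised when an essential acr request cannot be met (OIDC Core 5.5.1.1)."""


def authn_request(acr_values=None, claims=None):
    """Build a query string for a constructed authentication request."""
    params = {"response_type": "code", "client_id": "example-rp", "scope": "openid"}
    if acr_values is not None:
        params["acr_values"] = acr_values          # space-separated, voluntary
    if claims is not None:
        params["claims"] = json.dumps(claims)       # may mark acr essential
    return urlencode(params)


def requested_acrs(query):
    """Return (requested values in preference order, essential flag).

    The claims parameter takes precedence over acr_values when both name acr;
    acr_values is always non-essential.
    """
    params = parse_qs(query)
    if "claims" in params:
        acr_req = json.loads(params["claims"][0]).get("id_token", {}).get("acr")
        if acr_req is not None:
            if "values" in acr_req:
                values = list(acr_req["values"])
            elif "value" in acr_req:
                values = [acr_req["value"]]
            else:
                values = []
            return values, bool(acr_req.get("essential", False))
    if "acr_values" in params:
        return params["acr_values"][0].split(), False
    return [], False


def select_flow(query):
    """Pick the authentication flow for a request; return (flow, acr to assert)."""
    values, essential = requested_acrs(query)
    for acr in values:                      # first supported value wins
        if acr in SUPPORTED_ACRS:
            return SUPPORTED_ACRS[acr], acr
    if essential:
        # Essential and unsatisfiable: fail instead of returning a weaker acr.
        raise AcrNotSatisfiable("none of the requested acr values is supported: %r" % values)
    # Voluntary request (or none): run the default flow and report the acr
    # actually performed in the ID token so the RP can make its own decision.
    return DEFAULT_FLOW, DEFAULT_ACR


if __name__ == "__main__":
    print(select_flow(authn_request(acr_values="https://refeds.org/profile/mfa password")))
    print(select_flow(authn_request(claims={"id_token": {"acr": {"essential": True, "values": ["password"]}}})))
```

The point for an OP operator is the last branch: an unknown voluntary acr degrades gracefully to the default method, but the ID token must then carry the acr that was really performed, whereas an unknown essential acr is an error, never a downgrade.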

Attribute Definitions
We introduce the OIDC encoders for attribute definitions. We also cover the different response types, their impact on attribute availability, and how to write robust resolvers.

Attribute Filtering
We introduce the new attribute filtering options to be used with OIDC RPs, show how to combine the OIDC-specific options with the existing ones, and explain what can be expected from the OIDC filtering options.

Subject Identifier
In this section we introduce how the subject identifier is generated. We study the provided configuration files and make modifications to them.
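OIDC Core section 8 defines two subject identifier types: a public `sub` that is the same for every RP, and a pairwise `sub` that is derived from the RP's sector identifier, the local account identifier and a secret salt, so that two RPs in different sectors cannot correlate the same user. The following Python is an added illustration of that derivation, not code from the Shibboleth OIDC extension; the client records, the salt and the separator used in the hash input are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed for this example: in a real OP the salt is a long random secret
# that never changes, since changing it changes every pairwise identifier.
PAIRWISE_SALT = "constructed-salt-do-not-use"


def sector_identifier(client):
    """Sector identifier per OIDC Core 8.1.

    If the RP registered a sector_identifier_uri its host is the sector;
    otherwise all redirect_uris must share one host, which becomes the sector.
    """
    if client.get("sector_identifier_uri"):
        return urlparse(client["sector_identifier_uri"]).hostname
    hosts = {urlparse(uri).hostname for uri in client["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span several hosts; sector_identifier_uri is required")
    return hosts.pop()


def pairwise_sub(local_id, sector, salt=PAIRWISE_SALT):
    """SHA-256 over sector, local account id and salt, base64url without padding.

    The '|' separator is a constructed design choice: it prevents two different
    (sector, local_id) pairs from producing the same concatenated input.
    """
    material = "%s|%s|%s" % (sector, local_id, salt)
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def subject_for(client, local_id):
    """Return the sub value to put in the ID token for this RP and local user."""
    if client.get("subject_type", "public") == "public":
        return local_id
    return pairwise_sub(local_id, sector_identifier(client))


# Constructed client records in the shape of OIDC client metadata.
RP_A = {"client_id": "rp-a", "subject_type": "pairwise",
        "redirect_uris": ["https://app-a.example.org/cb"]}
RP_B = {"client_id": "rp-b", "subject_type": "pairwise",
        "redirect_uris": ["https://app-b.example.org/cb"]}
RP_A2 = {"client_id": "rp-a2", "subject_type": "pairwise",
         "redirect_uris": ["https://other.example.net/cb"],
         "sector_identifier_uri": "https://app-a.example.org/sector.json"}
RP_PUBLIC = {"client_id": "rp-pub", "subject_type": "public",
             "redirect_uris": ["https://pub.example.org/cb"]}

if __name__ == "__main__":
    for rp in (RP_A, RP_B, RP_A2, RP_PUBLIC):
        print(rp["client_id"], subject_for(rp, "jdoe"))
```

RP_A and RP_A2 share a sector (the second declares it through `sector_identifier_uri`) and therefore receive the same pairwise `sub` for the same user, while RP_B receives a different one; the public RP simply sees the local identifier.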

We introduce the new JWK signing credentials.

Profile Configurations
We familiarize attendees with the provided profile configuration options. Profile configuration options may be used to configure RP-specific behaviour of the OP, such as token lifetimes.

At the end of the tutorial attendees should know how the OIDC extension is installed and configured on an existing SAML2 Shibboleth IdP deployment.


Speaker Janne Lauros NORDUnet (Nordic Infrastructure for Research and Education)

Speaker Henri Mikkonen NORDUnet (Nordic Infrastructure for Research and Education)

Primary track Trust & Identity

Secondary tracks Information Security
