Shibboleth OIDC Extension Tutorial

By the end of the tutorial attendees should have knowledge on how OIDC extension is both installed and configured to existing SAML2 Shibboleth IdP deployment.

Who is it for?

This training event is aimed at Shibboleth IdP administrators and Identity Federation Operator who work with Shibboleth.


Tutorial Programme

The Tutorial is planned over two day, December 11 & 12th, 2018, lunch to lunch:


Dec 11tth, OIDC extension resources & Trusts and Identity Configuration

Start 12:00


Part 1:

  • OIDC extension project developer resources

We first introduce project in general, wiki, support channels and access to source code.

  • Installation

We will perform installation of the OIDC extension on top of standard Shibboleth IdP installation.

Part 2:

  • Trust Management & OP configuration.

The provided virtual machines have a OIDC Relying Party (RP) that needs to establish trust relationship with Shibboleth OP. We first visit dynamic registration options and configure the OP to accept the dynamic registration requests of RP. Then we disable the dynamic registration and establish trust by adding the RP to local metadata file of the OP. In this section we also cover OP configuration.

  • Configuring Authentication

We configure one or some of the authentication methods in OP to have OIDC specific principals for selecting authentication method based on requested authentication context class reference (acr). This section covers both essential and nonessential acrs.



Dec 12th, Attributes & Credentials

Finish 14:00


Part 1

  • Attribute Definitions

We introduce OIDC encoders for attribute definitions. We cover also the cases of different response types and their impact on attribute availability and writing robust resolvers.

  • Attribute Filtering

We introduce new attribute filtering options to be used with OIDC RPs. How to combine OIDC specific options to existing ones and what can be expected from OIDC filtering options

  • Subject Identifier

In this section we introduce how subject identifier is generated. We study the provided configuration files and make modifications to them.


Part 2:

  • Credentials

We introduce new JWK signing credentials.

  • Profile Configurations

We familiarize attendees with the provided profile configuration options. Profile configuration options may be used to configure RP specific behaviour for OPs such as token lifetimes.

Course fees

There are no attendance fees


Course attendance and payment approval

GÉANT project participants can claim their expenses against NA1T6.

Read more about the approval and payment process in GN4.2.

Please use this link to access GEANT Privacy Notice (Privacy and Cookies section on ).

The Tutorial will be hosted by GÉANT Amsterdam.

To secure you place please registere here.

Henri Mikkonen

Henri has been working with federated identity technologies since early 2000’s, dealing with technologies like Libery Alliance, SAML, WS-*, PKI, OAuth2 and lately also OpenID Connect. During the past few years, most of his tasks have been related to implementing extensions for Shibboleth Identity Provider 3.0, including OIDC extension as a part of the GÉANT 4-2 project.


Janne Lauros

Janne is an application engineer interested in anything related to OpenID Connect, SAML2, Shibboleth and other SAML2 products, Identity Federations, Authorization, Smart Cards. Using mostly technologies like Java, Spring, Vagrant, Ansible and Vaadin 8. Currently developing Shibboleth IdP 3 extensions.