CSC's trainings and events have moved

Find our upcoming trainings and events at

This site is an archive version and is no longer updated.

Go to CSC Customer trainings and Events


GÉANT OIDC-Plugin for Shibboleth IdP
Date: 10.10.2018 09:30 - 10.10.2018 15:00
Location details: The event is organised at the CSC Training Facilities located in the premises of CSC at Keilaranta 14, Espoo, Finland. The best way to reach us is by public transportation; more detailed travel tips are available.
Language: english-language
lecturers: Janne Lauros
Henri Mikkonen
  • free-price-finnish-academics.
  • 280 for-others
The fee covers all materials, lunches as well as morning and afternoon coffees.
The seats are filled in the registration order. If a cancellation is received five (5) business days prior to the course, the course fee will be refunded with the exception of a handling fee of 10 €. For no-shows and cancellations after the cut of date no refunds will be made. Registration can be transferred to someone else from the same organization without additional charge.

Payment can be made with electronic invoicing, credit card, or direct bank transfer. Note that for electronic invoicing you need the operator and e-invoicing address (OVT code) of your organization. Please also note that invoice reference is needed for electronic invoicing in your organization, so please have this available when registering.
Additional Information

The course will be held in Finnish!

During the past few years, OpenID Connect (OIDC) has become a popular choice for implementing single sign-on to Web and native applications via trusted third party. For SAML2 Shibboleth IdP is one of the most deployed open source identity providers in our communities. Within the GEANT 4-2 project's task "Next Generation Trust and Identity Technology Development" we have set one of our goals to be providing a native-like OpenID Connect extension for Shibboleth IdP. Reaching the goal would benefit the numerous existing SAML2 Shibboleth IdP deployments by turning them also into OIDC Providers (OP).

The training is inteded for Shibboleth IdP administrators.

Learning outcome
In the end of the tutorial attendees should have knowledge on how OIDC extension is both installed and configured to existing SAML2 Shibboleth IdP deployment.

Good knowledge of Shibboleth Idp. Own laptop. For the attendees of the tutorial on the OIDC extension, we will provide pre-prepared virtual machines having Shibboleth IdP already installed.


OIDC extension project developer resources:
We first introduce project in general, wiki, support channels and access to source code.

We will perform installation of the OIDC extension on top of standard Shibboleth IdP installation.

Trust Management & OP configuration.
The provided virtual machines have a OIDC Relying Party (RP) that needs to establish trust relationship with Shibboleth OP. We first visit dynamic registration options and configure the OP to accept the dynamic registration requests of RP. Then we disable the dynamic registration and establish trust by adding the RP to local metadata file of the OP. In this section we also cover OP configuration.

Configuring Authentication
We configure one or some of the authentication methods in OP to have OIDC specific principals for selecting authentication method based on requested authentication context class reference (acr). This section covers both essential and nonessential acrs.

Attribute Definitions
We introduce OIDC encoders for attribute definitions. We cover also the cases of different response types and their impact on attribute availability and writing robust resolvers.

Attribute Filtering
We introduce new attribute filtering options to be used with OIDC RPs. How to combine OIDC specific options to existing ones and what can be expected from OIDC filtering options.

Subject Identifier
In this section we introduce how subject identifier is generated. We study the provided configuration files and make modifications to them.

We introduce new JWK signing credentials.

Profile Configurations
We familiarize attendees with the provided profile configuration options. Profile configuration options may be used to configure RP specific behaviour for OPs such as token lifetimes.