OIDC - Quick questions

Liam Hoekenga liamr at umich.edu
Fri Jul 12 11:43:39 EDT 2019

tldr; use the GEANT extension -

If you are looking to integrate OIDC with the Shibboleth IDP, you should
used the GEANT extension.  The current release is 1.0.2.  University of
Michigan has been using in our production environments since the beginning
of the calendar year (and in non-prod since last summer).

I know of  two OIDC implementations for the Shibboleth IDP...
- https://github.com/uchicago/shibboleth-oidc
- https://github.com/CSCfi/shibboleth-idp-oidc-extension

The UChicago implementation was done by Unicon on behalf of the University
of Chicago (and later the University of Michigan) and it basically embeds
MitreID Connect OIDC server (
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server) into
the Shibboleth IDP.  It's not a tight integration.  MitreID maintains it's
own session store completely independently of the IDP, and we found it
didn't work well with our clustering configuration.  The attributes
available via OIDC are also limited to the standard claims defined in OpenID
Connect Core 1.0
<https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>, and
the mappings between the SAML attributes that are used to populate those
claims are "hard" - they are located in java source code, so to change
them, you'd need to recompile the extension.  If you have a single IDP, and
don't need anything beyond the standard claims, it works ok.

The CSCfi implementation was sponsored by GEANT.  It is a "from the ground
up" implementation.  While it depends on the "Nimbus OAuth 2.0 SDK with
OpenID Connect Extensions
<https://connect2id.com/products/nimbus-oauth-openid-connect-sdk>", this
was written as an extension to the Shibboleth IDP from the very beginning.
It is much more tightly integrated - they use common session storage, new
claims and scopes are easily defined in using the native attribute resolver
and filter mechanisms, and there is an excellent chance that this code will
eventually be adopted as into the Shibboleth IDPv4 distribution.  We've
been very happy using this extension.


On Wed, Jul 10, 2019 at 12:35 PM Joshua Brodie <josbrodie at gmail.com> wrote:

> For the folks using OIDC on IDP:
> - what module do you use?
> - is it considered 'production' ready?
> - would it be better to wait for IDPv4?
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190712/9c10b140/attachment.html>

More information about the users mailing list