Skip to content
Shibboleth SSO plugin for The Fascinator
Java Groovy
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

The Fascinator Shibboleth SSO Plugin

This project is a plugin for The Fascinator project: though, typically, it would be used in an institutional build of RedBoX: .

Shibboleth Installation

These instructions explain how to install the plugin and how to configure it, however, additional work is needed in order actually use shibboleth. Please see the following documentation for more information:

For windows users you may need to incorperate elements (and get downloads) from:


To compile the fascinator-shibboleth plugin:

#> mvn install

Institutional Build

To enable Shibboleth in your institutional build (when using ReDBox for example) add the following dependency to your pom.xml:


You will need to add the unpack-shib-conf execution to the maven-dependency-plugin:

       <!-- 1st - Unpack Generic Mint setup -->
                <!-- Shibboleth Resources -->

Enabling the Shibboleth plugin

In the sso section of home/system-config.json, enable the Shibboleth plugin:

"sso": {
    	"plugins": ["Shibboleth"],


Add the Shibboleth configuration section, and configure it according to your connector requirements (see below):

    "use_headers": "false",

Connector Configuration

There are two ways to configure the fascinator-shibboleth plugin:

Shibboleth Configuration Parameters


The use_headers element enables the Shibboleth plugin to process the request HEADERS along with the request ATTRIBUTES for Shibboleth attributes. This is disabled by default because it posses a security issue as clients can spoof the request headers.


The username_attribute element indicates which Shibboleth attribute contains the user's username.


The cn_attribute element indicates which Shibboleth attribute contains the user's common name.


The session_attribute element indicates which Shibboleth attribute contains the Shibboleth session ID.


The idp_attribute element indicates which Shibboleth attribute contains the Shibboleth IDP value.


The attributes element contains a list of Shibboleth attributes that will be extracted from the request and attached to the session for processing by role managers etc.


The delimiter element contains the character or string that will be used to split attributes that have multiple values delimited by the delimiter. eg: the affiliation attribute often contains more than on value:


###rolePlugins the rolePlugins element is a list of SimpleShibbolethRoleManager IDs that will be enabled by this configuration. eg. the config above enables the SimpleShibbolethRoleManager with:



When the SimpleShibbolethRoleManager is enabled it will need to be configured. It expects to find its configuration in the existing Shibboleth block, for example:


The format of the SimpleShibbolethRoleManager block is:

    [                                                       //
        [attribute, operation, rule_value],    //Rule1      // Rule Group  1
        [attribute, operation, rule_value]     //Rule2      //
    ]                                                       //
    [                                                       //
       [attribute, operation, rule_value],    //Rule3       // Rule Group 2
       [attribute, operation, rule_value]     //Rule4       //
    ]                                                       //


  • role is the role that will be applied.
  • attribute is the Shibboleth attribute attached to the session.
  • operation is the ID of the ShibSimpleRoleOperator plugin to use.
  • rule_value is a value passed to the operation along with the value of the attribute retrieved from the session.

Within a role's rule groups, the results of each operation are logically ANDed together. Between a role's rule groups, the rule group's results are logically ORed together. The first Role above would thus be evaluated as:

(Rule1 && Rule2) || (Rule3 && Rul4)


There are currently two types of plugins that can be implemented to extend the functionality of the fascinator-shibboleth plugin:


The ShibbolethRoleManager plugins allow developers to implement there own plugin for assigning roles to users. The ShibSimpleRoleOperator plugins allow developers to extent the functionality of the SimpleShibbolethRoleManager by implementing new operations. Both of these plugins use the standard Fascinator plugin mechanisms.


You can add the following to your server/jetty/resources/logback.groovy file to enable the output of the Shibboleth SSO plugin's debug messages to ${logHome}/logs/shibboleth.log

appender("Shibboleth", RollingFileAppender) {
  file = "${logHome}/logs/shibboleth.log"
  rollingPolicy(TimeBasedRollingPolicy) {
    fileNamePattern = "${logHome}/logs/archives/%d{yyyy-MM}"
    maxHistory = 30
  encoder(PatternLayoutEncoder) {
    pattern = "%d %-8X{name} %-6p %-20.20c{0} %m%n"
logger("", TRACE, ["Shibboleth"])


This project is supported by the Australian National Data Service (ANDS) through the National Collaborative Research Infrastructure Strategy Program and the Education Investment Fund (EIF) Super Science Initiative, as well as through the Queensland Cyber Infrastructure Foundation (QCIF).


All code licensed under GPLv2 - see LICENSE for details.

You can’t perform that action at this time.