website/docs/social-logins: add shibboleth integration guide (#19909)

* docs/social-logins: add shibboleth integration guide

* Update website/docs/users-sources/sources/social-logins/shibboleth/index.md

Co-authored-by: Dewi Roberts <[email protected]>
Signed-off-by: Connor Peshek <[email protected]>

* Update website/docs/users-sources/sources/social-logins/shibboleth/index.md

Co-authored-by: Dewi Roberts <[email protected]>
Signed-off-by: Connor Peshek <[email protected]>

* Update website/docs/users-sources/sources/social-logins/shibboleth/index.md

Co-authored-by: Dewi Roberts <[email protected]>
Signed-off-by: Connor Peshek <[email protected]>

* Update website/docs/users-sources/sources/social-logins/shibboleth/index.md

Co-authored-by: Dewi Roberts <[email protected]>
Signed-off-by: Connor Peshek <[email protected]>

* add to sidebar

* Update website/docs/users-sources/sources/social-logins/shibboleth/index.md

Co-authored-by: Dewi Roberts <[email protected]>
Signed-off-by: Connor Peshek <[email protected]>

* lint

* Apply suggestion from @PeshekDotDev

Signed-off-by: Connor Peshek <[email protected]>

* Apply suggestion from @PeshekDotDev

Signed-off-by: Connor Peshek <[email protected]>

---------

Signed-off-by: Connor Peshek <[email protected]>
Co-authored-by: Dewi Roberts <[email protected]>

Author: PeshekDotDev

website/docs/sidebar.mjs

@@ -617,6 +617,7 @@ const items = [
                             },
                             "users-sources/sources/social-logins/mailcow/index",
                             "users-sources/sources/social-logins/plex/index",
+                            "users-sources/sources/social-logins/shibboleth/index",
                             "users-sources/sources/social-logins/telegram/index",
                             "users-sources/sources/social-logins/twitch/index",
                             "users-sources/sources/social-logins/twitter/index",

website/docs/users-sources/sources/social-logins/shibboleth/index.md

@@ -0,0 +1,73 @@
+---
+title: Shibboleth
+tags:
+    - source
+    - shibboleth
+    - saml
+---
+
+Allows users to authenticate using their [Shibboleth](https://www.shibboleth.net/about-us/the-shibboleth-project/) credentials by configuring Shibboleth as a federated identity provider via SAML.
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+- `shibboleth.company` is the FQDN of the Shibboleth IdP installation.
+- `shibboleth-slug` is the slug you will assign to the SAML source in authentik (e.g., `shibboleth`).
+
+## authentik configuration
+
+To integrate Shibboleth with authentik you will need to create a SAML source in authentik.
+
+### Create a SAML source in authentik
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Directory** > **Federation and Social login** and click **Create**.
+3. Select **SAML Source** and configure the following settings:
+    - Set **Name** to `Shibboleth`.
+    - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata url).
+    - Set **SSO URL** to `https://shibboleth.company/idp/profile/SAML2/Redirect/SSO`.
+    - Set **Binding Type** to `Redirect`.
+    - Set **Issuer** to `https://authentik.company/source/saml/<shibboleth-slug>/metadata/`.
+    - Set **NameID Policy** to `Transient`.
+      :::warning NameID Policy
+      Shibboleth supports the `Transient` NameID by default. You will need to reconfigure Shibboleth to use other NameIDs.
+      :::
+    - Set **Signing Keypair** to an authentik certificate (e.g., the default `authentik Self-signed Certificate`).
+    - Set **Encryption Certificate** to an authentik certificate (e.g., the default `authentik Self-signed Certificate`).
+4. Click **Finish**.
+
+:::info Display new source on login screen
+For instructions on how to display the new source on the authentik login page, refer to the [Add sources to default login page documentation](../../index.md#add-sources-to-default-login-page).
+:::
+
+:::info Embed new source in flow :ak-enterprise
+For instructions on embedding the new source within a flow, such as an authorization flow, refer to the [Source Stage documentation](../../../../../add-secure-apps/flows-stages/stages/source).
+:::
+
+## Shibboleth configuration
+
+To integrate Shibboleth with authentik you will need to add authentik as a service provider in your Shibboleth IdP.
+
+### Add authentik as a Service Provider
+
+1. Edit `/opt/shibboleth-idp/conf/metadata-providers.xml` on the Shibboleth IdP server.
+2. Add the following `MetadataProvider` element before the final closing tag of the existing `MetadataProvider` block:
+
+```xml
+<MetadataProvider id="Authentik"
+                  xsi:type="FileBackedHTTPMetadataProvider"
+                  backingFile="%{idp.home}/metadata/authentik-metadata.xml"
+                  metadataURL="https://authentik.company/source/saml/<shibboleth-slug>/metadata/" />
+```
+
+3. Restart the Shibboleth IdP to apply the changes.
+
+## Source property mappings
+
+Source property mappings allow you to modify or gather extra information from sources. See the [overview](../../property-mappings/index.md) for more information.
+
+## Resources
+
+- [Shibboleth IdP Documentation](https://shibboleth.atlassian.net/wiki/spaces/IDP5/overview)