From fa74d5bdc5716ec12c62c51f529c9cea2714adeb Mon Sep 17 00:00:00 2001
From: Fly <3713548+flyinghuman@users.noreply.github.com>
Date: Mon, 20 Feb 2023 16:14:16 +0100
Subject: [PATCH 1/6] Add Shibboleth with OIDC Plugin Documentation
---
 docs/openid.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/docs/openid.md b/docs/openid.md
index 6ee8c83ec0a2..a0980f413fac 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -549,6 +549,46 @@ oidc_providers:
 display_name_template: "{{ user.preferred_username|capitalize }}"
 ```
+### Shibboleth with OIDC Plugin
+
+[Shibboleth](https://www.shibboleth.net/) is an open Standard IdP solution widely used by Universities.
+
+1. Shibboleth needs the [OIDC Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP) installed and working correctly.
+2. Create a new config for the new endpoint on IDP Side:
+```yaml
+{
+ "client_id": "SOME-CLIENT-ID",
+ "client_secret": "SOME-SUPER-SECRET-SECRET",
+ "response_types": ["code"],
+ "grant_types": ["authorization_code"],
+ "scope": "openid profile email",
+ "redirect_uris": ["https://[synapse public baseurl]/_synapse/client/oidc/callback"]
+}
+```
+
+Synapse config:
+```yaml
+oidc_providers:
+ # Shibboleth IDP
+ #
+ - idp_id: shibboleth
+ idp_name: "Shibboleth Login"
+ discover: true
+ issuer: "https://YOUR-IDP-URL.TLD"
+ client_id: "YOUR_CLIENT_ID" #Note: not an URL because of Secial Chars
+ client_secret: "YOUR-CLIENT-SECRECT-FROM-YOUR-IDP"
+ scopes: ["openid", "profile", "email"]
+ allow_existing_users: true
+ user_profile_method: "userinfo_endpoint"
+ user_mapping_provider:
+ config:
+ subject_claim: "sub"
+ localpart_template: "{{ user.sub.split('@')[0] }}"
+ display_name_template: "{{ user.name }}"
+ email_template: "{{ user.email }}"
+```
+
+
 ### Mastodon
 [Mastodon](https://docs.joinmastodon.org/) instances provide an [OAuth API](https://docs.joinmastodon.org/spec/oauth/), allowing those instances to be used as a single sign-on provider for Synapse.
From a0fc3b0ec54a048c5a08cbef5cd33ee1de57619b Mon Sep 17 00:00:00 2001
From: Fly <3713548+flyinghuman@users.noreply.github.com>
Date: Wed, 22 Feb 2023 20:52:38 +0100
Subject: [PATCH 2/6] Update docs/openid.md
Co-authored-by: Patrick Cloke
---
 docs/openid.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/docs/openid.md b/docs/openid.md
index a0980f413fac..00dede189f2f 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -555,16 +555,15 @@ oidc_providers:
 1. Shibboleth needs the [OIDC Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP) installed and working correctly.
 2. Create a new config for the new endpoint on IDP Side:
-```yaml
+```json
 {
- "client_id": "SOME-CLIENT-ID",
- "client_secret": "SOME-SUPER-SECRET-SECRET",
- "response_types": ["code"],
- "grant_types": ["authorization_code"],
- "scope": "openid profile email",
- "redirect_uris": ["https://[synapse public baseurl]/_synapse/client/oidc/callback"]
+ "client_id": "SOME-CLIENT-ID",
+ "client_secret": "SOME-SUPER-SECRET-SECRET",
+ "response_types": ["code"],
+ "grant_types": ["authorization_code"],
+ "scope": "openid profile email",
+ "redirect_uris": ["https://[synapse public baseurl]/_synapse/client/oidc/callback"]
 }
-```
 Synapse config:
 ```yaml
From 38686eb15087d7a95bddde3cad802eccaa5c6831 Mon Sep 17 00:00:00 2001
From: Fly <3713548+flyinghuman@users.noreply.github.com>
Date: Wed, 22 Feb 2023 21:01:06 +0100
Subject: [PATCH 3/6] Ordered Alphabetically
---
 docs/openid.md | 81 ++++++++++++++++++++++++++------------------------
 1 file changed, 42 insertions(+), 39 deletions(-)
diff --git a/docs/openid.md b/docs/openid.md
index 00dede189f2f..119987313b7e 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -549,45 +549,6 @@ oidc_providers:
 display_name_template: "{{ user.preferred_username|capitalize }}"
 ```
-### Shibboleth with OIDC Plugin
-
-[Shibboleth](https://www.shibboleth.net/) is an open Standard IdP solution widely used by Universities.
-
-1. Shibboleth needs the [OIDC Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP) installed and working correctly.
-2. Create a new config for the new endpoint on IDP Side:
-```json
-{
- "client_id": "SOME-CLIENT-ID",
- "client_secret": "SOME-SUPER-SECRET-SECRET",
- "response_types": ["code"],
- "grant_types": ["authorization_code"],
- "scope": "openid profile email",
- "redirect_uris": ["https://[synapse public baseurl]/_synapse/client/oidc/callback"]
-}
-
-Synapse config:
-```yaml
-oidc_providers:
- # Shibboleth IDP
- #
- - idp_id: shibboleth
- idp_name: "Shibboleth Login"
- discover: true
- issuer: "https://YOUR-IDP-URL.TLD"
- client_id: "YOUR_CLIENT_ID" #Note: not an URL because of Secial Chars
- client_secret: "YOUR-CLIENT-SECRECT-FROM-YOUR-IDP"
- scopes: ["openid", "profile", "email"]
- allow_existing_users: true
- user_profile_method: "userinfo_endpoint"
- user_mapping_provider:
- config:
- subject_claim: "sub"
- localpart_template: "{{ user.sub.split('@')[0] }}"
- display_name_template: "{{ user.name }}"
- email_template: "{{ user.email }}"
-```
-
-
 ### Mastodon
 [Mastodon](https://docs.joinmastodon.org/) instances provide an [OAuth API](https://docs.joinmastodon.org/spec/oauth/), allowing those instances to be used as a single sign-on provider for Synapse.
@@ -629,6 +590,48 @@ oidc_providers:
 Note that the fields `client_id` and `client_secret` are taken from the CURL response above.
+### Shibboleth with OIDC Plugin
+
+[Shibboleth](https://www.shibboleth.net/) is an open Standard IdP solution widely used by Universities.
+
+1. Shibboleth needs the [OIDC Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP) installed and working correctly.
+2. Create a new config for the new endpoint on IDP Side:
+```json
+{
+ "client_id": "SOME-CLIENT-ID",
+ "client_secret": "SOME-SUPER-SECRET-SECRET",
+ "response_types": ["code"],
+ "grant_types": ["authorization_code"],
+ "scope": "openid profile email",
+ "redirect_uris": ["https://[synapse public baseurl]/_synapse/client/oidc/callback"]
+}
+```
+
+Synapse config:
+
+```yaml
+oidc_providers:
+ # Shibboleth IDP
+ #
+ - idp_id: shibboleth
+ idp_name: "Shibboleth Login"
+ discover: true
+ issuer: "https://YOUR-IDP-URL.TLD"
+ client_id: "YOUR_CLIENT_ID"
+ client_secret: "YOUR-CLIENT-SECRECT-FROM-YOUR-IDP"
+ scopes: ["openid", "profile", "email"]
+ allow_existing_users: true
+ user_profile_method: "userinfo_endpoint"
+ user_mapping_provider:
+ config:
+ subject_claim: "sub"
+ localpart_template: "{{ user.sub.split('@')[0] }}"
+ display_name_template: "{{ user.name }}"
+ email_template: "{{ user.email }}"
+```
+
+Hint: In my case using a URL like https://myawesomeservice.org as Client_ID lead to an error, so maybe better use something else with fewer special chars.
+
 ### Twitch
 1. Setup a developer account on [Twitch](https://dev.twitch.tv/)
From 62b739358eb99c33d8a20aade59c796e5c115332 Mon Sep 17 00:00:00 2001
From: Fly <3713548+flyinghuman@users.noreply.github.com>
Date: Wed, 22 Feb 2023 21:16:53 +0100
Subject: [PATCH 4/6] Update docs/openid.md
Co-authored-by: Patrick Cloke
---
 docs/openid.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/openid.md b/docs/openid.md
index 119987313b7e..3c14d9d5e65a 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -595,7 +595,8 @@ Note that the fields `client_id` and `client_secret` are taken from the CURL res
 [Shibboleth](https://www.shibboleth.net/) is an open Standard IdP solution widely used by Universities.
 1. Shibboleth needs the [OIDC Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP) installed and working correctly.
-2. Create a new config for the new endpoint on IDP Side:
+2. Create a new config on the IdP Side, ensure that the `client_id` and `client_secret`
+ are randomly generated data.
 ```json
 {
 "client_id": "SOME-CLIENT-ID",
From dc211b0c3e30269ff61a27659b58e850dd6707e4 Mon Sep 17 00:00:00 2001
From: Fly <3713548+flyinghuman@users.noreply.github.com>
Date: Wed, 22 Feb 2023 21:17:22 +0100
Subject: [PATCH 5/6] Update docs/openid.md
Co-authored-by: Patrick Cloke
---
 docs/openid.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/docs/openid.md b/docs/openid.md
index 3c14d9d5e65a..73f1e061210c 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -631,8 +631,6 @@ oidc_providers:
 email_template: "{{ user.email }}"
 ```
-Hint: In my case using a URL like https://myawesomeservice.org as Client_ID lead to an error, so maybe better use something else with fewer special chars.
-
 ### Twitch
 1. Setup a developer account on [Twitch](https://dev.twitch.tv/)
From ed8d91468c5c0dca8f28e3cbe0436966b0df10e2 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Wed, 22 Feb 2023 15:21:19 -0500
Subject: [PATCH 6/6] Create newsfragment.
---
 changelog.d/15112.doc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/15112.doc
diff --git a/changelog.d/15112.doc b/changelog.d/15112.doc
new file mode 100644
index 000000000000..7dec43a50b33
--- /dev/null
+++ b/changelog.d/15112.doc
@@ -0,0 +1 @@
+Document using [Shibboleth](https://www.shibboleth.net/) as an OpenID Provider.