use C4::Auth_with_shibboleth;


This module is specific to Shibboleth authentication in koha and relies heavily upon the native shibboleth service provider package in your operating system.


To use this type of authentication these additional packages are required:

We let the native shibboleth service provider packages handle all the complexities of shibboleth negotiation for us, and configuring this is beyond the scope of this documentation.

But to sum up, to get shibboleth working in koha, as a minimum you will need to:

  1. Create some metadata for your koha instance (if you're in a single instance setup then the default metadata available at https://youraddress.com/Shibboleth.sso/Metadata should be adequate)
  2. Swap metadata with your Identidy Provider (IdP)
  3. Map their attributes to what you want to see in koha
  4. Tell apache that we wish to allow koha to authenticate via shibboleth.

    This is as simple as adding the below to your virtualhost config (for CGI running):

     <Location />
       AuthType shibboleth
       Require shibboleth

    Or (for Plack running):

     <Location />
       AuthType shibboleth
       Require shibboleth
       ShibUseEnvironment Off
       ShibUseHeaders On

    IMPORTANT: Please note, if you are running in the plack configuration you should consult https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking for security advice regarding header spoof checking settings. (See also bug 17776 on Bugzilla about enabling ShibUseHeaders.)

  5. Configure koha to listen for shibboleth environment variables.

    This is as simple as enabling useshibboleth in koha-conf.xml:

  6. Map shibboleth attributes to koha fields, and configure authentication match point in koha-conf.xml.
       <matchpoint>userid</matchpoint> <!-- koha borrower field to match upon -->
         <userid is="eduPersonID"></userid> <!-- koha borrower field to shibboleth attribute mapping -->

    Note: The minimum you need here is a <matchpoint> block, containing a valid column name from the koha borrowers table, and a <mapping> block containing a relation between the chosen matchpoint and the shibboleth attribute name.

It should be as simple as that; you should now be able to login via shibboleth in the opac.

If you need more help configuring your Service Provider to authenticate against a chosen Identity Provider then it might be worth taking a look at the community wiki page



Sends a logout signal to the native shibboleth service provider and then logs out of koha. Depending upon the native service provider configuration and identity provider capabilities this may or may not perform a single sign out action.



Given a query, this will return a shibboleth login url with return code to page with given given query.

  my $shibLoginURL = login_shib_url($query);


Returns the shibboleth login attribute should it be found present in the http session

  my $shib_login = get_login_shib();


Given a shib_login attribute, this routine checks for a matching local user and if found returns true, their cardnumber and their userid. If a match is not found, then this returns false.

  my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib( $shib_login );



A sugar function to that simply returns the current page URI with appropriate protocol attached

This routine is NOT exported


  my $config = _get_shib_config();

A sugar function that checks for a valid shibboleth configuration, and if found returns a hashref of it's contents

This routine is NOT exported


  my ( $retval, $retcard, $retuserid ) = _autocreate( $config, $match );

Given a shibboleth attribute reference and a userid this internal routine will add the given user to Koha and return their user credentials.

This routine is NOT exported