Introducing Shin, a Shibboleth IdP admin Library

by Pete Birkinshaw
Admin tools for Shibboleth IdPs

Another open source release from Digital Identity Labs: Shin is an Elixir package written to access the various administration APIs provided by the Shibboleth IdP software.

The Shibboleth Identity Provider has a variety of admin APIs that are frequently overlooked. For many administrators the only time they access the admin APIs is when using some of the tools bundled with the IdP, such as aacli or mdquery, which can sometimes be fiddly to use even on the same server as the IdP. Shin aims to offer the same functionality as the bundled admin scripts but as an Elixir library suitable for use in scripts and web services.

The admin APIs of the Shibboleth IdP allow you to:

  • Look up the attributes that will be released for a particular user: this is incredibly useful when configuring or debugging attribute release filters and attributes.
  • Fetch metadata for SPs from the IdP itself - handy to check that the correct version is being used, or to warm metadata caches.
  • Get live status metrics on things like RAM usage, number of logins, Java versions and even custom stats
  • Lock out abusive users, or remove locks.
  • Restart individual components (services) within the IdP without restarting the entire IdP - incredibly useful when making changes while avoiding a service outage.

Mimoto will be using Shin in some new products planned for next year but it’s easy to use in small scripts too - there’s an example in the GitHub repository.

Shin is available from with documentation online at You can see the Shin source code at GitHub.

We’ve included a Livebook of example code so you can easily try Shin with your own Shibboleth service:

Run in Livebook

(You can get Livebook here)