I wrote a small model that intercepts requests to "/web" and looks for a Shibboleth session. If it finds one, it looks up the username to see if there's a matching username in odoo. If so, it creates an odoo login session.
I extended res.user by adding two fields (`sso_user` and `sso_session`). I then overrode `_check_credentials()` to see if there is a shibboleth session id mapped. If not, I revert back to standard odoo behavior (i.e. local login).
Next, I intercepted `@http.route("/web")` to look for shibboleth session headers indicating a session. If these headers exist, then it is here that I try to match the shibboleth username (email address) to a local (odoo) user.
It mostly works. The one place that it fails is when I try to upload attachments. I can't figure out why that is. My expectation is a user would already have a valid odoo session through /web so subsequent to that other paths (like whatever attachments are uploaded to) would work the same. You definitely have to make sure that your odoo session timeout is in sync with the shibboleth session timeout or things get very wonky. Other than that, it works pretty well - except for uploads.
Does anybody have any insight into why this would be the case?
I'm happy to share the source code for my module. Unfortunately, I don't have enough karma to post a link. You can go to github dot com / wz2b/odoo-auth-shibboleth if you are motivated to look at it.
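An added example, not part of the original post and not the poster's module: a framework-free Python sketch of the two decisions described above (trusting Shibboleth headers on `/web`, then checking the mapped session id before falling back to local login). The header names, the trusted proxy address, the boolean meaning given to `sso_user`, and the in-memory user table are all assumptions made for illustration.

```python
import hmac
import ipaddress

# Assumptions (not from the post): header names and the proxy network.
SESSION_HEADER = "Shib-Session-ID"
USER_HEADER = "mail"
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

# Constructed stand-in for user records; a real deployment stores password hashes.
USERS = {
    "alice@example.org": {"sso_user": True, "sso_session": None, "password": "local-pw"},
    "bob@example.org": {"sso_user": False, "sso_session": None, "password": "bob-pw"},
}

def from_trusted_proxy(remote_addr):
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)

def sso_login_from_headers(headers, remote_addr, users=USERS):
    """The /web step: return the login to open a session for, or None."""
    if not from_trusted_proxy(remote_addr):
        return None  # headers arriving from anywhere else are client-controlled
    h = {k.lower(): v for k, v in headers.items()}
    session_id = h.get(SESSION_HEADER.lower(), "").strip()
    login = h.get(USER_HEADER.lower(), "").strip().lower()
    user = users.get(login)
    if not session_id or user is None or not user["sso_user"]:
        return None
    user["sso_session"] = session_id  # remembered for check_credentials()
    return login

def check_credentials(login, credential, users=USERS):
    """The credential-check step: mapped SSO session id first, then local login."""
    user = users.get(login)
    if user is None:
        return False
    stored = user["sso_session"]
    if stored and hmac.compare_digest(stored.encode(), credential.encode()):
        return True
    # No Shibboleth session mapped (or it did not match): standard local login.
    return hmac.compare_digest(user["password"].encode(), credential.encode())
```

The source-address check matters because any request path that reaches the application without passing through the Shibboleth-protected proxy can carry these headers set by the client.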