Hi @gauburtin,
Sorry for the late reply.
Shibboleth has “spoof checking” feature and it’s pretty robust according to https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking
Starting with version 2.2 (and 1.3.2), this feature should be left enabled, and
should be safe to use, as well as significantly more robust.
So I think we can count on this feature, and we will update https://manual.seafile.com/deploy/shibboleth_config.html soon.
If you still have any security concerns, please fall back to fastcgi mode which is the safest mechanism.