PAS via Shibboleth and Active Directory

Is it possible to configure Plone to authenticate users via AD and Shibboleth (if the user is not in AD)? Does anyone have practical knowledge?

You can integrate via SAML2 - which has been designed to include Shibboleth functionality.

SAML2 can e.g. be integrated either via a Web server solution together with a delegating PAS plugin or with dm.zope.saml2.

If you need only the authentication part, not groups, properties, enumerate users, ..., a different approach that still works is plone.session/iis-login at master · plone/plone.session · GitHub. A similar ASP script could easily be rewritten in other languages. The authentication part would be implemented outside Plone, generally on IIS or Apache2 + Shibboleth or whatever ...
