Half of Shibboleth runs within the web server. For IIS, this half is implemented in an ISAPI filter and extension packaged in a single file called isapi_shib.dll. Because most versions of IIS provide very minimal support for the configuration of extensions on its own, all of the runtime configuration is handled by the SP configuration file (shibboleth2.xml) with the exception of the basic installation of the filter and extension into IIS.
The low-level IIS installation details have been documented as part of the Windows installation process, and can be found linked from the NativeSPWindowsInstall topic for each supported version of IIS.
Typically, environment variables are used to set the appropriate path information to enable the library to locate the configuration file and initialize itself when IIS or its child processes are started.
If you experience startup problems, you should do the following:
Populate the <ISAPI> element in shibboleth2.xml with <Site> elements that reflect the IIS site/vhost configuration, and then use the <RequestMapper> to apply content settings.
IIS has a design difference that separates it from Apache: it provides no mechanism to securely establish the "canonical" properties of a web site like its hostname. Instead it divides the web server into "site instances" that can have properties like names and ports attached to them. The SP's portable internals don't understand the concept of a "site", so to correct for this, a non-portable piece of XML configuration is included within the <ISAPI> element that performs a mapping between a site instance number/ID and the associated "canonical" virtual host information.
It is critical when performing initial setup, and when adding new Shibboleth-enabled web sites to an IIS server, to create those mappings. Failure to do so will result in the system ignoring requests to unmapped sites. Note that this is also a feature: any site instances you provide no mapping for will be ignored by the software.
Any time you manipulate the <ISAPI> configuration section, you'll need to restart IIS completely.
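A check for the mapping requirement above, as an added example that is not part of the original page or of the Shibboleth project's code: it parses a shibboleth2.xml and reports IIS site IDs that have no <Site> mapping (and so are ignored by the SP), plus <Host> entries in the request map whose name matches no mapped site or alias. The configuration, host names and site IDs are constructed, and the list of IIS site IDs is assumed to be collected separately, for example from appcmd list site.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed shibboleth2.xml. Host names and site IDs are made up.
SAMPLE_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess>
    <ISAPI>
      <Site id="1" name="sp.example.org"/>
      <Site id="3" name="portal.example.org" scheme="https" port="443">
        <Alias>portal-alt.example.org</Alias>
      </Site>
    </ISAPI>
  </InProcess>
  <RequestMapper type="XML">
    <RequestMap applicationId="default">
      <Host name="sp.example.org" authType="shibboleth" requireSession="true"/>
      <Host name="intranet.example.org" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""

def local(tag):
    """Strip the XML namespace so the check does not depend on the config version."""
    return tag.rsplit("}", 1)[-1]

def audit(config_xml, iis_site_ids):
    """Return (unmapped IIS site IDs, RequestMap hosts with no matching <Site>)."""
    root = ET.fromstring(config_xml)
    mapped_ids, mapped_names, hosts = set(), set(), []
    for el in root.iter():
        if local(el.tag) == "Site":
            mapped_ids.add(el.get("id"))
            mapped_names.add(el.get("name", "").lower())
            mapped_names.update((a.text or "").strip().lower()
                                for a in el if local(a.tag) == "Alias")
        elif local(el.tag) == "Host":
            hosts.append(el.get("name", "").lower())
    unmapped = sorted(set(map(str, iis_site_ids)) - mapped_ids, key=int)
    orphan_hosts = [h for h in hosts if h not in mapped_names]
    return unmapped, orphan_hosts

if __name__ == "__main__":
    # Site IDs as listed by IIS (constructed here; e.g. from `appcmd list site`).
    unmapped, orphans = audit(SAMPLE_CONFIG, [1, 2, 3])
    print("IIS sites the SP will ignore:", unmapped)
    print("RequestMap hosts with no <Site> mapping:", orphans)
```

An unmapped site ID is only a finding when that site is meant to be protected; a <Host> reported here is a hint that its content settings may never be applied.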
Once the necessary site instance mappings are created, the rest of the per-request configuration is handled exclusively by the <RequestMapper> component. There is no "native" option as with the other web server implementations.
The module does not provide for integration with the native access control features of the web server. Therefore you will need to either perform such work within your application, or rely on the <RequestMapper> and the XML-based Access Control plugin (or an alternative plugin to the SP).
The SP supports an extensible set of content settings, properties that control how it interacts with requests and enforces various requirements. On IIS, these settings can be controlled only by attaching properties using the <RequestMapper> mechanism in the SP configuration.
For more information about using the <RequestMapper> feature, refer to the NativeSPRequestMapHowTo topic.