Versions Compared

Comment: fixed a few typos and grammar issues

...

  • In the GUI, select the server in the left-hand pane and click "ISAPI Filters" on the right.
    • Now remove any Shibboleth-related filters. Depending on the IIS version, for a default install this will be called Shibboleth or ShibFilter and will point to the executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
  • In the GUI, select the server in the left-hand pane and click "Handler Mappings" on the right.
    • Now remove any Shibboleth-related ISAPI handler mapping (generally for path *.sso). Depending on the IIS version, for a default install this will be called something like AboMapperCustom-8689 and will point to the executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
  • In the GUI, select the server in the left-hand pane and click "ISAPI and CGI Restrictions" on the right.

    • Now remove any Shibboleth-related permission grant. For a default install this will be called something like Shibboleth Web Service Extension and will point to the executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll

  • Edit %SYSTEMROOT%\System32\InetSrv\config\applicationHost.config and look for the words "shib" or "shib_isapi".

  • As well as the applicationHost.config file, you may need to inspect the web.config files for the sites and their subfolders.
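
One way to script the last two checks, as an added example that is not part of the original page. The $SiteRoots value is an assumption (the IIS default content root); replace it with the physical paths of your sites.

```powershell
# Added example: list leftover references to the old Shibboleth ISAPI plugin.
# Run from an elevated 64-bit PowerShell session before installing the new
# module; a 32-bit process is redirected away from System32 and will not see
# the real applicationHost.config.

$AppHostConfig = Join-Path $env:SystemRoot 'System32\inetsrv\config\applicationHost.config'

# Assumption: site content lives under the IIS default root. Adjust as needed.
$SiteRoots = @(Join-Path $env:SystemDrive 'inetpub')

# "shib" also matches shib_isapi and isapi_shib.dll.
# Select-String is case-insensitive by default.
$Pattern = 'shib'

# Collect applicationHost.config plus every web.config under the site roots.
$files = @()
if (Test-Path -LiteralPath $AppHostConfig) {
    $files += Get-Item -LiteralPath $AppHostConfig
} else {
    Write-Warning "Not found: $AppHostConfig"
}
foreach ($root in $SiteRoots) {
    if (Test-Path -LiteralPath $root) {
        $files += Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'web.config' -ErrorAction SilentlyContinue
    }
}

# Report the file, line number and text of each match.
$hits = @($files | Select-String -Pattern $Pattern |
    Select-Object Path, LineNumber, @{ Name = 'Text'; Expression = { $_.Line.Trim() } })

if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
    Write-Warning "$($hits.Count) line(s) still mention Shibboleth; review each one."
} else {
    Write-Output 'No Shibboleth references found in the scanned configuration files.'
}
```

The script only reads the files. Once the new module is installed, applicationHost.config will legitimately contain the new module names, so matches after that point need to be read individually.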

Configuring the New Plugin

...

Configuring the IIS7 DLL:
appcmd install module /name:ShibNative32 /image:"c:\opt\shibboleth-sp\lib\shibboleth\iis7_shib.dll" /precondition:bitness32
appcmd install module /name:ShibNative /image:"c:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" /precondition:bitness64

(Obviously, on a 32-bit machine only the first line is required.)

...

  • If a <Site> element is not specified for a site which uses the plugin, then the module will ignore requests to that site, as with the old plugin.
  • When the <Site> element is specified, the following new settings can be provided:
    • useVariables=boolean (default true) controls whether attributes are passed to the application as Server Variables.
    • useHeaders=boolean (default false) controls whether attributes are passed to the application as HTTP Headers. This setting should be avoided, but is present to provide a level of compatibility with applications developed against the old isapi_shib plugin. You should move aggressively to fix such applications.
  • REMOTE_USER will (usually) be populated in the manner one expects and that is familiar from the use of Shibboleth on Apache. This was not possible with the old plugin, which populated a weird and dangerous header (HTTP_REMOTE_USER) as a workaround. The new module does not populate that header regardless of the settings used, so this may impact applications immediately.
  • Additionally, a new element <Roles> may be specified. This configures the roles that can be used in native Roles Based Authorization.

...