Warning: Under Construction / Alpha Test only

This page is under construction.

It refers to a product which is still under internal/Alpha test. It is currently slated to ship with V3.0 of the SP.

Introduction

The IISNative DLL is a Shibboleth integration against the API set which was introduced in IIS7.  The previous version (isapi_shib.dll) integrated against the old ISAPI APIs, which in turn required the deployment of explicit down-level support DLLs to provide interfaces to the legacy API.  The new DLL is a functional superset of the isapi_shib plugin, but it does not automatically replace the old one (which is still shipped).

The new DLL takes full advantage of the breadth of the IIS7 APIs.  Two notable advantages are:

  • By default it passes values to the application using Server Variables rather than HTTP Headers.
  • It can easily be configured to support native Roles-based Authorization, where the roles are derived directly from attributes passed to the SP.  An example use of role-based authorization is URL Authorization.

...

  • If a <Site> element is not specified for a site which uses the plugin, then the configuration is taken from IIS.  Notably, the host name is derived from the lower case of the name given to the site.
  • If a <Site> element is specified, the following extra attributes can be provided:
    • useVariables=boolean (default true) controls whether attributes are passed to the application as Server Variables.
    • useHeaders=boolean (default false) controls whether attributes are passed to the application as HTTP Headers.  This setting should be avoided, but is present to provide a level of compatibility with applications developed against the old isapi_shib plugin.
  • Additionally, a new element <Roles> may be specified.  This configures the roles that can be used in native Roles-based Authorization.  The following attributes can be provided:
    • authNRole=string (default ShibbolethAuthN).  Any principal that is logged in via the Shibboleth SP is given this role.
    • roleAttributes=space-separated-string-list (no default).  All values of all provided attributes with the names given are added to the roles associated with this principal.

...

The first site will be given the host name iis.example.org.

Every SP-authenticated principal will be given the role ShibUser.  Additionally, the attributes 'ePa' and 'ePsa' will be queried and their values used as roles.  Hence, if a user logged in via the SP and the following attributes were provided

...
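The following is an added example, not part of the original page or of the Shibboleth SP code: it models the <Site> and <Roles> rules described above (host name defaulting, the useVariables/useHeaders defaults, and the role set built from authNRole plus the values of the roleAttributes) against a constructed configuration fragment. The enclosing <ISAPI> element, the site ids and the IIS site names are assumptions for the sake of the example.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragment.  Only <Site>, <Roles> and their
# attributes follow the page; the <ISAPI> wrapper and ids are assumed.
CONFIG_XML = """
<ISAPI>
  <Site id="1" name="IIS.Example.Org" useHeaders="false"/>
  <Roles authNRole="ShibUser" roleAttributes="ePa ePsa"/>
</ISAPI>
""".strip()

# Site names as IIS would report them (constructed sample, keyed by site id).
IIS_SITE_NAMES = {"1": "IIS.Example.Org", "2": "Intranet"}

ROOT = ET.fromstring(CONFIG_XML)


def parse_bool(value, default):
    """Boolean attribute with a default when the attribute is absent."""
    return default if value is None else value.strip().lower() == "true"


def site_settings(root, site_id):
    """Host name and attribute-passing mode for one IIS site.

    Without a <Site> element the host name is the lower-cased IIS site name
    and the defaults apply: Server Variables on, HTTP Headers off."""
    site = next((s for s in root.findall("Site") if s.get("id") == site_id), None)
    attrs = site.attrib if site is not None else {}
    name = attrs.get("name") or IIS_SITE_NAMES[site_id]
    return {
        "host": name.lower(),
        "useVariables": parse_bool(attrs.get("useVariables"), True),
        "useHeaders": parse_bool(attrs.get("useHeaders"), False),
    }


def roles_for(root, attributes):
    """Roles for an SP-authenticated principal: the authNRole plus every
    value of every (multi-valued) attribute named in roleAttributes."""
    roles_el = root.find("Roles")
    cfg = roles_el.attrib if roles_el is not None else {}
    roles = {cfg.get("authNRole", "ShibbolethAuthN")}
    for attr_name in cfg.get("roleAttributes", "").split():
        roles.update(attributes.get(attr_name, []))
    return roles


if __name__ == "__main__":
    # Constructed sample of attributes released for one user.
    user_attrs = {"ePa": ["student", "member"], "ePsa": ["staff@example.org"]}
    print(site_settings(ROOT, "1"), site_settings(ROOT, "2"))
    print(sorted(roles_for(ROOT, user_attrs)))
```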

  • Updates the schema definition for shibboleth2.xml to include the new definitions.
  • Updates the ISAPI plugin to include code to test for dual (mis)configuration.
  • Installs the new Native plugin DLL.
  • Configures IIS with the new plugin.

...

  1. The event viewer ("Windows Logs\Application") may show a warning from SHIB_ISAPI.
  2. An attempt to access a protected resource will return a failure (status 500) and the native log will have the following line:

     ERROR Shibboleth.NATIVE [<pid>] native_shib: Shibboleth handler invoked at an unconfigured location.

     This indicates that configuration for the ISAPI filter is still active somewhere.