Allows the IIS7 module to perform roles based authorization.
| Note | |
|---|---|
| title | Require REMOTE_USERThe way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles. |
Attributes
Name | Type | Default | Description |
|---|---|---|---|
authNRole | string | ShibbolethAuthN | Any principal which is logged in via the SP is given this role. |
roleAttributes | whitespace-delimited list of strings | none | All values of all identified SP-mapped attributes are added to the Roles associated with this principal. |
Child Elements
None
Example
Roles based AuthZ
| Code Block | ||||
|---|---|---|---|---|
| ||||
<ISAPI> <Site id="1" name="sp.example.org" /> <Roles roleAttributes="affiliation" /> </ISAPI> |
Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally the attribute called "affiliation" will be queried and its values used as roles. Hence if a user logged in via the SP and the following attributes were provided
eppn : "
jdoe"affiliation : "
member@examplemember@example.org", "student@example.org"
The session would be have the REMOTE_USER variable set to be "jdoe" (assuming that the default settings) and the following roles:
...