Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As of V3, a new IIS plugin is available which provides a richer and more secure integration with IIS version 7 and later. New Installations should use this version unless they are constrained to use IIS version 6 or earlier, but no such versions of IIS are actually supported and the old module is formally deprecated and likely to be removed in a future major release.

The old ISAPI filter/extension DLL (isapi_shib.dll) is still shipped (though formally deprecated ) and existing and likely to be removed in a future major release. It is officially unsupported, though the DLL will continue to be present through at least this major version. Existing installations will be updated to the latest version of the older DLL until such time as it is no longer available.

The configuration for the new module is backward-compatible with the old extension (although it uses Server variables rather than HTTP headers for AttributeAccess by default).

...

Additionally the new plugin allows form-preservation across a SSO login by setting the postData attribute in the <Sessions> element.

Upgrading an Existing Installation

...

The SP's internals don't understand the concept of a "site", so to correct for this, an IIS-specific piece of XML configuration must be included within the <ISAPI> element that performs a mapping between a site instance number/ID and the associated "canonical" virtual host information. Note that the hostname can be inferred by the plugin from the client request, but it is usual not to, and can create security vulnerabilities.

...

Any time you manipulate the <ISAPI> configuration section, you'll need to restart IIS completely.

Once the necessary site instance mappings are created, the rest of the per-request configuration is handled exclusively by the <RequestMapper> component, which essentially takes the place of what would be done in Apache with its command format.

...

The IIS plugin has limited support for Roles Based Authorization. This is performed by adding <Roles> <Roles> elements to the <ISAPI> element. However it is currently more usual to either perform the authorization within your application, or rely on the <RequestMapper> and the XML-based Access Control plugin (or an alternative plugin to the SP).

...

The SP supports an extensible set of content settings, properties that control how it interacts with requests and enforces various requirements. On IIS, these settings can be controlled only by attaching properties using the <RequestMapper> mechanism in the SP configuration.

For more information about using the <RequestMapper> feature, refer to the How To topic.