...

  1. Add the filter using the IIS Manager console. At either the top-level or individual Site level, select the "ISAPI Filters" feature; then, add a new filter called Shibboleth and specify the lib\shibboleth\isapi_shib.dll library. For V2.5+ on a 64-bit IIS, the relative path is lib64\shibboleth\isapi_shib.dll.
  2. Map the *.sso file extension to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. This is done under "Handler Mappings" using the "Add Script Map..." action. The Executable box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but *.sso is assumed (and the asterisk and dot must be included).
    1. Configure Request Restrictions for the handler mapping to permit the handler to execute for all requests that match the extension. While still in the "Add Script Map" dialog, click on "Request Restrictions." In the "Mapping" tab, un-check the option labeled "Invoke handler only if request is mapped to..." If checked, the handler will activate only for real files or folders matching the extension, instead of activating on all requests, regardless of whether the file exists. (After saving the script map, the "Path Type" column for the new handler in the Handler Mappings list should be "Unspecified.")
  3. Add the Shibboleth ISAPI Extension to the list of allowed extensions. This is under "ISAPI and CGI Restrictions" at the top level.
  4. Restart IIS. At this point, I don't know enough of IIS7 to know how to diagnose filter load problems, but the filter does log startup and shutdown events in the Windows event log.

 

The following commands may perform the above steps for some people, but are known not to work on probably most Server 2012/IIS 8 systems:

Code Block
cd C:\Windows\System32\inetsrv
appcmd set config /section:isapiFilters /+[name='shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',enabled='true']
appcmd set config /section:handlers /+[name='Shibboleth',path='*.sso',verb='*',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll']
appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='Shibboleth',allowed='True']
iisreset
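
Because the commands above can fail silently on some systems, it helps to confirm that all three settings actually landed. The following is an added example, not part of the original page or the Shibboleth project: it parses a copy of applicationHost.config and reports which of the steps (filter, script map without request restrictions, ISAPI/CGI restriction) is missing or mismatched. The sample XML is constructed, and treating an absent resourceType as "Unspecified" and an absent enabled as true are assumptions about IIS defaults.

```python
import xml.etree.ElementTree as ET

# DLL path as used in the appcmd commands above.
DLL = r"C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll"

# Constructed sample: a trimmed applicationHost.config fragment with two mistakes.
SAMPLE = r"""<configuration><system.webServer>
  <isapiFilters>
    <filter name="shibboleth" enabled="true"
            path="C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll" />
  </isapiFilters>
  <handlers>
    <add name="Shibboleth" path="*.sso" verb="*" resourceType="File"
         scriptProcessor="C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll" />
  </handlers>
  <security><isapiCgiRestriction>
    <add path="C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll"
         allowed="true" description="Shibboleth" />
  </isapiCgiRestriction></security>
</system.webServer></configuration>"""

def _same(a, b):
    # Windows paths compare case-insensitively; config values may be quoted.
    return (a or "").strip('"').lower() == b.lower()

def audit(config_xml, dll=DLL, ext="*.sso"):
    """Return a list of findings; an empty list means all three steps are present."""
    root = ET.fromstring(config_xml)
    findings = []
    # Step 1: filter registered (absent 'enabled' treated as true: assumption).
    filters = [f for s in root.iter("isapiFilters") for f in s.iter("filter")
               if _same(f.get("path"), dll)]
    if not any(f.get("enabled", "true").lower() == "true" for f in filters):
        findings.append("filter: no enabled isapiFilters entry for the DLL")
    # Step 2: script map for the extension, with no request restriction.
    maps = [h for s in root.iter("handlers") for h in s.iter("add")
            if h.get("path") == ext and _same(h.get("scriptProcessor"), dll)]
    if not maps:
        findings.append("handler: no script map for " + ext)
    for h in maps:
        rtype = h.get("resourceType", "Unspecified")  # assumed default
        if rtype != "Unspecified":
            findings.append("handler: resourceType=%s, only real files/folders match" % rtype)
    # Step 3: the exact DLL path must be allowed under ISAPI and CGI Restrictions.
    allowed = [r for s in root.iter("isapiCgiRestriction") for r in s.iter("add")
               if _same(r.get("path"), dll) and r.get("allowed", "").lower() == "true"]
    if not allowed:
        findings.append("restriction: DLL path is not in the allowed list")
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the restricted handler mapping and the lib/lib64 path mismatch in the restriction list.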
 

Basic Configuration

  • IIS7 may require that you manually install the script mapping and/or the filter itself at the site level, rather than at the root of all the sites. You may also wish to do this to ensure that the filter only runs on a subset of your web sites.

...