
The following steps allow you to continue the installation of Shibboleth on IIS web servers once the prerequisites are all in place and the module has been built or installed through binaries or RPMs. If this has not been performed yet, please select the proper operating system before continuing with this page.

Configure IIS:

The package includes an ISAPI filter and bundled extension for session startup in a single library, libexec\isapi_shib.dll. This filter is configured using commands in C:\opt\shibboleth\etc\shibboleth\shibboleth.xml (or wherever you've installed the software). Make sure you or the installer has added the lib directory to the path. You will generally need to restart the system after installation.

Installing the extension into IIS is a multi-step process:

...

  • First, add the filter using the Internet Services Manager MMC console. Right click on the machine icon on the left, and edit the WWW Service master properties. On the "ISAPI Filters" tab, add a new filter called Shibboleth and specify the DLL named above. The priority should be High, and once the filter is loaded, make sure it appears in the list below the sspifilt entry. Restart IIS and make sure the filter shows up with a green arrow. Check the Windows event log and/or the Shibboleth logs if it fails to load.
  • Secondly, map a special, distinct file extension, such as .sso, to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. Right click on the machine icon on the left, and edit the WWW Service master properties. On the "Home Directory" tab, add a script mapping using the "Configuration" button. The "Executable" box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but .sso is assumed (and the dot must be included). You should NOT select the option to limit verbs, and you MUST uncheck the "Check that file exists" box. On newer versions of IIS, checking the "Script Engine" box is suggested, as it will permit the extension to handle requests in directories with only script permissions assigned.
  • (IIS 6 Only): A new Web Service Extension must be defined for Shibboleth; without this, the mapping from *.sso to isapi_shib.dll won't occur and a file error will appear. Add this extension with an arbitrary name and associate it with isapi_shib.dll.
  • All other aspects of configuration are handled via the shibboleth.xml file and associated XML files described in subsequent sections. Particular use is made of the Implementation/ISAPI element that allows IIS sites to be mapped to a hostname for proper request mapping and generation of redirects. This must be configured now.

Instance IDs are used in the IIS metabase to identify web sites. In older versions, they are applied starting with 1 (one) and number the web sites in order in the Internet Services Manager from top to bottom. Newer versions appear to assign some IID values with strange ASCII formulas applied to the site name. A simple ASP or CGI script can be run within a site to dump the INSTANCE_ID header. Newer versions actually list the site ID in the GUI console.

Obtain a Bossie test certificate:

Note that Bossie will retire by February, 2008.

The following files should be kept in a secure directory, but there is no level of assurance for any certificate issued by Bossie. It must not be used in production.

  • First, generate a public/private keypair using OpenSSL.
    The following OpenSSL commands generate a new keypair and a certificate request, assuming 2048 bit RSA keys are to be used. They should be run from or stored in /etc/shibboleth/ in order to keep credentials with the configuration files to simplify storage, access, and maintenance. On Mac, Solaris, and Linux, use the following:
    Code Block
    
    # generate a 2048-bit RSA private key
    openssl genrsa -out supervillain.key 2048
    # create a certificate signing request from that key
    openssl req -new -key supervillain.key -out supervillain.csr
    

  • On Windows, openssl is bundled with Shibboleth and may be run from Shibboleth's bin/ folder using the following commands:
    Code Block
    
    REM generate a 2048-bit RSA private key
    openssl genrsa -out supervillain.key 2048
    REM create a certificate signing request from that key, using the bundled OpenSSL config
    openssl req -new -config ..\etc\shibboleth\openssl.cnf -key supervillain.key -out supervillain.csr
    

...

  • Complete the various DN components when prompted by OpenSSL. When OpenSSL requests Common Name (eg, YOUR name), it wants the full domain name of the server.
  • Print out the contents of the signing request (cat supervillain.csr) and paste the resulting block into the web form available at https://bossie.doit.wisc.edu:3443/cert/i2server/csr. The PIN is 4304538.
  • Use any text editor (e.g. vi) to take the resultant certificate from the webpage, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and put it in a matching .crt file.
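As an added example (not from this page or the Shibboleth project), a POSIX shell script that performs the key and CSR generation above and then checks, before the CA's reply is saved as the matching .crt file, that the returned certificate actually belongs to the private key. It assumes openssl is on PATH; the supervillain.* file names follow the page, while the subject and hostname are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth wiki page: generate the SP key and CSR
# as the page describes, then verify the CA's reply before saving it as the .crt file.
# Assumes openssl is on PATH; supervillain.* names follow the page, the CN is a placeholder.
set -u

# Create a 2048-bit RSA private key (owner-readable only) and a CSR whose Common Name
# is the server's full domain name, as the page instructs.
gen_keypair_and_csr() {
    name="$1"   # base file name, e.g. supervillain
    host="$2"   # full DNS name of the server, used as the CN
    # umask in a subshell so the key is written 0600 without changing the caller's umask
    ( umask 077 && openssl genrsa -out "$name.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$name.key" -out "$name.csr" \
        -subj "/O=Example SP/CN=$host" 2>/dev/null || return 1
    # The CSR carries a self-signature; check it verifies before submitting it.
    openssl req -in "$name.csr" -noout -verify >/dev/null 2>&1
}

# Succeed only if the PEM file has the BEGIN/END CERTIFICATE markers the page says
# must be included and its RSA modulus equals the private key's modulus.
cert_matches_key() {
    crt="$1"
    key="$2"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$crt" || return 1
    crt_mod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Usage:
#   gen_keypair_and_csr supervillain sp.example.org
#   (submit supervillain.csr to the CA and save the reply as supervillain.crt)
#   cert_matches_key supervillain.crt supervillain.key && echo "certificate matches key"
```

Run the check again whenever a certificate is renewed, since a CA reply pasted into the wrong .crt file is the usual cause of an SP that loads but cannot sign or decrypt.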

...

Proceed to Shibboleth Configuration