The following steps allow you to continue the installation of Shibboleth on IIS webservers once the prerequisites are all in place and the module has been built or installed through binaries or RPMs. If this has not been performed yet, please select the ... before continuing with this page.

Configure IIS:

The package includes an ISAPI filter and bundled extension for session startup in a single library, libexec\isapi_shib.dll. This filter is configured using commands in C:\opt\shibboleth\etc\shibboleth\shibboleth.xml (or wherever you've installed the software). Make sure you or the installer has added the lib directory to the path. You will generally need to restart the system after installation.

Installing the extension into IIS is a multi-step process:

- First, add the filter using the Internet Services Manager MMC console. Right-click on the machine icon on the left, and edit the WWW Service master properties. On the "ISAPI Filters" tab, add a new filter called Shibboleth and specify the DLL named above. The priority should be High, and once the filter is loaded, make sure it appears in the list below the sspifilt entry. Restart IIS and make sure the filter shows up with a green arrow. Check the Windows event log and/or the Shibboleth logs if it fails to load.
- Secondly, map a special, distinct file extension, such as .sso, to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. Right-click on the machine icon on the left, and edit the WWW Service master properties. On the "Home Directory" tab, add a script mapping using the "Configuration" button. The "Executable" box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but .sso is assumed (and the dot must be included). You should NOT select the option to limit verbs, and you MUST uncheck the "Check that file exists" box. On newer versions of IIS, checking the "Script Engine" box is suggested, as it will permit the extension to handle requests in directories with only script permissions assigned.
- (IIS 6 only): A new Web Service Extension must be defined for Shibboleth; without this, the mapping from *.sso to isapi_shib.dll won't occur and a file error will appear. Add this extension with an arbitrary name and associate it with isapi_shib.dll.
- All other aspects of configuration are handled via the shibboleth.xml file and associated XML files described in subsequent sections. Particular use is made of the Implementation/ISAPI element that allows IIS sites to be mapped to a hostname for proper request mapping and generation of redirects. This must be configured now.

Instance IDs are used in the IIS metabase to identify web sites. In older versions, they are applied starting with 1 (one) and number the web sites in order in the Internet Services Manager from top to bottom. Newer versions appear to assign some IID values with strange ASCII formulas applied to the site name. A simple ASP or CGI script can be run within a site to dump the INSTANCE_ID header. Newer versions actually list the site ID in the GUI console.

Obtain a Bossie test certificate:

Note that Bossie will retire by February, 2008.

The following files should be kept in a secure directory, but there is no level of assurance for any certificate issued by Bossie. It must not be used in production.

- First, generate a public/private keypair using OpenSSL. The following OpenSSL commands generate a new keypair and a certificate request, assuming 2048 bit RSA keys are to be used. They should be run from or stored in /etc/shibboleth/ in order to keep credentials with the configuration files to simplify storage, access, and maintenance. On Mac, Solaris, and Linux, use the following (the genrsa step creates the supervillain.key that the req step reads, as in the Windows commands below):

    keytool -genkey -alias signFiles -keypass sibboleth -keystore shibbolethsp -storepass hamasakiayumi
    openssl genrsa -out supervillain.key 2048
    openssl req -new -key supervillain.key -out supervillain.csr

- On Windows, openssl is bundled with Shibboleth and may be run from Shibboleth's bin/ folder using the following commands:

    openssl genrsa -out supervillain.key 2048
    openssl req -new -config ..\etc\shibboleth\openssl.cnf -key supervillain.key -out supervillain.csr

- Complete the various DN components when prompted by OpenSSL. When OpenSSL requests Common Name (eg, YOUR name), it wants the full domain name of the server. cat out the contents of the signing request:

    cat supervillain.csr

  and paste the resulting block into the web form available at https://bossie.doit.wisc.edu:3443/cert/i2server/csr. The PIN is 4304538.
- Use any text editor (e.g. vi) to take the resultant certificate from the webpage, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and put it in a matching .crt file.
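The last step above is where copy/paste mistakes usually happen: a marker line gets dropped, page text comes along with the block, or the body is corrupted. The following Python helper is an added example and is not part of the original page or of the Shibboleth project. It takes the text copied from the issuing web page, extracts the block between the BEGIN/END CERTIFICATE markers, checks that the body is valid base64 wrapping a single DER SEQUENCE (the outer structure every X.509 certificate has), re-wraps it as canonical PEM and writes it to the .crt file whose name matches the .csr. The sample page text and the DER bytes in it are constructed for the example; they are not a real certificate.

```python
import base64
import binascii
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def looks_like_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose declared
    length covers the rest of the buffer, as any X.509 certificate must be."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, offset = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(der)


def pem_body_to_der(pem: str) -> bytes:
    """Decode the base64 between the markers; rejects junk characters."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = re.sub(r"\s+", "", m.group(1))  # tolerate any line wrapping / CRLF
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc


def extract_pem_certificates(page_text: str) -> list:
    """Return every certificate in page_text, each re-wrapped as canonical PEM
    (markers on their own lines, 64-character base64 lines, trailing newline)."""
    certs = []
    for m in PEM_RE.finditer(page_text):
        der = pem_body_to_der(m.group(0))
        if not looks_like_der_sequence(der):
            raise ValueError("certificate body is not a DER SEQUENCE")
        body = base64.b64encode(der).decode("ascii")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("\n".join([BEGIN, *lines, END]) + "\n")
    return certs


def crt_path_for(csr_path) -> Path:
    """supervillain.csr -> supervillain.crt, kept beside the key and request."""
    return Path(csr_path).with_suffix(".crt")


def save_certificate(page_text: str, csr_path) -> Path:
    """Write the single certificate found in page_text next to csr_path."""
    certs = extract_pem_certificates(page_text)
    if len(certs) != 1:
        raise ValueError(f"expected one certificate, found {len(certs)}")
    out = crt_path_for(csr_path)
    out.write_text(certs[0])
    return out


# Constructed sample: a fake 102-byte DER SEQUENCE standing in for a certificate,
# surrounded by page text the way a browser copy/paste would deliver it.
SAMPLE_DER = b"\x30\x64\x04\x62" + b"A" * 98
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PAGE_TEXT = (
    "Your certificate has been issued:\r\n"
    + BEGIN + "\r\n"
    + "\r\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))  # odd wrapping on purpose
    + "\r\n" + END + "\r\nBack to the request form\r\n"
)

if __name__ == "__main__":
    print(save_certificate(SAMPLE_PAGE_TEXT, "supervillain.csr"))
```

The DER check is deliberately shallow: it does not parse the certificate or verify it against supervillain.key, it only catches a truncated or mangled paste before the file is dropped into /etc/shibboleth/. Pointing csr_path at the real request file keeps the certificate next to the key and request, as the text above recommends.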