...
The IIS7 plugin is fully defined in the <ISAPI> documentation; the following changes should be noted:
If a
<a <Site> element is not specified for a site which uses the plugin, then the module will ignore requests to that site, as with the old plugin.When the <Site> element is specified, the following new settings can be provided:
useVariables=boolean(default true) controls whether attributes are passed to the application as Server Variables.useHeaders=boolean(default false) controls whether attributes are passed to the application as HTTP Headers. This setting should be avoided but is present to provide a level of compatibility with applications developed against the old isapi_shib plugin. You should move aggressively to fix this.
REMOTE_USER will (usually) be populated in the manner one expects and that is familiar to the use of Shibboleth on Apache. This was not possible with the old plugin, which populated a weird and dangerous header (HTTP_REMOTE_USER) as a workaround. The new module does not populate that header regardless of the settings used, so this may impact applications immediately.
Additionally, a new element
<element <Roles> may be specified. This configures the roles that can be used in native Roles Based Authorization.
...