Allows the IIS7 module to perform roles-based authorization.

Note: Require REMOTE_USER

The way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.

Attributes

Name            Type                                  Default          Description
authNRole       string                                ShibbolethAuthN  Any principal which is logged in via the Shibboleth SP is given this role.
roleAttributes  whitespace-delimited list of strings  none             All values of all identified SP-mapped attributes are added to the Roles associated with this principal.

Child Elements

None

Example

Roles based AuthZ (XML)

<ISAPI>
    <Site id="1" name="sp.example.org" />
    <Roles roleAttributes="affiliation" />
</ISAPI>

Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally the attribute called "affiliation" will be queried and its values used as roles. Hence if a user logged in via the SP and the following attributes were provided:

  • eppn : "jdoe"

  • affiliation : "member", "walkin", "member@example.org", "student@example.org"

The session would have the REMOTE_USER variable set to "jdoe" (assuming the default settings) and the following roles:

  • ShibbolethAuthN (by virtue of being "logged in")

  • member

  • walkin

  • student@example.org

  • member@example.org
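To make the rule above concrete, the following Python models how a Roles element turns the SP-exported variables into a principal and its role set. It is an added illustration, not code from the Shibboleth SP or the IIS7 module; the variable names, the ';' separator assumed for multi-valued attributes, and the sample values are constructed to match the example in this page.

```python
from dataclasses import dataclass

# Default of the authNRole attribute from the table above.
DEFAULT_AUTHN_ROLE = "ShibbolethAuthN"


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def build_principal(env, role_attributes, authn_role=DEFAULT_AUTHN_ROLE, sep=";"):
    """Model of the Roles element: derive a Principal from SP-exported variables.

    env             -- mapping of exported variable names to values; must contain
                       REMOTE_USER plus the SP-mapped attributes
    role_attributes -- the roleAttributes setting, a whitespace-delimited list of
                       attribute ids (e.g. "affiliation")
    sep             -- assumed character the SP uses to join multi-valued attributes
    Returns None when REMOTE_USER is absent or empty: without it there is no
    principal, so nothing can be interrogated for roles (the note above).
    """
    user = env.get("REMOTE_USER", "")
    if not user:
        return None
    roles = {authn_role}  # every logged-in principal gets the authNRole
    for attr in role_attributes.split():
        raw = env.get(attr, "")
        # Every value of every listed attribute becomes a role; blanks are dropped.
        roles.update(v for v in (x.strip() for x in raw.split(sep)) if v)
    return Principal(user, frozenset(roles))


def is_in_role(principal, role):
    """The check an application would make against the interrogated principal."""
    return principal is not None and role in principal.roles


# Constructed sample mirroring the page's example (not captured from a real SP).
SAMPLE_ENV = {
    "REMOTE_USER": "jdoe",
    "eppn": "jdoe",
    "affiliation": "member;walkin;member@example.org;student@example.org",
}
```

The page's list of resulting roles follows directly from build_principal(SAMPLE_ENV, "affiliation"); dropping REMOTE_USER from the environment yields no principal at all, which is the failure mode the note warns about.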