Allows the IIS IIS7 module to perform roles based AuthZauthorization.
The way in which Roles base Authentication this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.
|string||Any principal which is logged in via the|
|SP is given this role.|
|whitespace-delimited list of strings||none||All values of all|
|identified SP-mapped attributes are added to the Roles associated with this principal.|
No Child Elements may be specifiedNone
<ISAPI normalizeRequest<ISAPI> <Site id="true1" safeHeaderNamesname="true"sp.example.org" /> <Roles roleAttributes="ePa ePsaaffiliation" /> </ISAPI>
Every SP-authenticated principal will be given the role
ShibbolethAuthN. Additionally the attributes
'ePa' and '
ePsa' attribute called "affiliation" will be queried and their its values used as roles. Hence Hence if a user logged in via the SP and the following attributes were provided
- eppn : "
- ePa affiliation : "
The session would be have the REMOTE_USER variable set to be "Userjdoe" (assuming that the default setting for
ApplicationDefault> were used. settings) and the following roles:
ShibbolethAuthN (by Virtue virtue of being "logged in")