Allows the IIS7 module to perform roles based authorization.

Note: Require REMOTE_USER

The way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.

Attributes

| Name | Type | Default | Description |
|---|---|---|---|
| authNRole | string | ShibbolethAuthN | Any principal which is logged in via the SP is given this role. |
| roleAttributes | whitespace-delimited list of strings | none | All values of all identified SP-mapped attributes are added to the Roles associated with this principal. |

Child Elements

None

Example

Roles based AuthZ (XML):

<ISAPI>
    <Site id="1" name="sp.example.org" />
    <Roles roleAttributes="affiliation" />
</ISAPI>

Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally the attribute called "affiliation" will be queried and its values used as roles. Hence if a user logged in via the SP and the following attributes were provided

  • eppn : "jdoe"
  • affiliation : "member@example.org", "student@example.org"

The session would have the REMOTE_USER variable set to "jdoe" (assuming default settings) and the following roles:

  • ShibbolethAuthN (by virtue of being "logged in")

  • student@example.org

  • member@example.org
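
The role assignment described above can be checked against a configuration with a small model. This is an added example, not the module's own code: the function name `roles_for_session`, the dictionary session format, and the choice to return None when REMOTE_USER is missing or no `<Roles>` element is present are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Configuration taken from the example on this page.
CONFIG = """<ISAPI>
    <Site id="1" name="sp.example.org" />
    <Roles roleAttributes="affiliation" />
</ISAPI>"""

DEFAULT_AUTHN_ROLE = "ShibbolethAuthN"  # documented default for authNRole


def roles_for_session(config_xml, remote_user, attributes):
    """Model of the documented rules (hypothetical helper).

    Returns the ordered role list, or None when no principal can be
    built because REMOTE_USER is missing (assumed representation).
    """
    if not remote_user:
        return None
    roles_el = ET.fromstring(config_xml).find("Roles")
    if roles_el is None:
        return None  # assumption: no <Roles> element, no role mapping
    # Every SP-authenticated principal receives the authNRole.
    roles = [roles_el.get("authNRole", DEFAULT_AUTHN_ROLE)]
    # roleAttributes is a whitespace-delimited list of attribute names;
    # every value of every named attribute becomes a role.
    for name in roles_el.get("roleAttributes", "").split():
        for value in attributes.get(name, []):
            if value not in roles:
                roles.append(value)
    return roles


# Constructed session matching the example on this page.
SESSION = {
    "eppn": ["jdoe"],
    "affiliation": ["member@example.org", "student@example.org"],
}

if __name__ == "__main__":
    print(roles_for_session(CONFIG, "jdoe", SESSION))
    print(roles_for_session(CONFIG, "", SESSION))
```

Running a planned `roleAttributes` value through a model like this before deployment shows exactly which attribute values would become roles, including attributes that were not meant to carry authorization meaning.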