Half of Shibboleth runs within the web server. For IIS, this half is implemented in an IIS "native module" packaged in a file named iis7_shib.dll. Because IIS provides very minimal support for the configuration of extensions on its own, all of the runtime configuration is handled by the standard SP configuration file (shibboleth2.xml) with the exception of the basic installation of the module into IIS.

New Version in V3 of the SP

...

The new module takes full advantage of the breadth of the IIS7 APIs. Two notable advantages are:

  • By default, it passes values to the application using Server Variables rather than HTTP Headers.

  • It can be easily configured to support native Roles-based Authorization where the roles are derived directly from attributes passed to the SP. An example use of roles-based authorization is URL Authorization.

Additionally, the new plugin allows form preservation across an SSO login by setting the postData attribute in the <Sessions> element.

...

If the Installer detects IIS7 or later, then the iis7_shib.dll module is used. This automatically configures the IIS7 module, adding support for both 32-bit and 64-bit app pools.

Tip: No need for 32-bit shibd on 64-bit OS

The 32-bit web server modules can function with a 64-bit shibd service, so there is no need to install a special version of shibd to handle 32-bit cases as with older SP versions.

Typically, environment variables are used to set the appropriate path information to enable the library to locate the configuration file and initialize itself when IIS or its child processes are started (though this is all handled by the installer when required).

Tip: Startup Failures

If you experience startup problems, you should do the following:

  • Verify the configuration is generally valid by running %SHIBSP_PREFIX%/sbin/shibd.exe -check from the command line.

  • Make sure the system path contains the location of the SP's library DLLs (and make sure you reboot after installation before assuming that's happened).

  • Assuming shibd.exe -check reports no serious errors, verify that all of the machine accounts used by IIS have read permission to the SP installation tree.
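The three checks above as one PowerShell script, added here as an example and not taken from the Shibboleth documentation or installer; it assumes the SP's library DLLs live in %SHIBSP_PREFIX%\lib and that app pool virtual accounts are members of IIS_IUSRS (the IIS default), and it must run from an elevated prompt so the IIS: drive is available.

```powershell
# Added troubleshooting script, not part of the Shibboleth documentation.
# Assumption: the SP library DLLs are in $env:SHIBSP_PREFIX\lib; adjust if your install differs.
Import-Module WebAdministration

$prefix = [Environment]::GetEnvironmentVariable('SHIBSP_PREFIX', 'Machine')
if (-not $prefix) { throw 'SHIBSP_PREFIX is not set system-wide; reboot after installing the SP.' }

# Step 1: have shibd validate shibboleth2.xml and everything it references.
& (Join-Path $prefix 'sbin\shibd.exe') -check
if ($LASTEXITCODE -ne 0) { Write-Warning "shibd -check exited with $LASTEXITCODE; fix the configuration first." }

# Step 2: the system PATH (what IIS worker processes inherit) must contain the DLL directory.
$libDir = (Join-Path $prefix 'lib').TrimEnd('\')
$systemPath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { $_.TrimEnd('\') }
if ($systemPath -notcontains $libDir) {
    Write-Warning "$libDir is not on the system PATH; iis7_shib.dll will not find its dependencies."
}

# Step 3: every identity IIS runs app pools under needs read access to the install tree.
# Map each app pool's identity to the account name that would appear in an ACL.
$poolAccounts = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pool = $_   # inside 'switch', $_ is the switched value, so keep the pool object here
    switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pool.processModel.userName }
    }
}

# Accounts granted at least read on the install root. Only Allow entries are considered;
# Deny entries, nested group membership and per-subfolder overrides are not evaluated.
$readRight = [System.Security.AccessControl.FileSystemRights]::ReadData
$readers = (Get-Acl $prefix).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readRight) } |
    ForEach-Object { $_.IdentityReference.Value }

# App pool virtual accounts are members of IIS_IUSRS, so a grant to that group covers them all.
if ($readers -contains 'BUILTIN\IIS_IUSRS') {
    Write-Host "IIS_IUSRS can read $prefix; all app pool identities are covered."
} else {
    foreach ($account in $poolAccounts) {
        if ($readers -notcontains $account) {
            Write-Warning "$account has no explicit read access to $prefix."
        }
    }
}
```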

Configuring

IIS has a design difference that separates it from Apache: it doesn't support true virtual hosting because it provides no mechanism to securely establish the "canonical" properties of a web site such as its virtual hostname or port. Instead it divides the web server into "site instances" that can have properties like names and ports attached to them (with no reliable/secure way for applications to obtain them or to override the physical settings with logical ones).

...

The IIS plugin has limited support for Roles Based Authorization. This is performed by adding <Roles> elements to the <ISAPI> element. However it is currently more usual to either perform the authorization within your application, or rely on the <RequestMapper> and the XML-based Access Control plugin (or an alternative plugin to the SP).

...