Half of Shibboleth runs within the web server. For IIS, this half is implemented in an IIS "native module" packaged in a file named iis7_shib.dll. Because IIS provides very minimal support for the configuration of extensions on its own, all of the runtime configuration is handled by the standard SP configuration file (shibboleth2.xml) with the exception of the basic installation of the module into IIS.
New Version in V3 of the SP
...
The new module takes full advantage of the breadth of the IIS7 APIs. Two notable advantages are:
By default, it passes values to the application using Server Variables rather than HTTP Headers.
It can easily be configured to support native role-based authorization, where the roles are derived directly from attributes passed to the SP. An example use of role-based authorization is URL Authorization.
Additionally, the new plugin allows form preservation across an SSO login by setting the postData attribute in the <Sessions> element.
...
If the Installer detects IIS7 or later, then the iis7_shib.dll module is used. This automatically configures the IIS7 module, adding support for both 32-bit and 64-bit app pools.
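As an added example (not part of the Shibboleth documentation or installer), the following PowerShell check confirms what the paragraph above says the installer does: that IIS has global module registrations pointing at iis7_shib.dll, that both app-pool bitnesses are covered, and that each referenced DLL exists on disk. It assumes the installer distinguishes 32-bit and 64-bit registrations with the standard IIS preConditions (bitness32/bitness64) and locates the registrations by the DLL name rather than by any assumed module name.

```powershell
# Added example: verify the iis7_shib.dll native module registration in IIS.
# Requires the WebAdministration module (IIS 7 or later) and an elevated shell.
Import-Module WebAdministration -ErrorAction Stop

function Test-ShibNativeModule {
    # Global modules are what the SP installer registers; select by the DLL name
    # from the documentation rather than by an assumed module name.
    $shib = Get-WebGlobalModule | Where-Object { $_.Image -like '*iis7_shib.dll*' }

    $result = [ordered]@{
        Registered    = [bool]$shib
        Has32BitEntry = $false
        Has64BitEntry = $false
        MissingImages = @()
    }

    foreach ($m in $shib) {
        # Assumption: the installer uses IIS preConditions to select the DLL per
        # app-pool bitness, so both bitness32 and bitness64 entries should exist.
        if ($m.PreCondition -match 'bitness32') { $result.Has32BitEntry = $true }
        if ($m.PreCondition -match 'bitness64') { $result.Has64BitEntry = $true }

        # Image paths are commonly stored with environment variables; expand before testing.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        if (-not (Test-Path -LiteralPath $path)) { $result.MissingImages += $path }
    }

    [pscustomobject]$result
}

$r = Test-ShibNativeModule
if (-not $r.Registered) {
    Write-Warning 'No IIS global module references iis7_shib.dll; re-run the SP installer or register the module.'
}
elseif (-not ($r.Has32BitEntry -and $r.Has64BitEntry)) {
    Write-Warning 'iis7_shib.dll is registered for only one bitness; app pools of the other bitness will not load the SP.'
}
if ($r.MissingImages) {
    Write-Warning "Registered image(s) missing on disk: $($r.MissingImages -join ', ')"
}
$r
```

A missing-image or single-bitness result is a common cause of the startup failures discussed further down, since an app pool that cannot load the module fails before the SP reads shibboleth2.xml at all.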
Tip: No need for 32-bit shibd on 64-bit OS. The 32-bit web server modules can function with a 64-bit shibd service, so there is no need to install a special version of shibd to handle 32-bit cases as with older SP versions.
Typically, environment variables are used to set the appropriate path information to enable the library to locate the configuration file and initialize itself when IIS or its child processes are started (though this is all handled by the installer when required).
Tip: Startup Failures. If you experience startup problems, you should do the following:
Configuring
IIS has a design difference that separates it from Apache: it doesn't support true virtual hosting because it provides no mechanism to securely establish the "canonical" properties of a web site such as its virtual hostname or port. Instead it divides the web server into "site instances" that can have properties like names and ports attached to them (with no reliable/secure way for applications to obtain them or to override the physical settings with logical ones).
...
The IIS plugin has limited support for role-based authorization. This is performed by adding <Roles> elements to the <ISAPI> element. However, it is currently more usual either to perform the authorization within your application, or to rely on the <RequestMapper> and the XML-based Access Control plugin (or an alternative plugin to the SP).
...