...

With IIS, the first thing to do is to check the Windows Event Log. If you access a site with the filter installed, you should get event log messages saying that the filter initialized. If so, the filter is running, and there's a decent chance permissions are OK. If not, I'd start by making sure that the anonymous IIS user (IUSR_<machine>) has read access to the \opt\shibboleth-sp tree. Other accounts may also need access if you have ASP.NET AppPool identities configured.

...

Once you get that green arrow, the rest is going to be SP configuration work.

Check Application Pool 32-bit Application Support

If you are using the 32-bit library on 64-bit Windows, you'll need to activate support for 32-bit applications. In the Application Pools list, select the application pool for your site(s), and view Advanced Settings. In the (General) group, set "Enable 32-Bit Applications" to True.

Site and Request Mapping

The first thing to check is that the proper <Site> elements are defined in the <ISAPI> configuration element. You MUST create one for each web site you're using the filter with, mapping from the IIS Site Instance ID to the right hostname(s). You can find the ID in the GUI, in the list of Web Sites. It's often a large number on IIS 6.

The rest of the protection trickery is in the <RequestMapper>. If you did all the above, but it's still not triggering for you, you've got something wrong in the map. Make sure you have the requireSession="true" attribute placed into the right <Host> or <Path> element for your choice of host or directory names.
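The two checks above (a <Site> for every IIS site, and requireSession="true" on the matching <Host> or <Path>) can be automated; the following is an added example, not part of the original page or of the Shibboleth distribution. It assumes the configuration layout shown in the constructed sample, compares only the name attributes of <Site> and <Host>, and ignores aliases, regex hosts and settings inherited from higher up in the map.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an <ISAPI>/<RequestMapper> layout; hostnames and IDs are made up.
SAMPLE = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess>
    <ISAPI>
      <Site id="1" name="sp.example.org"/>
      <Site id="87257621" name="apps.example.org"/>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="app.example.org" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""

def local(el):
    """Tag name without its XML namespace, so any SP config namespace works."""
    return el.tag.rsplit("}", 1)[-1]

def protected(host):
    """True if the <Host> itself or any nested <Path> requires a session."""
    return any(local(e) in ("Host", "Path")
               and e.get("requireSession") in ("true", "1") for e in host.iter())

def check_mapping(xml_text):
    """Return findings for IIS sites that the map would leave unprotected."""
    root = ET.fromstring(xml_text)
    sites = {s.get("name", "").lower(): s.get("id") for s in root.iter() if local(s) == "Site"}
    hosts = {h.get("name", "").lower(): h for h in root.iter() if local(h) == "Host"}
    findings = []
    if not sites:
        findings.append("no <Site> elements inside <ISAPI>")
    for name, site_id in sites.items():
        if name not in hosts:
            findings.append(f"site {site_id} ({name}): no <Host> in the map")
        elif not protected(hosts[name]):
            findings.append(f"site {site_id} ({name}): lacks requireSession")
    for name in hosts:
        if name not in sites:
            findings.append(f"host {name}: no <Site> maps to it")
    return findings
```

Calling check_mapping(SAMPLE) reports the hostname typo between the second <Site> and its intended <Host>, the kind of mismatch that leaves a site silently unprotected.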

Logging

If you still have no joy, the next step is to try collecting some logging detail. You need to raise the native logging level to DEBUG by editing native.logger and changing the default INFO level to DEBUG. Then you'll want to restart IIS. You should get more verbose information in the native.log file.

It will include a line each time you access the site that tells you what URL has been "mapped" by the filter. If it doesn't look right, you should get a hint on what to fix. If you get nothing, despite raising the level to DEBUG, then the filter isn't running, or isn't configured to process requests for the affected site.

Apache

Before getting into debugging, please make sure to read the NativeSPApacheConfig topic thoroughly and make sure you understand it and that you've done the necessary setup work.

Apache is much simpler when it comes to getting at least initial interception to function, but it depends on how you choose to configure it. If you use .htaccess files, things are pretty automatic; you just have to do:

AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user

If you're relying on the <RequestMapper> instead, then you'll run into issues based on server name configuration details. The Apache ServerName directive MUST be set to match what you put in the map's <Host> element, and you'll need to make sure UseCanonicalName On is set. Additionally, you'll need to get the module running for those requests by globally activating it for those resources, using this kind of approach:

<Location />
AuthType shibboleth
require shibboleth
</Location>

...