...

The first site will be given the host name iis.example.org.

Roles based Authentication

Note
Need REMOTE_USER

The way in which Roles based Authentication works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.


Every SP-authenticated principal will be given the role ShibUser.  Additionally the attributes 'ePa' and 'ePsa' will be queried and their values used as roles.  Hence if a user logged in via the SP and the following attributes were provided

...

The installation is available here.  Note that there is only a 64 bit installer and it does not install anything for 32 bit application pools.

Warning

We expect that the next version of the SP installer will be able to upgrade systems with this overlay installed. But just in case (and for all the other usual good reasons) this installer should not be used on production systems.

...

Note

Before making any configuration changes to IIS, back up your system appropriately. Although the overlay installer undoes its own configuration, it will not revert any configuration that you change.


  • In the GUI, select the server in the left hand pane and click on "ISAPI Filters" in the right hand pane.
    • Now remove any Shibboleth related filters.  For a default install this will be called Shibboleth and be for executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
  • In the GUI, select the server in the left hand pane and click on "Handler Mappings" in the right hand pane.
    • Now remove any Shibboleth related ISAPI handler mappings.  These may be distinguished by a path of ".sso" and by a Handler of "IsapiModule".  For a default install this will be called something like AboMapperCustom-8689 and be for executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
  • In the GUI, select the server in the left hand pane and click on "ISAPI and CGI Restrictions" in the right hand pane.
    • Now remove any Shibboleth related restriction.  For a default install this will be called something like Shibboleth Web Service Extension and be for executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll

  • Edit %SYSTEMROOT%\System32\InetSrv\config\applicationHost.config and look for the words "shib" or "shib_isapi".  The following is the new definition

    <globalModules>
      ...
      <add name="ShibNative" image="C:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" />
    </globalModules>
    ...
    <modules>
      ...
      <add name="ShibNative" />
    </modules>

    and should be left alone.

    In particular the string isapi_shib.dll indicates that the removal is incomplete.  Such entries should be removed.

  • As well as the applicationHost.config file, you may need to inspect the web.config files for the sites and their sub folders.
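
The check for leftover isapi_shib.dll entries in the last two steps can be scripted. The following PowerShell is an added example, not part of the original page or the Shibboleth project; the function name Find-LegacyShibReference, the constructed sample file and the C:\inetpub site root are assumptions.

```powershell
# Added example: list leftover references to the old ISAPI DLL.
# ShibNative / iis7_shib.dll lines are the new definition and are not reported.
function Find-LegacyShibReference {
    param([Parameter(Mandatory)] [string[]] $ConfigPath)
    foreach ($path in $ConfigPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -SimpleMatch: literal, case-insensitive match on the DLL name
        Select-String -LiteralPath $path -Pattern 'isapi_shib.dll' -SimpleMatch |
            ForEach-Object {
                [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() }
            }
    }
}

function Format-Hit {
    param([Parameter(ValueFromPipeline)] $Hit)
    process { '{0}:{1}: {2}' -f $Hit.File, $Hit.Line, $Hit.Text }
}

# Constructed sample: one stale filter entry next to the new module definition.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'shib-sample.config'
@'
<isapiFilters>
  <filter name="Shibboleth" path="C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll" />
</isapiFilters>
<globalModules>
  <add name="ShibNative" image="C:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" />
</globalModules>
'@ | Set-Content -LiteralPath $sample
Find-LegacyShibReference -ConfigPath $sample | Format-Hit
Remove-Item -LiteralPath $sample

# Real check: the server-level file named on the page, plus web.config files
# for the sites and their sub folders.
$targets = @(Join-Path $env:SystemRoot 'System32\InetSrv\config\applicationHost.config')
$siteRoot = 'C:\inetpub'    # assumption: adjust to your sites' physical paths
if (Test-Path -LiteralPath $siteRoot) {
    $targets += Get-ChildItem -LiteralPath $siteRoot -Filter web.config -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}
$hits = @(Find-LegacyShibReference -ConfigPath $targets)
if ($hits.Count -eq 0) { 'No isapi_shib.dll references found.' } else { $hits | Format-Hit }
```

Run it from an elevated 64-bit PowerShell session: the InetSrv\config directory is readable only by administrators, and a 32-bit process has System32 redirected.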

...