...
The first site will be given the host name iis.example.org.
Roles based Authentication
Note |
---|
The way in which role-based authentication works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles. |
Every SP-authenticated principal will be given the role ShibUser. Additionally, the attributes 'ePa' and 'ePsa' will be queried and their values used as roles. Hence if a user logged in via the SP and the following attributes were provided
...
The installation is available here. Note that there is only a 64 bit installer and it does not install anything for 32 bit application pools.
Warning |
---|
We expect that the next version of the SP installer will be able to upgrade systems with this overlay installed. But just in case (and for all the other usual good reasons) this installer should not be used on production systems. |
...
Note |
---|
Before making any configuration changes to IIS, back up your system appropriately. Although the overlay installer undoes its own configuration, it will not revert any configuration that you change. |
- In the GUI, select the server in the left-hand pane and click on "ISAPI Filters" in the right.
  - Now remove any Shibboleth-related filters. For a default install this will be called Shibboleth and be for executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
- In the GUI, select the server in the left-hand pane and click on "Handler Mappings" in the right.
  - Now remove any Shibboleth-related ISAPI handler. For a default install this will be called something like AboMapperCustom-8689 and be for executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
- In the GUI, select the server in the left-hand pane and click on "ISAPI and CGI Restrictions" in the right.
  - Now remove any Shibboleth-related restriction. For a default install this will be called something like Shibboleth Web Service Extension and be for executable C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll
- Edit %SYSTEMROOT%\System32\InetSrv\config\applicationHost.config and look for the words "shib" or "shib_isapi". The following is the new definition and should be left alone:

  ```xml
  <globalModules>
    ...
    <add name="ShibNative" image="C:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" />
  </globalModules>
  ...
  <modules>
    ...
    <add name="ShibNative" />
  </modules>
  ```

  In particular the string isapi_shib.dll indicates that the removal is incomplete. Such entries should be removed.
  - As well as the applicationHost.config file, you may need to inspect the web.config files for the sites and their sub folders.
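
A read-only check for the cleanup described above, as an added example that is not part of the original page or of the Shibboleth installer: it scans config files for "shib" and separates leftover isapi_shib.dll entries from the ShibNative definition that should stay. The function name Find-ShibConfigEntry and the sample file are constructed for illustration, PowerShell 3.0 or later is assumed, and C:\inetpub\wwwroot in the closing comment is an assumed site root.

```powershell
# Added example: read-only scan, changes nothing in IIS.
function Find-ShibConfigEntry {
    param([Parameter(Mandatory = $true)] [string[]] $Path)
    foreach ($file in $Path) {
        # Select-String is case-insensitive by default; -SimpleMatch treats 'shib' literally.
        Select-String -LiteralPath $file -Pattern 'shib' -SimpleMatch | ForEach-Object {
            $status = if ($_.Line -match 'isapi_shib\.dll') {
                'REMOVE'   # old ISAPI filter/handler/restriction: removal incomplete
            } elseif ($_.Line -match 'iis7_shib\.dll|name="ShibNative"') {
                'KEEP'     # new native module definition, leave alone
            } else {
                'REVIEW'   # some other Shibboleth-related entry, inspect by hand
            }
            [pscustomobject]@{
                Status = $status
                File   = $_.Path
                Line   = $_.LineNumber
                Text   = $_.Line.Trim()
            }
        }
    }
}

# Constructed sample standing in for applicationHost.config (not a real server's file).
$sample = Join-Path ([IO.Path]::GetTempPath()) 'applicationHost.sample.config'
@'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="ShibNative" image="C:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="Shibboleth" path="C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll" />
    </isapiFilters>
    <modules>
      <add name="ShibNative" />
    </modules>
  </system.webServer>
</configuration>
'@ | Set-Content -LiteralPath $sample

Find-ShibConfigEntry -Path $sample | Format-Table -AutoSize

# On a server (site root is an assumption, adjust to your sites):
# $cfg = @("$env:SystemRoot\System32\inetsrv\config\applicationHost.config")
# $cfg += (Get-ChildItem C:\inetpub\wwwroot -Recurse -Filter web.config).FullName
# Find-ShibConfigEntry -Path $cfg | Where-Object Status -ne 'KEEP'
```

An empty result from the last commented command means no isapi_shib.dll references remain in the files scanned.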
...