Allows the IIS7 module to perform role-based authorization.

Note

The way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.
Attributes
Name | Type | Default | Description |
---|---|---|---|
authNRole | string | ShibbolethAuthN | Any principal which is logged in via the SP is given this role. |
roleAttributes | whitespace-delimited list of strings | none | All values of all identified SP-mapped attributes are added to the Roles associated with this principal. |
Child Elements
None
Example
```xml
<ISAPI>
    <Site id="1" name="sp.example.org" />
    <Roles roleAttributes="affiliation" />
</ISAPI>
```
Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally, the attribute called "affiliation" will be queried and its values used as roles. Hence if a user logged in via the SP and the following attributes were provided

- eppn : "jdoe"
- affiliation : "staff@example.org", "student@example.org"

The session would have the REMOTE_USER variable set to "jdoe" (assuming default settings) and the following roles:

- ShibbolethAuthN (by virtue of being "logged in")
- staff@example.org
- student@example.org
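
One way to consume these roles, shown as an added example that is not part of the original page: a web.config fragment using IIS URL Authorization rules. It assumes the IIS URL Authorization module is installed and evaluates the principal supplied by the SP module; the paths "private" and "staff" are hypothetical.

```xml
<!-- web.config at the site root (added example, not from the SP documentation) -->
<configuration>

  <!-- Hypothetical path open to any SP-authenticated user.
       Relies on the default authNRole value, ShibbolethAuthN. -->
  <location path="private">
    <system.webServer>
      <security>
        <authorization>
          <!-- Remove the inherited allow-everyone rule so that
               requests matching no rule are denied. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="ShibbolethAuthN" />
        </authorization>
      </security>
    </system.webServer>
  </location>

  <!-- Hypothetical path restricted to one value of the "affiliation"
       attribute, which roleAttributes="affiliation" turns into a role. -->
  <location path="staff">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="staff@example.org" />
        </authorization>
      </security>
    </system.webServer>
  </location>

</configuration>
```

With the session above, jdoe matches the allow rule on both paths; a principal whose only affiliation value is student@example.org matches the rule on "private" but not the one on "staff".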