Allows IIS to perform role-based authorization (AuthZ).
Requires REMOTE_USER
The way in which role-based authentication works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.
Attributes
Name | Type | Default | Description |
---|---|---|---|
authNRole | string | ShibbolethAuthN | Any principal which is logged in via the Shibboleth SP is given this role. |
roleAttributes | space-separated string | none | All values of all provided attributes with the names given are added to the roles associated with this principal. |
Child Elements
No child elements may be specified.
Example
<ISAPI normalizeRequest="true" safeHeaderNames="true"> <Roles roleAttributes="ePa ePsa" /> </ISAPI>
Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally, the attributes 'ePa' and 'ePsa' will be queried and their values used as roles. Hence, if a user logged in via the SP and the following attributes were provided:
- eppn : "User"
- ePa : "member", "walkin"
- ePsa : "staff@example.org", "member@example.org"
The session would have the REMOTE_USER variable set to "User" (assuming that the default setting for <ApplicationDefaults> were used) and the following roles:
- ShibbolethAuthN (by virtue of being "logged in")
- member
- walkin
- staff@example.org
- member@example.org
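
A small model of the role derivation described above, as an added example (not code from the Shibboleth project): it parses the `<Roles>` element, applies the documented defaults, and records which source contributed each role, so that a role name supplied by more than one source shows up during review. The function names, the un-namespaced XML fragment, the sample session and the exact-match attribute lookup are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the example fragment above, without the XML namespace
# a full shibboleth2.xml would declare.
ISAPI_XML = ('<ISAPI normalizeRequest="true" safeHeaderNames="true">'
             '<Roles roleAttributes="ePa ePsa" /></ISAPI>')

# Constructed sample session: attribute id -> values released for the user.
SESSION = {
    "eppn": ["User"],
    "ePa": ["member", "walkin"],
    "ePsa": ["staff@example.org", "member@example.org"],
}

def parse_roles_element(isapi_xml):
    """Return (authNRole, roleAttributes) with the documented defaults applied."""
    roles_el = ET.fromstring(isapi_xml).find("Roles")
    if roles_el is None:
        return None  # assumption: without <Roles> this model assigns no roles
    authn_role = roles_el.get("authNRole", "ShibbolethAuthN")
    role_attrs = roles_el.get("roleAttributes", "").split()
    return authn_role, role_attrs

def derive_roles(isapi_xml, session):
    """Map every role to the sources that granted it ("authN" or attribute id)."""
    parsed = parse_roles_element(isapi_xml)
    if parsed is None:
        return {}
    authn_role, role_attrs = parsed
    sources = {authn_role: ["authN"]}  # every SP-authenticated principal
    for attr in role_attrs:            # exact-match lookup is an assumption
        for value in session.get(attr, []):
            granted_by = sources.setdefault(value, [])
            if attr not in granted_by:
                granted_by.append(attr)
    return sources

def overlapping_roles(sources):
    """Roles granted by more than one source; worth a look before relying on them."""
    return sorted(role for role, by in sources.items() if len(by) > 1)

if __name__ == "__main__":
    roles = derive_roles(ISAPI_XML, SESSION)
    for role, by in roles.items():
        print(f"{role:22} <- {', '.join(by)}")
    print("overlaps:", overlapping_roles(roles))
```

Because every listed attribute feeds one flat set of role names, an application checking a role cannot tell which attribute supplied it; the overlap list shows where that matters for a given session.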