The following software is known to cause incompatibilities that affect the installation or use of the Shibboleth SP module:
The installer does not work fully in conjunction with the IIS "Shared Configuration" option. Disable it prior to installation. After re-enabling it, you will likely have to manually apply some of the configuration changes noted below.
IIS7 is a rather radical rewrite and has some major differences from earlier versions. Superficially, the administration GUI is very different. Furthermore, the scripting interfaces used by the SP installer are not supported by default.
If you want the installer to configure IIS for you, you'll need to make sure the IIS6 management compatibility role services are installed first. In the server roles administration tool, IIS includes a set of role services labeled "IIS 6 Management Compatibility". Install these before performing the SP installation.
You also need to ensure that support for ISAPI filters and extensions is installed. This appears to be a separate installable feature in some cases.
Finally, you need to determine whether your IIS applications are expected to be 32-bit or 64-bit. Typically, a newer 64-bit OS will run 64-bit IIS by default, but some applications require 32-bit. For older SP versions, only one copy of the SP can be easily installed, so you'll have to pick one or the other, and install the appropriate version to match the applications you want to run. As of V2.5+, the installation package is limited by your system type, and the 64-bit installer will include both sets of files so you can adjust which type you use on the fly.
.msi Shibboleth SP installer from the Shibboleth download site.
After rebooting, IIS should be configured for basic support (if you asked it to do so and you installed the IIS 6 compatibility services mentioned above). If you have problems, need to manually configure it, or want to verify what happened, the IIS steps are as follows:
lib\shibboleth\isapi_shib.dll library. For V2.5+ on a 64-bit IIS, the relative path is lib64\shibboleth\isapi_shib.dll.
.sso file extension to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. This is done under "Handler Mappings" using the "Add Script Map..." action. The Executable box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but *.sso is assumed (and the asterisk and dot must be included).
A set of commands that may work for some people to perform the above steps:
cd C:\Windows\System32\inetsrv
appcmd set config /section:isapiFilters /+[name='shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',enabled='true']
appcmd set config /section:handlers /+[name='Shibboleth',path='*.sso',verb='*',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll']
appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='Shibboleth',allowed='True']
iisreset
For Windows Server 2012 / IIS 8, you may need to add the modules attribute to the Handler Mapping command:
appcmd set config /section:handlers /+[name='Shibboleth',path='*.sso',verb='*',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',modules='IsapiModule']
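To verify what the installer or the commands above actually changed, this read-only PowerShell check reads the three IIS sections back with appcmd and confirms that each one references the same DLL. It is an added example, not part of the Shibboleth documentation or installer; the install path, the *.sso extension, and the names $Dll, $Sample, Get-IisSection and Test-ShibIsapiConfig are assumptions made for illustration.

```powershell
# Added example, not Shibboleth project code. $Dll is the path used in the
# commands above; adjust it to your installation directory and bitness.
$Dll    = 'C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll'
$AppCmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Constructed sample of "appcmd list config" output, used only when appcmd is absent.
$Sample = @{
    isapiFilters        = "<system.webServer><isapiFilters><filter name='shibboleth' path='$Dll' enabled='true' /></isapiFilters></system.webServer>"
    handlers            = "<system.webServer><handlers><add name='Shibboleth' path='*.sso' verb='*' modules='IsapiModule' scriptProcessor='$Dll' /></handlers></system.webServer>"
    isapiCgiRestriction = "<system.webServer><security><isapiCgiRestriction><add path='$Dll' allowed='true' description='Shibboleth' /></isapiCgiRestriction></security></system.webServer>"
}

function Get-IisSection([string]$Section) {
    if (-not (Test-Path -LiteralPath $AppCmd)) {
        Write-Warning "appcmd not found; using constructed sample for $Section"
        return [xml]$Sample[$Section]
    }
    # appcmd prints the effective section as XML, one array item per line.
    [xml]((& $AppCmd list config "/section:$Section") -join "`n")
}

function Test-ShibIsapiConfig {
    param([xml]$Filters, [xml]$Handlers, [xml]$Restrictions, [string]$Dll)
    # A filter entry without an "enabled" attribute is treated as enabled.
    $filter = @($Filters.SelectNodes('//filter') | Where-Object {
        $_.GetAttribute('path') -ieq $Dll -and $_.GetAttribute('enabled') -ne 'false' })
    $handler = @($Handlers.SelectNodes('//add') | Where-Object {
        $_.GetAttribute('scriptProcessor') -ieq $Dll -and $_.GetAttribute('path') -eq '*.sso' })
    $allowed = @($Restrictions.SelectNodes('//add') | Where-Object {
        $_.GetAttribute('path') -ieq $Dll -and $_.GetAttribute('allowed') -ieq 'true' })
    [pscustomobject]@{
        DllOnDisk        = Test-Path -LiteralPath $Dll
        FilterRegistered = $filter.Count -gt 0
        HandlerMapped    = $handler.Count -gt 0
        HandlerModules   = ($handler | ForEach-Object { $_.GetAttribute('modules') }) -join ','
        IsapiAllowed     = $allowed.Count -gt 0
    }
}

Test-ShibIsapiConfig -Dll $Dll `
    -Filters      (Get-IisSection 'isapiFilters') `
    -Handlers     (Get-IisSection 'handlers') `
    -Restrictions (Get-IisSection 'isapiCgiRestriction')
```

A False in any column identifies which of the three manual steps is missing or points at a different copy of the DLL; an empty HandlerModules on IIS 8 corresponds to the missing modules attribute described above.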
shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software).
shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
\var\log\shibboleth to create the native.log file. IIS 7.x appears to rely largely on accounts that live in the "IUSRS" Windows group, so giving that group read access to the installation may be helpful or essential.