Installing the Shibboleth SP for IIS 5

Installation

1. Download the .msi Shibboleth SP installer from the Shibboleth download site.
2. Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. The shibd service will also be installed for you.

After rebooting, IIS should be configured for basic support (if you asked it to do so). If you have problems, need to manually configure it, or want to verify what happened, the IIS steps are as follows:

1. Add the filter using the Internet Services Manager MMC console. Right click on the machine icon on the left, and edit the WWW Service master properties. On the "ISAPI Filters" tab, add a new filter called Shibboleth and specify the lib\shibboleth\isapi_shib.dll library (or lib64\shibboleth\isapi_shib.dll for a 64-bit IIS). The priority should be High, and once the filter is loaded, make sure it appears in the list below the sspifilt entry. Restart IIS and make sure the filter shows up with a green arrow. Check the Windows event log and/or the Shibboleth logs if it fails to load.
2. Map the .sso file extension to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. Right click on the machine icon on the left, and edit the WWW Service master properties. On the Home Directory tab, add a script mapping using the Configuration button. The Executable box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but .sso is assumed (and the dot must be included). You should NOT select the option to limit verbs, and you MUST uncheck the Check that file exists box.
3. Restart IIS.

Basic Configuration

• The primary configuration file for the filter and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software).
• shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
• You may need to add permissions to your installation directory for IIS to operate. There are a variety of possible accounts IIS may run with at different times, and failure to set permissions may result in crashes, the filter failing to load, or other odd behavior. The IIS server processes need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to \var\log\shibboleth to create the native.log file.
• In order to configure Shibboleth you'll need the site identifier that IIS has assigned to your website. If you're simply using the default website this identifier is 1 (one). If you're not you can find the identifier through the IIS Manager tool by selecting the "Web Sites" folder and looking in the identifier column, on the right, that corresponds to your website.