This page is under construction

It refers to a product which is still under internal/Alpha test. It is currently slated to ship with V3.0 of the SP.

Introduction

The IISNative DLL is a Shibboleth integration against the API set which was introduced in IIS7.  The previous version (isapi_shib.dll) integrated against the old "ISAPI" APIs, which in turn required the deployment of explicit down-level support DLLs to provide interfaces to the legacy API.  The new DLL is a functional superset of the isapi_shib plugin, but it does not automatically replace the old one (which is still shipped).

The new DLL takes full advantage of the breadth of the IIS7 APIs.  Two notable advantages are

Configuration

The new plugin is configured using an extension to the existing NativeSPISAPI element (and this documentation will move there).  The following changes should be noted


<ISAPI normalizeRequest="true" safeHeaderNames="true">
    <Roles roleAttributes="ePa ePsa" />
    <Site id="1" name="iis.example.org"/>
</ISAPI>

The first site will be given the host name iis.example.org.

Roles based Authentication

The way in which Roles based Authentication works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.


Every SP-authenticated principal will be given the role ShibUser.  Additionally the attributes 'ePa' and 'ePsa' will be queried and their values used as roles.  Hence if a user logged in via the SP and the following attributes were provided

The session would have the REMOTE_USER variable set to "User" (assuming that the default settings for <ApplicationDefaults> were used) and the following roles

Installation

The installation is available here

We expect that the next version of the SP installer will be able to upgrade systems with this overlay installed. But just in case (and for all the other usual good reasons) this installer should not be used on production systems.

For the test release the IIS7Native plugin is installed on top of an existing Shibboleth SP installation.  It is expected (but not required) that the installation would have the old style ISAPI plugin configured.  You may need/wish to stop IIS during the installation. The installation runs with no dialog and does the following

The installation does not deconfigure the old plugin, so you need to do this by hand. Doing this is highly installation dependent (which is why there is no automation) but the following hints may help

Before making any configuration changes to IIS, back up your system appropriately. Although the overlay installer undoes its own configuration, it will not revert any configuration that you change.



If the ISAPI module is still configured the following tell-tales will indicate it

  1. The event viewer ("Windows Logs\Application") may show a warning from SHIB_ISAPI
  2. An attempt to access a protected resource will return a failure (status 500) and the native log will have the following line

    ERROR Shibboleth.NATIVE [<pid>] native_shib: Shibboleth handler invoked at an unconfigured location.

    This indicates that configuration for the ISAPI filter is still active somewhere.
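
The two tell-tales above can be checked from PowerShell. The following is an added example, not part of the original page or the Shibboleth project. The function name and the native log path are assumptions, and the third check (searching the server-level IIS configuration for isapi_shib.dll) goes beyond the tell-tales listed here.

```powershell
# Added example (not Shibboleth project code). The function name is hypothetical.
function Test-ShibIsapiLeftover {
    param(
        # Assumption: full path to the SP's native log for your installation.
        [Parameter(Mandatory = $true)][string]$NativeLog,
        # Server-level IIS configuration file (default IIS location).
        [string]$IisConfig = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )

    # Tell-tale 1: warnings (Level 3) from SHIB_ISAPI in Windows Logs\Application.
    try {
        $filter = @{ LogName = 'Application'; ProviderName = 'SHIB_ISAPI'; Level = 3 }
        Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{ Check = 'EventLog'; When = $_.TimeCreated; Evidence = $_.Message }
            }
    } catch {
        # No matching events, or the source is not registered: nothing to report.
    }

    # Tell-tale 2: the native log line that accompanies the status 500 response.
    $needle = 'native_shib: Shibboleth handler invoked at an unconfigured location.'
    if (Test-Path -LiteralPath $NativeLog) {
        Select-String -LiteralPath $NativeLog -SimpleMatch -Pattern $needle |
            Select-Object -Last 5 |
            ForEach-Object {
                [pscustomobject]@{ Check = 'NativeLog'; When = $null; Evidence = $_.Line.Trim() }
            }
    } else {
        Write-Warning "Native log not found: $NativeLog"
    }

    # Extra check (assumption, not a tell-tale listed on the page): references to
    # the old isapi_shib.dll that remain in the server-level IIS configuration.
    if (Test-Path -LiteralPath $IisConfig) {
        Select-String -LiteralPath $IisConfig -SimpleMatch -Pattern 'isapi_shib.dll' |
            ForEach-Object {
                [pscustomobject]@{ Check = 'IisConfig'; When = $null; Evidence = "line $($_.LineNumber): $($_.Line.Trim())" }
            }
    }
}

# Constructed path; substitute the native log location of your installation.
Test-ShibIsapiLeftover -NativeLog 'C:\path\to\native.log' | Format-List
```

Run it from an elevated prompt so the IIS configuration file is readable. No output means none of the three checks found anything.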