Installing the Shibboleth SP for IIS 6
V2.4+ are NOT compatible with Windows 2003 Server RTM (without SP1).
The installer does not work fully in conjunction with the IIS "Shared Configuration" option. Disable it prior to installation. After re-enabling it, you will likely have to manually apply some of the configuration changes noted below.
- Download the
.msi Shibboleth SP installer from the Shibboleth download site.
- Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. The shibd service will also be installed.
After rebooting, IIS should be configured for basic support (if you asked it to do so). If you have problems, need to manually configure it, or want to verify what happened, the IIS steps are as follows:
- Add the filter using the Internet Services Manager console. Right click on the "Web Sites" icon on the left, and bring up the Properties dialog. On the "ISAPI Filters" tab, add a new filter called Shibboleth and specify the
lib\shibboleth\isapi_shib.dll library (or
lib64\shibboleth\isapi_shib.dll for a 64-bit IIS). The priority should be
High. You won't see any visual indication it was loaded until after making requests to the server.
- Map the
.sso file extension to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. On the
Home Directory tab, add a script mapping using the
Configuration button. The
Executable box should point to
isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but
.sso is assumed (and the dot must be included). You should NOT select the option to limit verbs, and you MUST uncheck the
Check that file exists box.
- Add the Shibboleth ISAPI Extension to the list of permitted extensions in the list of allowed extensions.
- Restart IIS and make sure the filter shows up with a green arrow once you access the site. Check the Windows event log and/or the Shibboleth logs if it fails to load.
- IIS6 may require that you manually install the script mapping and/or the filter itself at the site level, rather than at the root of all the sites. You may also wish to do this to ensure that the filter only runs on a subset of your web sites.
- The primary configuration file for the filter and the Shibboleth daemon,
shibd, will be located at
\etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software).
shibd creates its own log at
\var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
- You may need to add permissions to your installation directory for IIS to operate. There are a variety of possible accounts IIS may run with at different times, and failure to set permissions may result in crashes, the filter failing to load, or other odd behavior. The IIS server processes need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to
\var\log\shibboleth to create the
- In order to configure Shibboleth you'll need the site identifier that IIS has assigned to your website. If you're simply using the default website this identifier is 1 (one). If you're not you can find the identifier through the IIS Manager tool by selecting the "Web Sites" folder and looking in the identifier column, on the right, that corresponds to your website.