The <ISAPI> element defines part of the integration between the SP and the Microsoft IIS web server, due to deficiencies in its support for native configuration of such extensions.

With V3, a new IIS7 native module is supplied. This has significant benefits as detailed elsewhere, and also means that less configuration may be needed.

Restart IIS after making changes

You'll need to restart IIS after changing any of the options in this area.

Upgraded V2 installations will continue to use the old ISAPI extension as documented here. If you convert an existing site to use the new plugin (as described here) you should be aware that although the configuration is compatible, some defaults have changed and you will need to make changes to your applications to take proper advantage of the new module.


normalizeRequestbooleantrueThis is essentially obligatory with IIS, and causes the software to determine the URLs its processing based on information from the SP's own configuration per its <Site> element(s). Turning this off will generally result in security issues unless you avoid any use of content settings and the RequestMapper.
safeHeaderNamesbooleanfalse (true if the useHeaders option is enabled)

Causes all non-alphanumeric characters to be automatically removed from the names of all SP-controlled headers. This defaults to false for compatibility with V2, but is auto-enabled if the useHeaders option is set, since that option is new to V3. It should be enabled if the old ISAPI extension is used.

useVariablesbooleantrueControls whether attributes are passed the the application as Server Variables.

Controls whether attributes are passed as HTTP Headers.

This setting should be avoided, but is present to provide a level of compatibility with applications developed against the old ISAPI extension.

Child Elements

<Site>0 or moreControls how the SP establishes canonical URLs for requests to a given IIS site. This is used to provide a limited form of virtualization support, which IIS does not support itself. Use Apache if you intend to do serious virtual hosting, or ask Microsoft to fix their product.
<Roles>0 or 1Provides support for role-based authorization.