Allows the IIS7 module to perform role-based authorization.
The way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.
|Any principal which is logged in via the SP is given this role.|
|whitespace-delimited list of strings||none||All values of all identified SP-mapped attributes are added to the Roles associated with this principal.|
<Site id="1" name="sp.example.org" />
<Roles roleAttributes="affiliation" />
Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally, the attribute called "affiliation" will be queried and its values used as roles. Hence, if a user logged in via the SP and the following attributes were provided:
- eppn : "
- affiliation : "
The session would have the REMOTE_USER variable set to "jdoe" (assuming the default settings) and the following roles:
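
Roles assigned this way can be named in IIS URL Authorization rules. The following web.config fragment is an added example, not part of the original page or the project's own configuration. It assumes the IIS "URL Authorization" feature is installed; the paths "secure" and "staff" are hypothetical, and the affiliation value "staff@example.org" is constructed for illustration.

```xml
<!-- Added example: web.config for the site protected by the SP.
     Paths and the affiliation value are assumptions, see the lead-in. -->
<configuration>

  <!-- Any user with an SP session: matches the role that every
       SP-authenticated principal is given. -->
  <location path="secure">
    <system.webServer>
      <security>
        <authorization>
          <!-- Drop the inherited allow-everyone rule so that only the
               role rule below grants access. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="ShibbolethAuthN" />
        </authorization>
      </security>
    </system.webServer>
  </location>

  <!-- Only principals that carry a particular "affiliation" value as a
       role (roleAttributes="affiliation" must be configured).
       Replace the constructed value with one your IdP releases. -->
  <location path="staff">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="staff@example.org" />
        </authorization>
      </security>
    </system.webServer>
  </location>

</configuration>
```

Because every value of a listed attribute becomes a role, list in roleAttributes only attributes whose values you are prepared to treat as authorization grants.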