Allows the IIS to perform roles based AuthZ
Require REMOTE_USER
The way in which Roles base Authentication works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.
Attributes
| Name | Type | Default | Description |
|---|---|---|---|
authNRole | string | ShibbolethAuthN | Any principal which is logged in via the Shibboleth SP is given this role. |
roleAttributes | space separated string | none | All values of all provided attributes with the names given are added to the Roles associated with this principal |
Child Elements
No Child Elements may be specified
Example
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Roles roleAttributes="ePa ePsa" />
</ISAPI>
Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally the attributes 'ePa' and 'ePsa' will be queried and their values used as roles. Hence if a user logged in via the SP and the following attributes were provided
- eppn : "
User" - ePa : "member", "
walkin" - epSa: "
staff@example.org", "member@example.org"
The session would be have the REMOTE_USER variable set to be "User" (assuming that the default setting for ApplicationDefault> were used. and the following roles
ShibbolethAuthN (by Virtue of being "logged in")
member
walkin
staff@example.org
member@example.org