Shibboleth, Windows IIS Server specific configuration instructions
For IT Pros: This page explains additional configuration steps needed to modify shibboleth2.xml to work with IIS-based web applications.
In order to fill in the <Site> element of the InProcess block and choose the correct bitness of the Shibboleth download, you need to gather some information about the site you are setting up. This can all be done from IIS Manager (the tool used to configure IIS).
Specifically, you need to know for a given site:
- The site binding (what name and ports and protocol it is using)
- The internally assigned "Site Id" that's being used for the site.
- The application pool that the site is using.
- The bitness setting on that application pool, which determines whether you need the 32-bit or 64-bit Shibboleth download.
Please see Windows IIS Information Gathering for Shibboleth configuration (PDF) for guidance on how to locate this information.
Adding the InProcess code block
This code sample is from the original Shibboleth example file; it was removed from the campus-specific shibboleth2.xml file but should be added back for IIS server use. The id, name, scheme and port values in the <Site> tag are the ones gathered in the steps shown in the attachment.
If you wish to Shibboleth-enable multiple sites served from the same server, the <Site> tag can be repeated, once per site, with that site's information. Additional sites will also need to be registered with the IdP.
<!-- The InProcess section contains settings affecting web server modules.
     Required for IIS, but can be removed when using other web servers. -->
<InProcess>
  <ISAPI normalizeRequest="true" safeHeaderNames="true">
    <!-- Maps IIS Instance ID values to the host scheme/name/port. The name is
         required so that the proper <Host> in the request map is found without
         having to cover every possible DNS/IP combination the user might enter. -->
    <Site id="2" name="name.domain.illinois.edu" scheme="https" port="443"/>
    <!-- When the port and scheme are omitted, the HTTP request's port and scheme are used.
         If these are wrong because of virtualization, they can be explicitly set here to
         ensure proper redirect generation. -->
  </ISAPI>
</InProcess>
Adding the RequestMapper block
Next, IIS also needs the <RequestMapper> block. This example was likewise removed from the campus-specific shibboleth2.xml file and should be added back for IIS use.
In the code example below:
- The <Host> name attribute needs to match your web server name.
- 'Path name="secure"' means a directory named "secure" at the top level of that site is protected (you can change this directory name as needed). Accessing anything inside that directory will require authentication first.
- The second, commented-out <Host> example protects an entire site.
<RequestMapper type="Native">
  <RequestMap>
    <!-- The example requires a session for documents in /secure on the containing host with http and
         https on the default ports. Note that the name and port in the <Host> elements MUST match
         Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above. -->
    <Host name="name.domain.illinois.edu">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
    <!-- Example of a second vhost mapped to a different applicationId.
    <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
    -->
  </RequestMap>
</RequestMapper>
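The MUST-match rule above is easy to break silently: a <Host> whose name no ISAPI <Site> maps to never matches a request, so the <Path> rules under it are skipped and the directory is served without a session. The following added example (not from this page or the Shibboleth project) parses a constructed shibboleth2.xml fragment and reports such mismatches and duplicate IIS site ids; the hostnames in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hostnames are placeholders): one correct mapping, one
# Host with no matching Site, and two Site elements sharing an IIS site id.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="name.domain.illinois.edu">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="admin.domain.illinois.edu" applicationId="admin"
            authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
  <InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="2" name="name.domain.illinois.edu" scheme="https" port="443"/>
      <Site id="2" name="other.domain.illinois.edu"/>
    </ISAPI>
  </InProcess>
</SPConfig>"""

def _local(tag):
    """Strip the XML namespace so the check works whatever SP namespace the file uses."""
    return tag.rsplit("}", 1)[-1]

def _find(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_iis_mapping(xml_text):
    """Return a list of findings; an empty list means Host/Site names agree."""
    root = ET.fromstring(xml_text)
    findings, seen_ids = [], set()
    sites = _find(root, "Site")
    site_names = {s.get("name", "").lower() for s in sites}
    for s in sites:
        sid = s.get("id", "")
        if not sid.isdigit():
            findings.append(f"Site {s.get('name')}: id {sid!r} is not a numeric IIS site id")
        elif sid in seen_ids:
            findings.append(f"Site {s.get('name')}: duplicate IIS site id {sid}")
        seen_ids.add(sid)
    for h in _find(root, "Host"):  # hostnames compare case-insensitively
        hname = h.get("name", "").lower()
        if hname not in site_names:
            findings.append(f"Host {hname}: no ISAPI <Site> maps to this name; "
                            "its Path rules will never apply")
    return findings

if __name__ == "__main__":
    for finding in check_iis_mapping(SAMPLE):
        print("WARNING:", finding)
```

Run it against your own shibboleth2.xml by reading the file into check_iis_mapping; every Host in the RequestMap should be covered by a Site entry before you rely on the Path rules.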