University of Oregon

Identity Management - Shibboleth SP on Windows and IIS instructions

Audience: Faculty/Staff, Researcher, Student, GTF

The Shibboleth Service Provider is supported on Windows 2003 and 2008 and on both IIS 6 and IIS 7. It is implemented as an ISAPI filter that communicates with the Shibboleth service (analogous to the shibd daemon on Unix systems). Once it is installed, most of the configuration options are the same as on any other OS. However, the installation process differs significantly, and it is detailed below. Most of the instructions apply to both IIS 6 and IIS 7; I've noted where they differ.

For more complete installation notes and additional troubleshooting tips, refer to Internet2's Shibboleth wiki pages:

Configuration

  • If you are installing on IIS 7, it will make the installation and initial configuration easier if you install the IIS 6 Management Compatibility roles. This allows Shibboleth to configure itself as part of the installation process. Details on how to do this are here: Enabling IIS 6 Management Compatibility roles
  • Next, download the Shibboleth SP software from Shibboleth SP downloads
    Make sure to use the appropriate version for your architecture (32-bit or 64-bit).
  • Start the MSI installer by double-clicking the downloaded file. The default configuration options presented during the installation process should work on most servers. This document assumes that you used the default installation path (c:\opt\shibboleth-sp\). You will need to restart the system to complete the installation.
  • Now you will need to configure your SP for your application. Edit the shibboleth2.xml file; by default it is found in the c:\opt\shibboleth-sp\etc\shibboleth directory. Make the following changes:
    • In the section containing the <Site> elements, add a mapping for each web site that you plan to integrate with Shibboleth. Here is an example for the default site:
        <Site id="1" name="iistest1.uoregon.edu"/>
    • In the section containing the <Host> element, change the hostname from sp.example.org to your hostname. You can also configure URLs under each host that will require Shibboleth authentication. For example, this configures https://iistest1.uoregon.edu/secure to require Shibboleth authentication:
        <Host name="iistest1.uoregon.edu">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    • Modify the <ApplicationDefaults> element to use your application's URL for entityID and homeURL. If you are using the REMOTE_USER variable, you will also want to change the REMOTE_USER mapping to contain duckid. Here is an example for https://iistest1.uoregon.edu/secure:
        <ApplicationDefaults id="default" policyId="default"
            entityID="http://iistest1.uoregon.edu/secure"
            homeURL="http://iistest1.uoregon.edu/secure"
            REMOTE_USER="duckid eppn persistent-id targeted-id"
            signing="false" encryption="false"
            >
    • Configure your SP to point to the University of Oregon's test Identity Provider. This is done in the <SessionInitiator> element; the example below also shows the <MetadataProvider> entry that loads the IdP's metadata file:
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
            relayState="cookie" entityID="https://shibboleth-test.uoregon.edu/idp/shibboleth">
            <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
            <SessionInitiator type="Shib1" defaultACSIndex="5"/>
        </SessionInitiator>
        <MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\idp-metadata.xml" />
  • Restart the Shibboleth Service to make the configuration changes effective. If all goes well and you don't see any errors in the shibd.log, contact your Shibboleth administrator and they will add your application to the test instance.
  • Once this is done, here is an ASP.NET sample that you can use to verify the attributes that you are receiving from the IdP. Place it under a path that requires Shibboleth authentication (such as /secure in the example above) so that the request carries a session:
        <%@ Page Language="C#" %>
        <% Response.Write(Request.ServerVariables["ALL_HTTP"]); %>
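The "restart the service and check shibd.log" step above, as an added PowerShell example that is not part of this page or of the Shibboleth project. It first checks the shibboleth2.xml edits from the configuration steps (the <Site> and <Host> names agree, entityID and homeURL no longer point at sp.example.org, the <MetadataProvider> file exists), then restarts the service and reports any ERROR, CRIT or FATAL lines from the log. The install root follows the page's default path; the service name shibd_Default, the log location var\log\shibboleth\shibd.log and the configuration namespace URI are assumptions about a default Shibboleth SP 2.x Windows install and should be confirmed against your server.

```powershell
# Added example (not from the UO page or the Shibboleth project): validate the
# shibboleth2.xml edits, restart the SP service and scan shibd.log for errors.
# Service name, log path and namespace URI are assumptions about a default
# Shibboleth SP 2.x Windows install; confirm them with Get-Service and a look
# under $ShibRoot\var\log before relying on this script.
param(
    [string]$ShibRoot     = 'C:\opt\shibboleth-sp',       # default install path from the page
    [string]$ServiceName  = 'shibd_Default',              # assumed; check with: Get-Service shibd*
    [string]$ExpectedHost = 'iistest1.uoregon.edu'        # the site used in the examples above
)

$configPath = Join-Path $ShibRoot 'etc\shibboleth\shibboleth2.xml'
$logPath    = Join-Path $ShibRoot 'var\log\shibboleth\shibd.log'   # assumed default log path

function Test-ShibConfig {
    param([string]$Path, [string]$HostName)
    $problems = @()
    if (-not (Test-Path $Path)) { return "config file not found: $Path" }

    # Parse as XML first: a malformed edit keeps shibd from starting at all.
    try { $xml = [xml](Get-Content -Path $Path) }
    catch { return "shibboleth2.xml is not well-formed XML: $($_.Exception.Message)" }

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('c', 'urn:mace:shibboleth:2.0:native:sp:config')   # assumed SP 2.x namespace

    # The <Site> name (ISAPI filter side) and the <Host> name (request map side)
    # must agree, or requests for the IIS site never reach the protected <Path> rules.
    $sites = @($xml.SelectNodes('//c:Site', $ns) | ForEach-Object { $_.GetAttribute('name') })
    $hosts = @($xml.SelectNodes('//c:Host', $ns) | ForEach-Object { $_.GetAttribute('name') })
    if ($sites -notcontains $HostName) { $problems += "no <Site> mapping for $HostName" }
    if ($hosts -notcontains $HostName) { $problems += "no <Host> entry for $HostName" }

    # entityID/homeURL left at the shipped placeholder means that edit was skipped.
    $app = $xml.SelectSingleNode('//c:ApplicationDefaults', $ns)
    if ($app -eq $null) {
        $problems += 'no <ApplicationDefaults> element found'
    } else {
        foreach ($attr in 'entityID', 'homeURL') {
            if ($app.GetAttribute($attr) -match 'sp\.example\.org') {
                $problems += "$attr still points at sp.example.org"
            }
        }
    }

    # A file-based <MetadataProvider> whose file is missing shows up as an ERROR
    # in shibd.log immediately after the restart; catch it before restarting.
    foreach ($mp in $xml.SelectNodes('//c:MetadataProvider[@type="XML"]', $ns)) {
        $file = $mp.GetAttribute('file')
        if ($file -and -not (Test-Path $file)) { $problems += "metadata file not found: $file" }
    }
    return $problems
}

function Get-ShibLogErrors {
    param([string[]]$Lines, [int]$Tail = 200)
    # shibd.log lines have the form "<date> <time> <LEVEL> <category> : <message>".
    # Any ERROR, CRIT or FATAL line among the most recent entries means the new
    # configuration did not load cleanly.
    $Lines | Select-Object -Last $Tail | Where-Object { $_ -match '^\S+ \S+ (ERROR|CRIT|FATAL) ' }
}

$problems = @(Test-ShibConfig -Path $configPath -HostName $ExpectedHost)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error "Fix $configPath before restarting $ServiceName."
    return
}

Restart-Service -Name $ServiceName -ErrorAction Stop
Start-Sleep -Seconds 5   # give shibd a moment to parse the config and write its log

$logErrors = @()
if (Test-Path $logPath) {
    $logErrors = @(Get-ShibLogErrors -Lines (Get-Content -Path $logPath))
} else {
    Write-Warning "log file not found: $logPath"
}

if ($logErrors.Count -gt 0) {
    $logErrors | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "$ServiceName restarted; no recent errors in shibd.log."
}
```

Run it from an elevated PowerShell prompt on the SP host after saving shibboleth2.xml. The configuration checks run before the restart on purpose: a service that fails to start because of a typo in the XML leaves every protected path unreachable, so it is cheaper to catch the mistake while the old configuration is still serving.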