Instructions for Installing the Shibboleth ISAPI module
on Windows 2003 and IIS6
- Windows 2003 R2 SP2 installed
- IIS6 installed
Follow the installation and configuration instructions you received after the approval of your SP
- Run the installer and follow the directions. Please do not change any paths or port settings.
- Once installation is complete, reboot your machine
- The installer should have added the ISAPI filter to your web sites. To check this:
  - Start up the IIS Manager.
  - Right click on “Web Sites” and click Properties. Click on the “ISAPI Filters” tab. You should see a Shibboleth entry with a priority of High.
  - Click on the “Home Directory” tab and then click on the “Configuration” button. In the application extensions area you should see an extension of “.sso” with an executable path of C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll that allows all verbs.
- The installer should have added a Shibboleth service to your machine. To check this:
  - Click on Start, and then Run, and enter: “services.msc /s”
  - You should see a service named “Shibboleth 2.0 Daemon”. It should be started and set to start automatically on boot.
- Shibboleth is now installed
Access control in Shibboleth on IIS is done by modifying the shibboleth2.xml file in C:\opt\shibboleth-sp\etc\shibboleth. In that file you will find the definition for your host, to which you add access control rules.
Access control rules allow you to use Boolean logic to specify whether a web resource is accessible based on what attributes are available. One of the attributes in our environment that is used in access control is “primary-affiliation”. It specifies whether the user accessing the resource is “Staff”, “Student”, or “Guest”. For example, a rule to allow only “Staff” to access a resource would look like this:
To allow access only if the user is either “Staff” or “Student”, you would use this rule:
<AccessControl>
  <OR>
    <Rule require="primary-affiliation">STAFF</Rule>
    <Rule require="primary-affiliation">STUDENT</Rule>
  </OR>
</AccessControl>
To protect content on your website, you will need to do the following:
- Open up the shibboleth2.xml file located in C:\opt\shibboleth-sp\etc\shibboleth
- Look for a <RequestMapper> element in the shibboleth2.xml file. There should be a child element named <Host> that has an attribute named “name” that is your website’s name
- There should be a child element of <Host> named <Path> that has an attribute named “name” which corresponds to a URL in your website that you want protected. By default that name is “secure”. Change the name to the part of your web space that you want protected, e.g. if you want to protect http://hostname.ufl.edu/payroll then the name attribute would be “payroll”.
- Create a child element of <Path> named <AccessControl> which follows the syntax in the above section.
- Restart the Shibboleth daemon
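To review a rule before restarting the daemon, the following added example (not part of the original instructions or of Shibboleth itself) holds the <RequestMapper> layout the steps above produce and evaluates its Boolean logic offline against sample attribute values. The function names are hypothetical, the authType and requireSession attributes are assumed from the stock configuration file, and rule matching is simplified to exact string comparison of space-separated values.

```python
import xml.etree.ElementTree as ET

# Constructed sample following the steps above; host and path are the page's
# payroll illustration, authType/requireSession are assumed from the stock file.
SAMPLE = """
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="hostname.ufl.edu">
      <Path name="payroll" authType="shibboleth" requireSession="true">
        <AccessControl>
          <OR>
            <Rule require="primary-affiliation">STAFF</Rule>
            <Rule require="primary-affiliation">STUDENT</Rule>
          </OR>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
"""

def local(tag):
    """Strip an XML namespace so elements from a real shibboleth2.xml match."""
    return tag.rsplit("}", 1)[-1]

def evaluate(node, attrs):
    """Evaluate a Rule or Boolean operator against {attribute: [values]}."""
    name, kids = local(node.tag), list(node)
    if name == "Rule":  # assumed: any listed value matching any user value
        wanted = (node.text or "").split()
        return any(v in wanted for v in attrs.get(node.get("require"), []))
    if name == "AND":
        return all(evaluate(k, attrs) for k in kids)
    if name == "OR":
        return any(evaluate(k, attrs) for k in kids)
    if name == "NOT":
        return not evaluate(kids[0], attrs)
    raise ValueError("unsupported element: " + name)

def decide(xml_text, host, path, attrs):
    """True/False for the rule on host/path; None if no <AccessControl> is set."""
    for h in ET.fromstring(xml_text).iter():
        if local(h.tag) != "Host" or h.get("name") != host:
            continue
        for p in (c for c in h if local(c.tag) == "Path"):
            rules = [c for c in p if local(c.tag) == "AccessControl"]
            if p.get("name") == path and rules:
                return evaluate(rules[0][0], attrs)
    return None
```

A result of None from decide means the named path carries no attribute rule at all, which is worth catching when the default “secure” path name was never changed to the directory you meant to protect.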