Instructions for Installing the Shibboleth ISAPI module
on Windows 2003 and IIS6

Prerequisites

  • Windows 2003 R2 SP2 installed
  • IIS6 Installed

Installation steps

Follow the installation and configuration instructions you received after the approval of your SP

  1. Run the installer and follow the directions. Please do not change any paths or port settings.
  2. Once installation is complete, reboot your machine
  3. The installer should have added the ISAPI filter to your web sites. To check this:
    • Start up the IIS Manager
    • Right click on “Web Sites” and click properties. Click on the “ISAPI Filters” tab.
      You should see a Shibboleth entry with a priority of High.
    • Click on the “Home Directory” tab and then click on the “Configuration” button. In the application extensions area you should see an extension of “.sso” with an executable path of C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll that allows all verbs.
  4. The installer should have added a Shibboleth service to your machine. To check this:
    • Click on Start, then Run, and enter: “services.msc /s”
    • You should see a service named “Shibboleth 2.0 Daemon”. It should be started and set to start automatically on boot.
  5. Shibboleth is now installed

Configuring Shibboleth

Under Construction


Protecting Content

Access control in Shibboleth on IIS is done by modifying the shibboleth2.xml file in C:\opt\shibboleth-sp\etc\shibboleth. In that file you will find the definition for your host, and that is where you add the access control rules.

Access control rules allow you to use Boolean logic to specify whether a web resource is accessible based on which attributes are available. One of the attributes in our environment that is used in access control is “primary-affiliation”. It specifies whether the user accessing the resource is a “Staff”, “Student”, or “Guest”. For example, a rule that allows only “Staff” to access a resource looks like this:

<AccessControl><Rule require="primary-affiliation">STAFF</Rule></AccessControl>

To protect content if the user is either a “Staff” or “Student” you would use this rule:

<AccessControl>
    <OR>
        <Rule require="primary-affiliation">STAFF</Rule>
        <Rule require="primary-affiliation">STUDENT</Rule>
    </OR>
</AccessControl>

To protect content on your website, you will need to do the following:

  1. Open up the shibboleth2.xml file located in C:\opt\shibboleth-sp\etc\shibboleth.
  2. Look for a <RequestMapper> element in the shibboleth2.xml file. There should be a child element named <Host> that has an attribute named “name” whose value is your website’s name.
  3. There should be a child element of <Host> named <Path> that has an attribute named “name” which corresponds to a URL in your website that you want protected. By default that name is “secure”. Change the name to the part of your web space that you want protected, e.g. if you want to protect http://hostname.ufl.edu/payroll then the name attribute would be “payroll”.
  4. Create a child element of <Path> named <AccessControl> which follows the syntax in the above section.
  5. Restart the Shibboleth daemon.
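As an added example (not part of the original instructions or of the Shibboleth SP distribution), the script below parses a constructed shibboleth2.xml fragment laid out as in the steps above and reports, for every <Path> under each <Host>, whether it carries an <AccessControl> rule, merely requires a session, or has no protection at all. The fragment uses the SP 2.x default namespace and the authType/requireSession attributes that the default “secure” <Path> carries; the host name hostname.ufl.edu and the three paths are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Shibboleth SP 2.x shibboleth2.xml;
# the host and path names are placeholders, not a real deployment.
SAMPLE_XML = """<RequestMapper type="Native" xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMap applicationId="default">
    <Host name="hostname.ufl.edu">
      <Path name="payroll" authType="shibboleth" requireSession="true">
        <AccessControl><OR>
          <Rule require="primary-affiliation">STAFF</Rule>
          <Rule require="primary-affiliation">STUDENT</Rule>
        </OR></AccessControl>
      </Path>
      <Path name="intranet" authType="shibboleth" requireSession="true"/>
      <Path name="public"/>
    </Host>
  </RequestMap>
</RequestMapper>"""

OPS = ("Rule", "AND", "OR", "NOT")

def local(tag):
    """Strip the XML namespace so tags compare as plain element names."""
    return tag.rsplit("}", 1)[-1]

def rule_text(node):
    """Render an AccessControl subtree (Rule / AND / OR / NOT) as a readable expression."""
    name = local(node.tag)
    if name == "Rule":
        return f'{node.get("require")}={node.text.strip()}'
    parts = [rule_text(c) for c in node if local(c.tag) in OPS]
    if name == "NOT":
        return f"NOT({parts[0]})"
    return "(" + f" {name} ".join(parts) + ")"

def audit_paths(xml_text):
    """Return {"host/path": description} telling how each Path is protected."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in (n for n in root.iter() if local(n.tag) == "Host"):
        for path in (c for c in host if local(c.tag) == "Path"):
            key = f'{host.get("name")}/{path.get("name")}'
            ac = next((c for c in path if local(c.tag) == "AccessControl"), None)
            if ac is not None:
                result[key] = "attribute rule: " + " ".join(rule_text(c) for c in ac if local(c.tag) in OPS)
            elif path.get("requireSession") == "true":
                result[key] = "session required, no attribute rule"
            else:
                result[key] = "UNPROTECTED"
    return result
```

Running audit_paths over your own shibboleth2.xml after step 5 is a quick way to confirm that the path you meant to protect actually received the rule and that no other path was left open by accident.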