KB0011325
NetBadge for Developers: Editing the shibboleth2.xml Configuration File
Configure Shibboleth for IIS Versions 7 & 8
This page is intended to help Windows system administrators configure Shibboleth for IIS versions 7 and 8.
Before proceeding, save a copy of C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml as shibboleth2.xml.orig (or a similar name), then open shibboleth2.xml in a text editor.
- Find <ISAPI...>...<Site id="1" name="sp.example.org"/>. Change the site id to match the id assigned to your site by IIS. The site id will be 1 for the default website. You can find your site id in Internet Information Services (IIS) Manager by clicking on Web Sites (IIS 6) or Sites (IIS 7.x).
In this same location, change the name to your DNS name (e.g. myserver.mydept.washington.edu). Copy your DNS name to the clipboard, because you will need to enter it twice more.
<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <!--
        Maps IIS Instance ID values to the host scheme/name/port. The name is
        required so that the proper <Host> in the request map above is found
        without having to cover every possible DNS/IP combination the user might
        enter.
        -->
        <Site id="1" name="myserver.eservices.virginia.edu" scheme="https" port="443"/>
        <!--
        When the port and scheme are omitted, the HTTP request's port and scheme
        are used. If these are wrong because of virtualization, they can
        be explicitly set here to ensure proper redirect generation.
        -->
        <!--
        <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
        -->
    </ISAPI>
</InProcess>
- Find <RequestMap>...<Host name="sp.example.org">. Change the name to your DNS name.
<RequestMapper type="Native">
    <RequestMap>
        <!--
        The example requires a session for documents in /secure on the
        containing host with http and https on the default ports. Note
        that the name and port in the <Host> elements MUST match
        Apache's ServerName and Port directives or the IIS Site name
        in the <ISAPI> element above.
        -->
        <Host name="myserver.eservices.virginia.edu">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
            <Path name="secure2" authType="shibboleth" requireSession="true"/>
        </Host>
        <!-- Example of a second vhost mapped to a different applicationId. -->
        <!--
        <Host name="admin.example.org" applicationId="admin"
            authType="shibboleth" requireSession="true"/>
        -->
    </RequestMap>
</RequestMapper>
- Find <ApplicationDefaults entityID="https://sp.example.org/shibboleth"...>. Replace sp.example.org with your DNS name (e.g., https://myserver.mydept.virginia.edu/shibboleth).
<ApplicationDefaults entityID="https://myserver.eservices.virginia.edu/shibboleth"
    REMOTE_USER="samAccountName uid eppn persistent-id targeted-id">
- Test your configuration using a local hosts file (/etc/hosts, or the Windows equivalent) containing:
128.143.125.97 shibidp.its.virginia.edu
The production IdP entityID is urn:mace:incommon:virginia.edu; use this value for testing as well.
<SSO entityID="urn:mace:incommon:virginia.edu">
    SAML2 SAML1
</SSO>
- Find <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css" /> and change the email address to your application's support email address.
<Errors supportContact="4HELP@virginia.edu"
    helpLocation="/about.html"
    styleSheet="/shibboleth-sp/main.css"/>
- Download the IdP metadata file from https://shibidp.its.virginia.edu/idp/shibboleth/uva-idp-metadata.xml. Save this file as UVAmetadata.xml in the same folder as shibboleth2.xml.
- Find the <MetadataProvider type="XML" file=... /> line and uncomment it by removing the <!-- and --> tags that surround it.
- Replace file="partner-metadata.xml" with file="UVAmetadata.xml".
<MetadataProvider type="XML" file="UVAmetadata.xml"/>
- Save shibboleth2.xml and close your editor.
- Locate the attribute-map.xml file and add the following line at the end of the <Attributes> element (before its closing tag).
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
- Use Internet Information Services (IIS) Manager to restart IIS, and Administrative Tools > Services to restart the Shibboleth 2 Daemon.
- Using a browser on the server, reload the status handler page at https://localhost/Shibboleth.sso/Status. Several lines down from the top you should see the updated value for the entity ID you configured in step 3 (the ApplicationDefaults entityID). You may need to refresh your browser to see the updated information.
- Download your SP metadata from https://<your DNS name>/Shibboleth.sso/Metadata. Depending on your OS and browser, the metadata might be displayed in the browser or you might be asked to save the file. If you save the file with a .xml extension and open it in your browser, it will be easier to read. Make sure there are no instances of sp.example.org in the URLs; any such references should have been replaced by your DNS name. Once everything is correct, ITS will download your SP metadata from https://Your-Virtual-Host-Name/Shibboleth.sso/Metadata.
NOTE: Sometimes the installer will not create the sp-cert.pem and sp-key.pem files correctly. If you discover these files to be incorrect or non-existent, run the keygen.bat file located in C:\opt\shibboleth-sp\etc\shibboleth.
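As an added check (example code, not from this KB article or the Shibboleth project), the script below parses an edited shibboleth2.xml and reports which of the steps above were missed, including the sp.example.org check from the last step. The IdP entityID and metadata filename are the article's; the sample document is constructed, and the SP 2.x configuration namespace is assumed.

```python
# Added check, not from the KB article or the Shibboleth project: parse an
# edited shibboleth2.xml and list which of the steps above were missed. The
# IdP entityID and metadata filename are the article's; the sample is constructed.
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = "sp.example.org"
IDP_ENTITY_ID = "urn:mace:incommon:virginia.edu"
IDP_METADATA_FILE = "UVAmetadata.xml"

def _named(root, name):
    # Compare local tag names so the config namespace URI does not matter.
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def check_shibboleth2(xml_text):
    """Return a list of problems; an empty list means the edits look complete."""
    problems = []
    if PLACEHOLDER in xml_text:
        problems.append("placeholder " + PLACEHOLDER + " still present")
    root = ET.fromstring(xml_text)
    site_names = {s.get("name") for s in _named(root, "Site")}
    host_names = {h.get("name") for h in _named(root, "Host")}
    if not site_names & host_names:  # ISAPI <Site> must match a RequestMap <Host>
        problems.append("no <Site> name matches a RequestMap <Host> name")
    app = _named(root, "ApplicationDefaults")
    entity = app[0].get("entityID", "") if app else ""
    m = re.match(r"https://([^/]+)/shibboleth$", entity)
    if not m or m.group(1) not in site_names:  # entityID host is the site DNS name
        problems.append("entityID " + repr(entity) + " does not use the site DNS name")
    sso = _named(root, "SSO")
    if not sso or sso[0].get("entityID") != IDP_ENTITY_ID:
        problems.append("SSO entityID is not " + IDP_ENTITY_ID)
    err = _named(root, "Errors")
    if not err or err[0].get("supportContact", "").endswith("@localhost"):
        problems.append("Errors supportContact is still the default")
    # A still-commented <MetadataProvider> is invisible to the parser, so this
    # also catches a line that was edited but never uncommented.
    files = {mp.get("file") for mp in _named(root, "MetadataProvider")}
    if IDP_METADATA_FILE not in files:
        problems.append("no active MetadataProvider loads " + IDP_METADATA_FILE)
    return problems

# Constructed sample (SP 2.x namespace assumed) with every edit above applied.
EDITED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
<InProcess><ISAPI><Site id="1" name="myserver.eservices.virginia.edu"/></ISAPI></InProcess>
<RequestMapper><RequestMap><Host name="myserver.eservices.virginia.edu"/></RequestMap></RequestMapper>
<ApplicationDefaults entityID="https://myserver.eservices.virginia.edu/shibboleth">
<SSO entityID="urn:mace:incommon:virginia.edu">SAML2 SAML1</SSO><Errors supportContact="4HELP@virginia.edu"/>
<MetadataProvider type="XML" file="UVAmetadata.xml"/></ApplicationDefaults></SPConfig>"""
```

Run check_shibboleth2 on the real file's contents; an empty list means the DNS name, IdP entityID, support contact and metadata provider edits are all in place and the placeholder is gone.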
Short URL for this page: https://in.virginia.edu/netbadge-shibboleth