The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SPWindowsInstallIIS5

Owned by Scott Cantor
Last updated: Dec 22, 2006Version comment
2 min read

Install Shibboleth in IIS 5

This information is for IIS 5. Once completed, please return to the main installation instructions and proceed with step 3.

The package includes an ISAPI filter and bundled extension for session startup in a single library, libexec\isapi_shib.dll. This filter is configured using commands in C:\opt\shibboleth\etc\shibboleth\shibboleth.xml (or wherever you've installed the software). Make sure you or the installer has added the lib directory to the path. You will generally need to restart the system after installation. Installing the extension into IIS is a multi-step process:

  • Add the filter using the Internet Services Manager MMC console. Right click on the machine icon on the left, and edit the WWW Service master properties. On the "ISAPI Filters" tab, add a new filter called Shibboleth and specify the DLL named above. The priority should be High, and once the filter is loaded, make sure it appears in the list below the sspifilt entry. Restart IIS and make sure the filter shows up with a green arrow. Check the Windows event log and/or the Shibboleth logs if it fails to load.
  • Map a special, distinct file extension, such as .sso, to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. Right click on the machine icon on the left, and edit the WWW Service master properties. On the "Home Directory" tab, add a script mapping using the "Configuration" button. The "Executable" box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but .sso is assumed (and the dot must be included). You should NOT select the option to limit verbs, and you MUST uncheck the "Check that file exists" box.

All other aspects of configuration are handled via the shibboleth.xml file and associated XML files described in subsequent sections. Particular use is made of the Implementation/ISAPI element that allows IIS sites to be mapped to a hostname for proper request mapping and generation of redirects. This must be configured now.

Instance IDs are used in the IIS metabase to identify web sites. In older versions, they are applied starting with 1(one) and number the web sites in order in the Internet Services Manager from top to bottom. Newer versions appear to assign some IID values with strange ASCII formulas applied to the site name. A simple ASP or CGI script can be run within a site to dump the INSTANCE_ID header.

Running shibd

%COMMENT%