
Allows the IIS7 module to perform roles based authorization.


The way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.


| Name | Type | Default | Description |
|------|------|---------|-------------|
| authNRole | string | ShibbolethAuthN | Any principal which is logged in via the SP is given this role. |
| roleAttributes | whitespace-delimited list of strings | none | All values of all identified SP-mapped attributes are added to the Roles associated with this principal. |

Child Elements



Roles based AuthZ
	<Site id="1" name="" />
	<Roles roleAttributes="affiliation" />

Every SP-authenticated principal will be given the role ShibbolethAuthN. Additionally, the attribute called "affiliation" will be queried and its values used as roles. Hence, if a user logged in via the SP and the following attributes were provided:

  • eppn :  "jdoe"
  • affiliation : "", ""

The session would have the REMOTE_USER variable set to "jdoe" (assuming the default settings) and the following roles:

  • ShibbolethAuthN  (by virtue of being "logged in")
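The role assignment described above, modelled in Python as an added example (not code from the Shibboleth project): it reads a <Roles> element and a session's SP-mapped attributes and returns the resulting role set. The function name, the sample affiliation values and the treatment of a listed attribute that is absent from the session are assumptions.

```python
import xml.etree.ElementTree as ET

# Default value of authNRole, as given in the attribute list on this page.
DEFAULT_AUTHN_ROLE = "ShibbolethAuthN"


def effective_roles(roles_xml, sp_attributes):
    """Model the role set attached to a principal (hypothetical helper).

    roles_xml:     the <Roles .../> element as text
    sp_attributes: SP-mapped attribute id -> list of values for the session
    """
    elem = ET.fromstring(roles_xml)
    # Accept the element with or without an XML namespace prefix.
    if elem.tag.rsplit("}", 1)[-1] != "Roles":
        raise ValueError("expected a <Roles> element")

    # authNRole: given to every principal logged in via the SP.
    roles = {elem.get("authNRole", DEFAULT_AUTHN_ROLE)}

    # roleAttributes: whitespace-delimited attribute ids, default none.
    for attr_id in elem.get("roleAttributes", "").split():
        # Every value of every listed attribute becomes a role.
        # Assumption: an attribute missing from the session adds nothing.
        roles.update(sp_attributes.get(attr_id, []))
    return roles


# Constructed session data; the affiliation values are placeholders.
SAMPLE_SESSION = {
    "eppn": ["jdoe"],
    "affiliation": ["member@example.org", "staff@example.org"],
}

if __name__ == "__main__":
    for cfg in ('<Roles roleAttributes="affiliation" />', "<Roles />"):
        print(cfg, "->", sorted(effective_roles(cfg, SAMPLE_SESSION)))
```

Because every value of a listed attribute is used as a role name, roleAttributes should name only attributes whose values are acceptable as roles in the application's authorization rules.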


