Page tree
Skip to end of metadata
Go to start of metadata

Allows the IIS7 module to perform roles based authorization.

Require REMOTE_USER

The way in which this feature works in IIS means that a valid REMOTE_USER must be specified. This allows the plugin to provide a Principal which can be interrogated for roles.

Attributes

NameTypeDefaultDescription
authNRolestringShibbolethAuthNAny principal which is logged in via the SP is given this role.
roleAttributeswhitespace-delimited list of stringsnoneAll values of all identified SP-mapped attributes are added to the Roles associated with this principal.

Child Elements

None

Example

Roles based AuthZ
<ISAPI>
	<Site id="1" name="sp.example.org" />
	<Roles roleAttributes="affiliation" />
</ISAPI>

Every SP-authenticated principal will be given the role ShibbolethAuthN.  Additionally the attribute called "affiliation" will be queried and its values used as roles. Hence if a user logged in via the SP and the following attributes were provided

  • eppn :  "jdoe"
  • affiliation : "member@example.org", "student@example.org"

The session would be have the REMOTE_USER variable set to be "jdoe" (assuming that the default settings) and the following roles:

  • ShibbolethAuthN  (by virtue of being "logged in")

  • student@example.org

  • member@example.org

  • No labels