SHIBBOLETH SETUP DOCUMENTATION
Shibboleth and IIS 6
Instructions for Installing the Shibboleth ISAPI module on Windows 2003 and IIS6
Windows 2003 R2 SP2 installed
Download the Shibboleth installer from: Shibboleth Download site
Run the installer and follow the directions. Please do not change any paths or port
Once installation is complete, reboot your machine
The installer should have added the ISAPI filter to your web sites. To check this:
o Start up the IIS Manager
o Right click on "Web Sites" and click Properties. Click on the "ISAPI Filters" tab.
You should see a Shibboleth entry with a priority of High.
o Click on the "Home Directory" tab and then click on the "Configuration" button.
In the application extensions area you should see an extension of ".sso" with an
executable path of C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll that allows all
The installer should have added a Shibboleth service to your machine. To check this:
o Click on Start, then Run, and enter: "services.msc /s"
o You should see a service named "Shibboleth 2.0 Daemon". It should be started
and set to start automatically on boot.
Shibboleth is now installed
Service Provider Approval
Have the Service Providers approved by IAS, CNS.
You will need to go to the website and complete the request form that identifies
administrators and security ISA, ISM and other info regarding your service. Please
see form at http://www.it.ufl.edu/identity/shibboleth/Access.asp
It will be reviewed, and forwarded to OSG for implementation.
Wait for approval from the IAM Administration.
On approval they provide you with URNs (entity IDs) for your production machine as well as
your test machine, based on the request.
The ARPs (attribute release policies) that you requested are also included.
To actually use Shibboleth you will need a few certificates and a configuration file. To
get these files go to http://open-systems.ufl.edu/shibboleth and download
The following steps are to be followed once for each URN (test and production).
You will need to replace a few things in the file. They are:
o _HOSTNAME_ with the fully-qualified domain name of your site
o _URN_ with your entity ID from your SP approval notification (this should be the
entire URN, i.e. urn:edu:ufl:test:#####)
o For IIS users: _SITEID_ with the IIS site Identifier (the numeric ID shown in IIS Manager) for this site
After you replace these entries, place the file in c:\opt\shibboleth-sp\etc\shibboleth for
Open Systems will provide you certificates and directions on how to install them on your
Next you will need to generate a new key and certificate for your SP to exchange with the
To do this, first remove the sp-key.pem and sp-cert.pem files in c:\opt\shibboleth-
This is the same directory where your shibboleth2.xml file is located. Then open a
command prompt in that directory and run: keygen.bat -h
This will create a new sp-key.pem and sp-cert.pem. Rename sp-key.pem to
_HOSTNAME_.key and sp-cert.pem to _HOSTNAME_.cert. The .key file is your SP's private
key: do not send it to anyone (only the certificate is exchanged with the IdP side), and
make sure it does not sit under a directory that IIS serves.
You will now need to restart your web server software and the Shibboleth service/daemon.
You should then be able to access: http://_HOSTNAME_/Shibboleth.sso/Metadata.
When this works (by that, we mean you can see your full URN, matching URLs, and the
new certificate/public key in the metadata), notify IAM so that they can add your SP to
the IdP; after that you can start to protect content.
Access control in Shibboleth on IIS is done by modifying the shibboleth2.xml file in
C:\opt\shibboleth-sp\etc\shibboleth. In that file you will find the definition for your host;
the access control rules are added under it.
Access control rules allow you to use Boolean logic to specify whether a web resource is
accessible based on what attributes are available. One of the attributes in our environment
that is used in access control is "primary-affiliation". It specifies whether the user accessing the
resource is "Staff" or "Student" (values S or T). For example, a rule can allow only "Staff"
to access a resource, or allow access when the user is either "Staff" or "Student".
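The rules described above, written out as an added example in Shibboleth SP 2.x XML access-control syntax (this is not text from the original page or from UF's own configuration). It assumes the attribute is exposed under the id "primary-affiliation" in attribute-map.xml and that Staff is "S" and Student is "T"; the page lists the two letters without saying which is which, so check the mapping against your ARP. A Rule can only pass if the IdP actually releases the attribute to this SP, so a user without the attribute is denied (the rule fails closed).

```xml
<!-- Added example, not from the original page. Shibboleth SP 2.x XML access control.
     Assumptions: attribute id "primary-affiliation" is mapped in attribute-map.xml;
     Staff = "S", Student = "T" (the page does not say which letter is which). -->

<!-- Allow only Staff: a single Rule passes when the named attribute has the given value. -->
<AccessControl>
  <Rule require="primary-affiliation">S</Rule>
</AccessControl>

<!-- Allow Staff or Student: several whitespace-separated values in one Rule are OR'ed. -->
<AccessControl>
  <Rule require="primary-affiliation">S T</Rule>
</AccessControl>

<!-- The same Staff-or-Student rule with an explicit OR; use this form when the
     alternatives test different attributes rather than different values of one. -->
<AccessControl>
  <OR>
    <Rule require="primary-affiliation">S</Rule>
    <Rule require="primary-affiliation">T</Rule>
  </OR>
</AccessControl>

<!-- Boolean combination: Staff, except one specific account. "user" is the built-in
     rule that matches REMOTE_USER; the account name jdoe is a hypothetical value. -->
<AccessControl>
  <AND>
    <Rule require="primary-affiliation">S</Rule>
    <NOT>
      <Rule require="user">jdoe</Rule>
    </NOT>
  </AND>
</AccessControl>
```

Each <Path> takes at most one <AccessControl> element, so pick one of the blocks above (they are alternatives, not a sequence) and place it inside the <Path> for the content it guards. If a user you expect to pass is denied, the first thing to check is http://_HOSTNAME_/Shibboleth.sso/Session, which lists the attributes the IdP actually released for that session.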
To protect content on your website, you will need to do the following:
Open up the shibboleth2.xml file located in C:\opt\shibboleth-sp\etc\shibboleth
Look for the <RequestMapper> element in the shibboleth2.xml file. There should be a child
element named <Host> that has an attribute named "name" whose value is your website's name.
There should be a child element of <Host> named <Path> that has an attribute named
"name" which corresponds to a URL path in your website that you want protected. By default
that name is "secure". Change the name to the part of your web space that you want
protected, e.g. if you want to protect http://hostname.ufl.edu/Abc then the name attribute
would be "Abc".
Create a child element of <Path> named <AccessControl> which follows the syntax in
the above section.
Path tags can be nested within each other for customized selection of folders inside a
<Path name="Applications/Net" authType="shibboleth" >
    <Path name="Donors/test_shib.aspx" authType="shibboleth" requireSession="true" />
    <Path name="Shibboleth/default.aspx" authType="shibboleth" requireSession="true" />
    <Path name="Common/index.aspx" authType="shibboleth" requireSession="true" />
</Path>
Restart the Shibboleth daemon and your web server after making any changes to shibboleth2.xml.
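The placeholder substitutions described earlier (_HOSTNAME_, _URN_, _SITEID_), the renamed key and certificate files, and the nested <Path> mapping from this section, shown together in one trimmed shibboleth2.xml fragment. This is an added example, not the file Open Systems distributes and not UF's configuration; it assumes the host name sp.example.ufl.edu, the entity ID urn:edu:ufl:test:12345 and IIS site Identifier 1, all hypothetical. Listeners, caches, metadata providers and session initiators are omitted because they do not change with the substitutions, so this is not a complete file on its own.

```xml
<!-- Added example (SP 2.x), not from the original page. Assumed values:
     _HOSTNAME_ = sp.example.ufl.edu, _URN_ = urn:edu:ufl:test:12345, _SITEID_ = 1.
     Listener, cache, MetadataProvider and SessionInitiator elements are omitted. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- In-process (ISAPI) settings. _SITEID_ is the IIS site Identifier; the name must be the
       FQDN clients use, because it is what the filter matches against <Host> below. -->
  <InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="1" name="sp.example.ufl.edu"/>
    </ISAPI>
  </InProcess>

  <!-- Request mapping: which URL paths are protected, and by what rule. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.ufl.edu">

        <!-- http://sp.example.ufl.edu/Abc: requires a session, then allows Staff only
             (assumes Staff = "S", as in the access-control example above). -->
        <Path name="Abc" authType="shibboleth" requireSession="true">
          <AccessControl>
            <Rule require="primary-affiliation">S</Rule>
          </AccessControl>
        </Path>

        <!-- Nested paths: only these three pages under /Applications/Net require a session;
             other content in that folder stays open because the outer Path does not set
             requireSession. -->
        <Path name="Applications/Net" authType="shibboleth">
          <Path name="Donors/test_shib.aspx" authType="shibboleth" requireSession="true"/>
          <Path name="Shibboleth/default.aspx" authType="shibboleth" requireSession="true"/>
          <Path name="Common/index.aspx" authType="shibboleth" requireSession="true"/>
        </Path>

      </Host>
    </RequestMap>
  </RequestMapper>

  <!-- entityID is the full _URN_ from the approval notification. -->
  <ApplicationDefaults id="default" policyId="default"
                       entityID="urn:edu:ufl:test:12345"
                       signing="false" encryption="false">

    <!-- handlerURL is why /Shibboleth.sso/Metadata and /Shibboleth.sso/Session work.
         handlerSSL="false" matches the plain-http metadata URL used on this page. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false"/>

    <!-- Key pair from keygen.bat after the rename to _HOSTNAME_.key / _HOSTNAME_.cert.
         Paths are relative to C:\opt\shibboleth-sp\etc\shibboleth. The .key file is the
         SP's private key and must never be under a directory IIS serves. -->
    <CredentialResolver type="File"
                        key="sp.example.ufl.edu.key"
                        certificate="sp.example.ufl.edu.cert"/>

  </ApplicationDefaults>
</SPConfig>
```

After restarting the daemon and IIS, check the mapping rather than assuming it: a browser request to http://sp.example.ufl.edu/Abc with no session must be redirected into the login flow, not served, and http://sp.example.ufl.edu/Shibboleth.sso/Metadata must show the entityID and the new certificate. If a user is redirected to the IdP but then refused, compare /Shibboleth.sso/Session against the AccessControl rule: an attribute the IdP did not release (not covered by your ARP) makes every Rule on it fail.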
Please note that this page is not intended to be full documentation on how to use the SP software.
Documentation of that nature is already available at the Shibboleth2 wiki and the UF Shibboleth site.