Shibboleth and IIS Integration Tips, Tricks, Alternatives

Presentation transcript:

1 Shibboleth and IIS Integration Tips, Tricks, Alternatives
Scott Cantor, OSU / Shibboleth Consortium

2 Local Background
- Local deployment of ~200 SPs, ~300 servers
- IIS usage ~60-70%
- No special software distribution
- Tailored documentation and configuration: little use of Windows AD features/security on campus

3 SP Technical Design
- "shibd" agent runs as a Windows service
- DLL installed as an IIS ISAPI filter and extension
- Configuration is external to IIS, not within the GUI
- Not aware of .NET application boundaries/configuration
- 2.5 highly recommended due to the improved installer for upgrades/patches

4 IIS Integration Specifics
- Native ISAPI modules cannot set server variables, so attribute data is provided to the application via custom headers
- Requests to IIS sites are mapped to hostnames using <Site> elements
- Applying rules/settings to content requires a <RequestMap>

5 Mapping Examples
<ISAPI normalizeRequest="true" safeHeaderNames="true">
  <Site id="1" name="
    <Alias>example.com</Alias>
  </Site>
  <Site id=" " name="alt.example.com"/>
</ISAPI>
<RequestMapper type="Native">
  <RequestMap>
    <Host name="
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
    <Host name="example.com">
    <Host name="alt.example.com">
  </RequestMap>
</RequestMapper>
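As an added example (not part of the presentation or of the Shibboleth project's own code), the check below parses the <ISAPI> and <RequestMap> sections of a shibboleth2.xml fragment and reports the mismatches slides 4 and 5 describe: hostnames the ISAPI filter will map to a <Site> but that no <Host> rule covers, <Host> rules no <Site> or <Alias> can ever reach, hosts under which nothing requires a session, and safeHeaderNames left off. The embedded configuration is constructed for the example and assumes the SP 2.x namespace urn:mace:shibboleth:2.0:native:sp:config, but elements are matched by local name so the namespace declared in a real file does not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml fragment (not a real deployment's file).
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="1" name="www.example.com">
        <Alias>example.com</Alias>
      </Site>
      <Site id="2" name="alt.example.com"/>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="www.example.com">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="example.com"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>"""


def local(tag):
    """Strip the XML namespace so the check works whatever prefix is declared."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return a list of findings (an empty list means the mapping is consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    isapi = next((e for e in root.iter() if local(e.tag) == "ISAPI"), None)
    if isapi is None:
        return ["no <ISAPI> element: IIS sites are not mapped at all"]
    if isapi.get("safeHeaderNames", "false").lower() != "true":
        findings.append("safeHeaderNames is not enabled on <ISAPI>")
    # Every hostname the ISAPI filter recognises: each <Site name> plus its <Alias> children.
    site_names = set()
    for site in (s for s in isapi if local(s.tag) == "Site"):
        site_names.add(site.get("name", "").lower())
        site_names.update(a.text.strip().lower() for a in site
                          if local(a.tag) == "Alias" and a.text)
    hosts = {h.get("name", "").lower(): h for h in root.iter() if local(h.tag) == "Host"}
    for name in sorted(site_names - hosts.keys()):
        findings.append(f"{name}: mapped by <ISAPI> but has no <Host> in <RequestMap>")
    for name in sorted(hosts.keys() - site_names):
        findings.append(f"{name}: <Host> rule can never match (no <Site>/<Alias> for it)")
    for name, host in sorted(hosts.items()):
        # host.iter() includes the <Host> itself, so a host-level requireSession counts too.
        if not any(e.get("requireSession") == "true" for e in host.iter()):
            findings.append(f'{name}: nothing under this <Host> sets requireSession="true"')
    return findings
```

Run `audit()` over your own shibboleth2.xml; a host that legitimately serves only public content will still be listed under the last rule, which is informational rather than an error.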

6 Gotchas: File Permissions
- All accounts used by IIS processes need read access to most files in the Shibboleth installation
- Varies widely across IIS versions
- No access to the private key(s) is required
- Write access to the log directory only

7 Gotchas: IIS Inheritance
- IIS filters are configured globally or per-site; extension script mappings globally, at site level, or at directory/file level
- The installer tries to install the filter globally and the script/handler mapping at the root of each site
- Systems vary in overriding these settings at lower layers
- The GUI is buggy and does not accurately reflect when settings are overridden or missing

8 Gotchas: WOW64 AppPools
- 2.5 releases install 32-bit and 64-bit binaries, but only one can be active
- IIS AppPools on a 64-bit OS can be configured as 32-bit:
  - Choose "Run as 32-bit" during install, or
  - Run SetService32.bat after install and manually edit the IIS filter/handler mappings
- Cannot run both types of AppPool at once

9 Gotchas: Headers
- The "safeHeaderNames" option removes punctuation from attribute names to avoid a .NET API vulnerability, but it is still advisable to avoid:
  - System.Web.HttpRequest.ServerVariables
  - Request("HTTP_VARIABLE_NAME")
- Setting REMOTE_USER is not supported; the SP sets an HTTP_REMOTEUSER header instead
- Avoid it unless you need the feature that picks the first value from a set of possible attributes

10 Gotchas: Virtualization
- The client's view of scheme, hostname, and port is not the same as the server's view
- Example: https termination from the client to a load balancer, http from the LB to the server
- IIS DOES NOT SUPPORT THIS NATIVELY
- The SP compensates with settings in <Site> elements to override scheme, name, and ports; analogous to Apache ServerName and related directives

11 A bit on ADFS
- ADFSv2 integration with IIS principally relies on embedded WS-Federation token support inside the .NET application layer
- No end-to-end SAML 2 protocol options
- The application uses the .NET "claims" API to access user data from the token
- Windows account impersonation via REMOTE_USER: I think possible using sample code for the older ADFSv1 style of integration
