This document describes the procedure used to install Shibboleth Service Provider (SP) software on Windows Server and Internet Information Server (IIS), and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).
Prerequisites
The IIS website must have an appropriate SSL certificate installed and SSL enabled. Shibboleth Service Provider 3.x software supports Windows Server 2008 and later, and installers are available for both 32-bit and 64-bit systems. Shibboleth 3.x supports the versions of the IIS web server that are provided with the supported Windows versions.
Installation Steps
Install the MS Visual C++ re-distributable libraries. You need to restart the server after the installation.
These links may break at some point, but for now the 32-bit and 64-bit run times can be found at:
The top-level link to find them is https://visualstudio.microsoft.com/downloads/ via Other Tools.
Run Shibboleth SP Windows installer
2.1 Download the latest version of the Windows installer package from the Shibboleth download site at https://shibboleth.net/downloads/service-provider/latest/. Select either the win32/ or win64/ directory as appropriate to your 32-bit or 64-bit system. Then download .msi file.
2.2 Run the installer package. It is recommended that you accept all defaults, as follows:
- Accept the license agreement
- Install to
C:\opt\shibboleth-sp - This is the default location. You may change it to other location. - Make sure Configure IIS7 module is checked
- Click Next, then Install, then Finish
- Click Yes to restart your system
Verify installation
On the Administrative Tools menu, click Services. Find Shibboleth Daemon in the list and double-click it. Verify that Service Status is Running, Startup type is Automatic, and on the Log On tab, verify that Local System is selected.
Edit Configuration files
Go to your SP installation directory(
4.1 Save a copy ofC:\opt\shibboleth-spif you used the default) . All the SP configuration files are in the \etc\shibboleth directory.shibboleth2.xmltoshibboleth2.xml.origor similar. Save a copy of attribute-map.xml to attribute-map.xml.orig
4.2 Find <ISAPI...>...<Site id="1" name="sp.example.org"/>. Change the site id to match the id assigned to your site by IIS. You can find your site id in IIS Manager by clicking on "Sites".In this same location, change the name to your DNS name (e.g. myserver.mydept.washington.edu). Go ahead and put your DNS name in your paste buffer because you'll need to enter it twice more.
Verify that scheme="https" and port="443". Note that if you're using a non-standard SSL port you should use that instead of 443.
4.2 Find <RequestMap>...<Host name="sp.example.org">. Change the name to your DNS name.
4.3 Find <ApplicationDefaults entityID=" https://sp.example.org/shibboleth "...>. Replace https://sp.example.org/shibboleth with something based on your DNS name (e.g. https://myserver.mydept.washington.edu/shibboleth ).
4.4 Find <ApplicationDefaults...>...<Sessions...>...checkAddress="false" handlerSSL="false" cookieProps="http"> ...Change to checkAddress="true" handlerSSL="true" cookieProps="https">
If you are using DNS proxy, such as Amazon Route 53, you may receive a "500 - Internal server error." when testing. This is caused by the client's IP address differing from the one used to authenticate to the identity provider. The work around is to set checkAddress="false" instead of "true"; while useful for security, NAT and proxy usage (as well as IPv6 support on only either the webserver hosting the IdP or the SP) often make this setting a source of errors.
4.5 Find <ApplicationDefaults...>...<Sessions...>...<SSO entityID="https://idp.example.org/shibboleth"...>.... Change the entityID to "urn:mace:incommon:washington.edu" (just "urn:mace:incommon:washington.edu" NOT" https://urn:mace:incommon:washington.edu/shibboleth "). Remove discoveryProtocol="SAMLDS" discoveryURL =" https://ds.example.org/DS/WAYF ".
4.6 Find < Errors supportContact ="root@localhost" helpLocation ="/about.html" styleSheet ="/shibboleth-sp/main.css" /> and change the email address to your application's support email address.
4.7 Find the <MetadataProvider...>...</MetadataProvider> section and un-comment the metadata type you'll be using by removing the <!-- and --> tags that surround it.
4.8 If your SP will rely only on the UW IdP for user authentication, skip steps 4.9 and 4.10 and follow instructions at UW IdP Metadata. If your SP will rely on other IdPs from InCommon, continue on at step 4.9.
4.9 Find <MetadataProvider type="XML" url="http://federation.org/federation-metadata.xml"...>. Change the url to "http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml".
4.10 Find ...backingFilePath="federation-metadata.xml" reloadInterval="7200">. Change the backingFilePath to
="InCommon-metadata.xml".4.11 Find <MetadataProvider...><MetadataFilter type="Signature" certificate="fedsigner.pem"/>. Change the certificate to "
inc-md-cert.pem".4.12 Save shibboleth2.xml and close your editor.
4.13 Use Internet Services (IIS) Manager to restart IIS and Administrative Tools > Services to restart the Shibboleth 2 Daemon.
4.14 Restart the web server and the access the URL from the server's browser: https://<your dns name>.sso/Shibboleth.sso/Session . The web server should return a page that says:
A valid session was not found.This message demonstrates that the Shibboleth module is loaded by the webserver and is communicating with the
shibdprocess.4.15 Download your SP metadata from https://<your dns name>/Shibboleth.sso/Metadata. Depending on your OS and browser, the metadata might be displayed in the browser or you might be asked to save the file. If you save the file with a
.xmlfile extension and open the file in your browser it will be easier to read. Make sure there are no instances of sp.example.org in the URLs; any such references should have been replaced by your DNS name. The file will contain a warning about reviewing the contents of the file and not supplying it in real time–that's normal. Checking for sp.example.org counts as review, and our registry doesn't monitor the contents of that file after the initial registration (i.e. not real time).