This document describes the procedure used to install Shibboleth Service Provider (SP) software on Windows Server and Internet Information Server (IIS), and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).
Prerequisites
- Shibboleth Service Provider 3.x software supports Windows Server 2008 and later, and installers are available for both 32-bit and 64-bit systems. Shibboleth 3.x supports the versions of the IIS web server that are provided with the supported Windows versions.
- The IIS website must have an appropriate SSL certificate installed and SSL enabled. To request a SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate
- If you have any URL rewrite rules defined in IIS, make sure those rules do not apply to Shibboleth.sso path. Or you can add this rule at the top of all the other rules that will stop redirecting any request for /Shibboleth.sso
Installation
Install the MS Visual C++ re-distributable libraries. You need to restart the server after the installation.
These links may break at some point, but for now the 32-bit and 64-bit run times can be found at:
The top-level link to find them is https://visualstudio.microsoft.com/downloads/ via Other Tools.
Run Shibboleth SP Windows installer
2.1 Download the latest version of the Windows installer package from the Shibboleth download site at https://shibboleth.net/downloads/service-provider/latest/. Select either the win32/ or win64/ directory as appropriate to your 32-bit or 64-bit system. Then download .msi file.
2.2 Run the installer package. It is recommended that you accept all defaults, as follows:
- Accept the license agreement
- Install to C:\opt\shibboleth-sp ( this is the default location. You may change it to other location.)
- Make sure Configure IIS7 module is checked
- Click Next, then Install, then Finish
- Click Yes to restart your system
Verify installation
On the Administrative Tools menu, click Services. Find Shibboleth Daemon in the list and double-click it. Verify that Service Status is "Running", Startup type is "Automatic", and on the Log On tab, verify that "Local System" is selected.
Configuration
Go to your SP installation directory(C:\opt\shibboleth-sp
if you use the default) . All the SP configuration files are in the \etc\shibboleth directory.
Whenever you make changes to SP's configuration file, save the file. You can wait for the Shibboleth Daemon to pick up the changes or you can restart the Shibboleth Daemon to make the changes take effect right away.
5. Get SP metadata
Restart IIS and the Shibboleth Daemon. The Shibboleth Daemon can be restarted using the Administrative Tools > Services navigation.
Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it. Open your downloaded file with text editor. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in IIS require Shibboleth authentication and you define them in shibboleth2.xml, you need to manually add consumer service url for each site in your SP's metadata.
For example, I get my SP's metadata from https://shibtest.cit.cornell.edu/Shibboleth.sso/Metadata, in the metadata there should be a line like this:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>
I also have shibtest1.cit.cornell.edu defined in shibboleth2.xml, I need to add AssertionConsumerService url for shibtest1.cit.cornell.edu like this
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest1.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="2"/>
Save your metadata file. You'll need to submit your SP's metadata in shibboleth integration request form.
Register Service Provider with Cornell Identity Provider
If your site is configured with test IDP, you don't have to submit Shibboleth integration request form because test IDP supports anonymous SP. You can start testing the authentication of your site.
For sites configured with prod IDP, submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of request form, select 'No' for question "Has the application service provider's metadata been published with InCommon?". Use text editor open your SP's metadata, copy the content of the metadata and paste it in the request form.Once the form is submitted, Identity Management get a Remedy case. We'll configure your SP in prod IDP in 1 - 2 business day. We'll notify you when the configuration is complete.
Test SP integration with IdP
Confirm that you are able to log in with your netID and that attributes are properly released.
- Using a web browser, visit the /secure directory (or other protected location) of your SP.
- If you are prompted to log in, that means that your SP is properly integrated with Cornell IdP.
- After you log in, open a new tab of the same browser and point your web browser to https://<your dns name>/Shibboleth.sso/Session. Your browser should return a status page that show you all the attributes and values released to your SP.
Need Help?
contact idmgmt@cornell.edu