NetID Login Service - IIS7/8 Installation

Details for installing the Shibboleth SP on IIS7


NOTE: this includes all versions of IIS7 (including 7.5)

IIS7 is a rather radical rewrite and has some major differences from earlier versions. Superficially, the administration GUI is very different. Furthermore, the scripting interfaces used by the SP installer are not supported by default.

If you want the installer to configure IIS for you, you'll need to make sure the IIS6 management compatibility role services are installed first. In the server roles administration tool, IIS includes a set of role services labeled "IIS 6 Management Compatibility". Install these before performing the SP installation.

Installing Shibboleth

Download the DoIT Supported version of the .msi Shibboleth SP installer from the Shibboleth download site here:

Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. A default shibd service can also be installed, or you can install it manually using the instructions in this guide.

After rebooting, IIS should be configured for basic support (if you asked it to do so and you installed the IIS 6 compatibility services mentioned above). If you have problems, need to manually configure it, or want to verify what happened, the IIS steps are as follows:

  1. Add the filter using the Internet Services Manager console. Right click on the machine icon on the left, and select the "ISAPI Filters" feature; then, add a new filter called Shibboleth and specify the c:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll library.
  2. Map the *.sso file extension to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. This is done under "Handler Mappings" using the "Add Script Map..." action. The Executable box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but *.sso is assumed (and the dot must be included). While still in the "Add Script Map" dialog, click on "Request Restrictions." In the "Mapping" Tab, un-check the option labeled, "Invoke handler only if request is mapped to..."
  3. Add the Shibboleth ISAPI Extension to the list of permitted extensions in the list of allowed extensions. This is under "ISAPI and CGI Restrictions".
  4. Restart IIS. At this point, I don't know enough of IIS7 to know how to diagnose filter load problems.

Basic Configuration

  • IIS7 may require that you manually install the script mapping and/or the filter itself at the site level, rather than at the root of all the sites. You may also wish to do this to ensure that the filter only runs on a subset of your web sites.
  • The primary configuration file for the filter and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software). shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
  • If you are trying to use the 32-bit version with 64-bit Windows, and getting 500 errors, you may need to edit the advanced settings for the IIS application pool you're using and enable 32-bit applications in order to load the software. Conversely, using the 64-bit version if 32-bit applications are enabled will also fail.
  • You may need to add permissions to your installation directory for IIS to operate. There are a variety of possible accounts IIS may run with at different times, and failure to set permissions may result in crashes, the filter failing to load, or other odd behavior. The IIS server processes need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to \var\log\shibboleth to create the native.log file. IIS 7.x appears to rely largely on accounts that live in the "IUSRS" Windows group, so giving that group read access to the installation may be helpful or essential.
  • In order to configure Shibboleth you'll need the site identifier that IIS has assigned to your website. If you're simply using the default website this identifier is 1 (one). If you're not you can find the identifier through the IIS Manager tool by selecting the "Web Sites" folder and looking in the identifier column, on the right, that corresponds to your website.

Download Metadata Signing Certificate

Save this file in the Shibboleth installation directory (Default: C:\opt\shibboleth-sp\etc\shibboleth)

Generate Shibboleth2.xml File

After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.

Automatic Shibboleth2.xml Generator

Manual Configuration

Service Provider Activation

Once you have your SP application installed, configured, and integrated correctly you need to activate it with the NetID Login Service. The process involves either sending the Metadata file (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location ( for your application to NetID Login Service email with your preferred contact for the SP.

Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.


If you are having troubles try these resources:
Document Sourced from official Shibboleth documentation. Adapted September 27th, 2011 from:

Keywords:install shib shibboleth windows iis 7 7.5 8 netid webiso sso   Doc ID:20449
Owner:Ryan L.Group:Access Management Services
Created:2011-09-27 13:19 CDTUpdated:2017-06-19 12:40 CDT
Sites:Access Management Services, DoIT Help Desk, Middleware
Feedback:  2   0