NetID Login Service - IIS7/8 Installation
Details for installing the Shibboleth SP on IIS7
Preparation
NOTE: this includes all versions of IIS7 (including 7.5)
IIS7 is a rather radical rewrite and has some major differences from earlier versions. Superficially, the administration GUI is very different. Furthermore, the scripting interfaces used by the SP installer are not supported by default.
If you want the installer to configure IIS for you, you'll need to make sure the IIS6 management compatibility role services are installed first. In the server roles administration tool, IIS includes a set of role services labeled "IIS 6 Management Compatibility". Install these before performing the SP installation.
Download the DoIT Supported version of the .msi Shibboleth SP installer from the Shibboleth download site here:
Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. A default shibd service can also be installed, or you can install it manually using the instructions in this guide.
After rebooting, IIS should be configured for basic support (if you asked it to do so and you installed the IIS 6 compatibility services mentioned above). If you have problems, need to manually configure it, or want to verify what happened, the IIS steps are as follows:
- Add the filter using the Internet Services Manager console. Right click on the machine icon on the left, and select the "ISAPI Filters" feature; then, add a new filter called Shibboleth and specify the isapi_shib.dll library as its executable.
- Map the *.sso file extension to the ISAPI library so that virtual URLs can be specified to invoke the extension handler for each web site. This is done under "Handler Mappings" using the "Add Script Map..." action. The "Executable" box should point to isapi_shib.dll, and the "Extension" can be set to anything unlikely to conflict, but *.sso is assumed (and the dot must be included). While still in the "Add Script Map" dialog, click on "Request Restrictions." In the "Mapping" tab, un-check the option labeled "Invoke handler only if request is mapped to...".
- Add the Shibboleth ISAPI Extension to the list of permitted extensions in the list of allowed extensions. This is under "ISAPI and CGI Restrictions".
- Restart IIS. At this point, I don't know enough of IIS7 to know how to diagnose filter load problems.
- IIS7 may require that you manually install the script mapping and/or the filter itself at the site level, rather than at the root of all the sites. You may also wish to do this to ensure that the filter only runs on a subset of your web sites.
- The primary configuration file for the filter and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software). shibd creates its own log at \var\log\shibboleth\shibd.log and must itself have appropriate read and write permissions for the entire installation directory.
- If you are trying to use the 32-bit version with 64-bit Windows, and getting 500 errors, you may need to edit the advanced settings for the IIS application pool you're using and enable 32-bit applications in order to load the software. Conversely, using the 64-bit version if 32-bit applications are enabled will also fail.
- You may need to add permissions to your installation directory for IIS to operate. There are a variety of possible accounts IIS may run with at different times, and failure to set permissions may result in crashes, the filter failing to load, or other odd behavior. The IIS server processes need read access to most of the installation, with the exception of your Shibboleth private key file(s). They also need write access to \var\log\shibboleth to create the native.log file. IIS 7.x appears to rely largely on accounts that live in the "IUSRS" Windows group, so giving that group read access to the installation may be helpful or essential.
- In order to configure Shibboleth you'll need the site identifier that IIS has assigned to your website. If you're simply using the default website this identifier is 1 (one). If you're not you can find the identifier through the IIS Manager tool by selecting the "Web Sites" folder and looking in the identifier column, on the right, that corresponds to your website.
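The steps above can be scripted instead of clicked through. The following PowerShell is an added example, not part of the KB article or the Shibboleth SP installer; it uses the WebAdministration module that ships with IIS 7.x (the IIS 6 compatibility role services are still needed only by the .msi installer, not by this script). Everything path-related is an assumption you should adjust: the SP is assumed to be installed under C:\opt\shibboleth-sp (the default named later on this page), the ISAPI library is assumed to be at lib\shibboleth\isapi_shib.dll beneath it, the target site is assumed to be "Default Web Site", and the private key is assumed to be etc\shibboleth\sp-key.pem. The group granted read access is IIS_IUSRS, the built-in group the text refers to as "IUSRS". Run it from an elevated prompt.

```powershell
# Added example: configure IIS 7.x for the Shibboleth SP ISAPI filter/extension.
# All paths and names below are assumptions; adjust them to your installation.
Import-Module WebAdministration

$spRoot   = 'C:\opt\shibboleth-sp'                             # assumed install root
$isapiDll = Join-Path $spRoot 'lib\shibboleth\isapi_shib.dll'  # assumed DLL location
$logDir   = Join-Path $spRoot 'var\log\shibboleth'             # shibd.log / native.log live here
$privKey  = Join-Path $spRoot 'etc\shibboleth\sp-key.pem'      # assumed private key file name
$siteName = 'Default Web Site'                                 # assumed target site
$poolName = 'DefaultAppPool'                                   # assumed application pool
$use32Bit = $false                                             # $true if you installed the 32-bit SP
$appHost  = 'MACHINE/WEBROOT/APPHOST'

if (-not (Test-Path $isapiDll)) { throw "isapi_shib.dll not found at $isapiDll" }

# 1. ISAPI filter, registered at the server level (skip if the installer already did it).
$filter = Get-WebConfigurationProperty -PSPath $appHost `
    -Filter "system.webServer/isapiFilters/filter[@name='Shibboleth']" -Name 'path'
if (-not $filter) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/isapiFilters' `
        -Name '.' -Value @{ name = 'Shibboleth'; path = $isapiDll }
}

# 2. "ISAPI and CGI Restrictions": explicitly allow the DLL.
$allowed = Get-WebConfigurationProperty -PSPath $appHost `
    -Filter "system.webServer/security/isapiCgiRestriction/add[@path='$isapiDll']" -Name 'allowed'
if (-not $allowed) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/security/isapiCgiRestriction' `
        -Name '.' -Value @{ path = $isapiDll; allowed = 'True'; description = 'Shibboleth' }
}

# 3. Script map *.sso -> isapi_shib.dll at the site level (the page notes IIS7 may
#    require this per site). resourceType 'Unspecified' is the scripted equivalent of
#    un-checking "Invoke handler only if request is mapped to..." in the GUI, so
#    virtual URLs such as /Shibboleth.sso/Metadata reach the extension.
$sitePath = "IIS:\Sites\$siteName"
$handler = Get-WebConfigurationProperty -PSPath $sitePath `
    -Filter "system.webServer/handlers/add[@name='Shibboleth']" -Name 'path'
if (-not $handler) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/handlers' -Name '.' -Value @{
        name = 'Shibboleth'; path = '*.sso'; verb = '*'; modules = 'IsapiModule'
        scriptProcessor = $isapiDll; resourceType = 'Unspecified'
    }
}

# 4. Bitness of the pool must match the DLL, or you get 500 errors either way.
Set-ItemProperty -Path "IIS:\AppPools\$poolName" -Name enable32BitAppOnWin64 -Value $use32Bit

# 5. Permissions: read across the installation, modify on the log directory, and no
#    inherited read on the private key (only shibd needs it, not the IIS worker).
& icacls $spRoot /grant 'IIS_IUSRS:(OI)(CI)RX' /T | Out-Null
& icacls $logDir /grant 'IIS_IUSRS:(OI)(CI)M' | Out-Null
if (Test-Path $privKey) {
    & icacls $privKey /inheritance:d | Out-Null          # stop inheriting the RX grant
    & icacls $privKey /remove:g 'IIS_IUSRS' | Out-Null   # then drop the IIS group's entry
}

# 6. The site identifier needed for shibboleth2.xml (1 for the default web site).
$siteId = (Get-Website -Name $siteName).Id
Write-Host "Site '$siteName' has IIS identifier $siteId; use it in shibboleth2.xml."

# 7. Restart IIS so the filter is loaded; a filter load failure is recorded in the
#    Application event log, which is the first place to look if requests start failing.
& iisreset | Out-Null
Write-Host 'IIS restarted. Check the Application event log and native.log if the filter does not load.'
```

After running it, confirm the filter is active by requesting https://yourhost/Shibboleth.sso/Metadata on the site; if IIS serves a 404 or the raw file handler instead of metadata, the script map or its resourceType setting did not take effect at the level the site is using.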
Download Metadata Signing Certificate
Save this file in the Shibboleth installation directory (Default: C:\opt\shibboleth-sp\etc\shibboleth)
UW-Madison and UW-Madison Federation (e.g. PubCookie replacement)
- Production: https://login.wisc.edu/metadata/login.wisc.edu-signing.pem
- QA: https://loginqa.wisc.edu/metadata/loginqa.wisc.edu-signing.pem
- Test ("ITE"): https://logintest.wisc.edu/metadata/logintest.wisc.edu-signing.pem
Wisconsin Federation (e.g. approved IAA request)
- Download the Signing Certificate
- Or copy and paste this address into your address bar: https://wayf.wisconsin.edu/metadata/wayf.wisconsin.edu-signing.pem
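Because this certificate is what the SP will trust to verify the login service's metadata, it is worth fetching it to the right directory and inspecting it in one step rather than saving it through a browser. The PowerShell below is an added example, not part of the KB article; it assumes the production URL listed above, the default C:\opt\shibboleth-sp\etc\shibboleth directory from this page, and PowerShell 3.0 or later for Invoke-WebRequest. The thumbprint it prints is meant to be compared against the value you obtain from the NetID Login Service out of band; no fingerprint is published on this page, so none is hard-coded here.

```powershell
# Added example: download a metadata signing certificate over TLS and inspect it.
# URL and destination directory are assumptions taken from the defaults on this page.
$certUrl = 'https://login.wisc.edu/metadata/login.wisc.edu-signing.pem'
$destDir = 'C:\opt\shibboleth-sp\etc\shibboleth'
$dest    = Join-Path $destDir (Split-Path $certUrl -Leaf)

if (-not (Test-Path $destDir)) { throw "SP config directory not found: $destDir" }

# Invoke-WebRequest validates the server's TLS certificate by default; do not
# disable that, since this download is the trust anchor for metadata verification.
Invoke-WebRequest -Uri $certUrl -OutFile $dest

# The X509Certificate2 constructor accepts a base64 (PEM) encoded certificate file.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $dest

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Signing certificate at $dest expired on $($cert.NotAfter)"
}

# Print what an administrator should confirm against the published value before
# referencing this file from shibboleth2.xml.
[pscustomobject]@{
    File       = $dest
    Subject    = $cert.Subject
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint   # SHA-1 thumbprint, compare out of band
}
```

Swap the URL for the QA, test or Wisconsin Federation address as needed; the rest of the script is the same for each.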
Generate Shibboleth2.xml File
After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.
Automatic Shibboleth2.xml Generator
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
- NetID Login Service - Manual Configuration (General)
- NetID Login Service - Manual Configuration (Advanced)
Service Provider Activation
Once you have your SP application installed, configured, and integrated correctly, you need to activate it with the NetID Login Service. To do so, send either the Metadata file itself (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location (https://domain.wisc.edu/Shibboleth.sso/Metadata) for your application to the NetID Login Service by email, along with your preferred contact for the SP.
Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.