
NetBadge at UVa

Editing the shibboleth2.xml Configuration File

Configure Shibboleth for IIS Versions 7 & 8

This page is intended to help Windows system administrators configure Shibboleth for IIS versions 7 and 8. (Learn more about NetBadge and Shibboleth.)

Before proceeding save a copy of C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml to shibboleth2.xml.orig or a similar name and then open shibboleth2.xml in a text editor.

  1. Find <ISAPI...>...<Site id="1" name="sp.example.org"/>. Change the site id to match the id assigned to your site by IIS. The site id will be 1 for the default website. You can find your site id in Internet Information Services (IIS) Manager by clicking on Web Sites (IIS 6) or Sites (IIS 7.x).
    In this same location, change the name to your DNS name (e.g. myserver.mydept.washington.edu). Go ahead and put your DNS name in your paste buffer because you'll need to enter it twice more.
    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <!--
            Maps IIS Instance ID values to the host scheme/name/port. The name is
            required so that the proper <Host> in the request map above is found
            without having to cover every possible DNS/IP combination the user might
            enter.
            -->
            <Site id="1" name="myserver.eservices.virginia.edu" scheme="https" port="443"/>
            <!--
            When the port and scheme are omitted, the HTTP request's port and scheme
            are used. If these are wrong because of virtualization, they can
            be explicitly set here to ensure proper redirect generation.
            -->
            <!--
            <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
            -->
        </ISAPI>
    </InProcess>
    
  2. Find <RequestMap>...<Host name="sp.example.org">. Change the name to your DNS name.
    <RequestMapper type="Native">
        <RequestMap>
            <!--
            The example requires a session for documents in /secure on the
            containing host with http and https on the default ports. Note
            that the name and port in the <Host> elements MUST match
            Apache's ServerName and Port directives or the IIS Site name
            in the <ISAPI> element above.
            -->
            <Host name="myserver.eservices.virginia.edu">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
                <Path name="secure2" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Example of a second vhost mapped to a different applicationId. -->
            <!--
            <Host name="admin.example.org" applicationId="admin"
            authType="shibboleth" requireSession="true"/>
            -->
        </RequestMap>
    </RequestMapper>
    
  3. Find <ApplicationDefaults entityID="https://sp.example.org/shibboleth"...>. Replace sp.example.org with your DNS name (e.g., https://myserver.mydept.virginia.edu/shibboleth).
    <ApplicationDefaults entityID="https://myserver.eservices.virginia.edu/shibboleth"
                         REMOTE_USER="samAccountName uid eppn persistent-id targeted-id">
    
  4. Find <ApplicationDefaults...>...<Sessions...>...<SSO entityID="https://idp.example.org/shibboleth"...>. We will first test your configuration with the test IDP, so change the entityID to https://shibidp-test.its.virginia.edu/idp/shibboleth. Remove discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF".
    <SSO entityID="https://shibidp-test.its.virginia.edu/idp/shibboleth">
        SAML2 SAML1
    </SSO>
    
    Later on, after we verify the test configuration, you will need to change the entityID to the production value which is urn:mace:incommon:virginia.edu.
    <SSO entityID="urn:mace:incommon:virginia.edu">
        SAML2 SAML1
    </SSO>
    
  5. Find <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css" /> and change the email address to your application's support email address.
    <Errors supportContact="4HELP@virginia.edu"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
    
  6. Download the IDP metadata file from https://shibidp.its.virginia.edu/shibboleth/uva-idp-metadata.xml. Save this file as UVAmetadata.xml in the same folder as shibboleth2.xml.
  7. Find the <MetadataProvider type="XML" file=... /> line and uncomment it by removing the <!-- and --> tags that surround it.
  8. Replace file="partner-metadata.xml" with file="UVAmetadata.xml".
    <MetadataProvider type="XML" file="UVAmetadata.xml"/>
    
  9. Save shibboleth2.xml and close your editor.
  10. Locate the attribute-map.xml file and add the following line inside the <Attributes> element, just before the closing </Attributes> tag.
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    
  11. Use Internet Information Services (IIS) Manager to restart IIS, and Administrative Tools > Services to restart the Shibboleth 2 Daemon.
  12. Using a browser on the server, reload the status handler page at https://localhost/Shibboleth.sso/Status. Several lines down from the top you should see the updated value for your entity ID that you configured in step 3. You may need to refresh your browser to see the updated information.
  13. Download your SP metadata from https://<your-dns-name>/Shibboleth.sso/Metadata. Depending on your OS and browser, the metadata might be displayed in the browser or you might be asked to save the file. If you save the file with a .xml file extension and open the file in your browser it will be easier to read. Make sure there are no instances of sp.example.org in the URLs; any such references should have been replaced by your DNS name. Once everything is correct, ITS will download your SP metadata from https://Your-Virtual-Host-Name/Shibboleth.sso/Metadata.
    NOTE: Sometimes the installer will not create the sp-cert.pem and sp-key.pem files correctly. If you discover these files to be incorrect or non-existent, run the keygen.bat file located in C:\opt\shibboleth-sp\etc\shibboleth.
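The following script is an added example, not part of this page or of the Shibboleth SP distribution. It re-checks an edited shibboleth2.xml and attribute-map.xml against steps 1 through 8, 10 and 13 above before you restart IIS: the site id and <Host> carry your DNS name, the SP entityID is derived from it, <SSO> names the test IdP (or the production entityID once you pass production=True) with the discovery attributes removed, the support contact is no longer root@localhost, the UVAmetadata.xml provider is active, and no sp.example.org placeholder survives. The element names, namespaces and sample XML are constructed to match the snippets on this page; the function and constant names (check_shibboleth2, check_attribute_map, DNS, SAMPLE_OK) are this example's own, and the sample files are trimmed stand-ins, not the full stock configuration.

```python
"""Checklist verifier for an edited shibboleth2.xml and attribute-map.xml.
Added example, not part of this page or the Shibboleth SP distribution. Tags are
matched by local name, so the files' namespaces do not matter. The parser drops XML
comments, so a <MetadataProvider> still commented out (step 7) is simply absent."""
import xml.etree.ElementTree as ET

TEST_IDP = "https://shibidp-test.its.virginia.edu/idp/shibboleth"  # step 4, testing
PROD_IDP = "urn:mace:incommon:virginia.edu"                         # step 4, production
UID_OID = "urn:oid:0.9.2342.19200300.100.1.1"                       # step 10


def _local(tag):
    # ElementTree renders namespaced tags as "{uri}Name"; keep only "Name".
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def check_shibboleth2(xml_text, dns_name, site_id="1", production=False):
    """Return a list of findings; empty means steps 1-8 and 13 are satisfied."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 1: the IIS site id must map to the server's DNS name.
    sites = {s.get("id"): s.get("name") for s in _elements(root, "Site")}
    if sites.get(site_id) != dns_name:
        findings.append(f'step 1: no <Site id="{site_id}" name="{dns_name}">')
    # Step 2: the RequestMap must carry a <Host> with the same name.
    if dns_name not in {h.get("name") for h in _elements(root, "Host")}:
        findings.append(f'step 2: no <Host name="{dns_name}"> in the RequestMap')
    # Step 3: the SP entityID is derived from the DNS name.
    expected_sp = f"https://{dns_name}/shibboleth"
    for app in _elements(root, "ApplicationDefaults"):
        if app.get("entityID") != expected_sp:
            findings.append(f"step 3: ApplicationDefaults entityID is {app.get('entityID')!r}")
    # Step 4: SSO names the test IdP (production after verification) and the
    # discovery-service attributes are gone.
    want_idp = PROD_IDP if production else TEST_IDP
    for sso in _elements(root, "SSO"):
        if sso.get("entityID") != want_idp:
            findings.append(f"step 4: SSO entityID is {sso.get('entityID')!r}, expected {want_idp!r}")
        for attr in ("discoveryProtocol", "discoveryURL"):
            if attr in sso.attrib:
                findings.append(f"step 4: remove {attr} from <SSO>")
    # Step 5: the error pages must not advertise the stock contact address.
    for err in _elements(root, "Errors"):
        if err.get("supportContact") in (None, "root@localhost"):
            findings.append("step 5: Errors supportContact is not your support address")
    # Steps 6-8: an active (uncommented) XML MetadataProvider loading UVAmetadata.xml.
    if not any(m.get("type") == "XML" and m.get("file") == "UVAmetadata.xml"
               for m in _elements(root, "MetadataProvider")):
        findings.append('steps 6-8: no active <MetadataProvider type="XML" file="UVAmetadata.xml"/>')
    # Step 13: no sp.example.org left in any live (non-comment) attribute value.
    for el in root.iter():
        if any("sp.example.org" in v for v in el.attrib.values()):
            findings.append(f"step 13: sp.example.org still present in <{_local(el.tag)}>")
    return findings


def check_attribute_map(xml_text):
    """Step 10: True when attribute-map.xml maps the uid OID to id="uid"."""
    root = ET.fromstring(xml_text)
    return any(a.get("name") == UID_OID and a.get("id") == "uid"
               for a in _elements(root, "Attribute"))


# Constructed sample: a trimmed shibboleth2.xml after steps 1-8, still on the test IdP.
DNS = "myserver.eservices.virginia.edu"
SAMPLE_OK = f"""<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess><ISAPI><Site id="1" name="{DNS}" scheme="https" port="443"/></ISAPI></InProcess>
  <RequestMapper type="Native"><RequestMap>
    <Host name="{DNS}"><Path name="secure" authType="shibboleth" requireSession="true"/></Host>
  </RequestMap></RequestMapper>
  <ApplicationDefaults entityID="https://{DNS}/shibboleth">
    <Sessions><SSO entityID="{TEST_IDP}">SAML2 SAML1</SSO></Sessions>
    <Errors supportContact="4HELP@virginia.edu" helpLocation="/about.html"/>
    <!-- <MetadataProvider type="XML" file="partner-metadata.xml"/> -->
    <MetadataProvider type="XML" file="UVAmetadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""
# The same file with the stock placeholders put back, i.e. before any editing.
SAMPLE_UNEDITED = (SAMPLE_OK.replace(DNS, "sp.example.org")
                   .replace(f'entityID="{TEST_IDP}"', 'entityID="https://idp.example.org/shibboleth" '
                            'discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"')
                   .replace("4HELP@virginia.edu", "root@localhost")
                   .replace('<MetadataProvider type="XML" file="UVAmetadata.xml"/>', ""))
# Constructed attribute-map.xml with the line from step 10 appended.
SAMPLE_ATTRIBUTE_MAP = f"""<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="{UID_OID}" id="uid"/>
</Attributes>"""

if __name__ == "__main__":
    print(check_shibboleth2(SAMPLE_OK, DNS) or "edited sample: all checks passed")
    print(*check_shibboleth2(SAMPLE_UNEDITED, DNS), sep="\n")
    print("uid mapping present:", check_attribute_map(SAMPLE_ATTRIBUTE_MAP))
```

To run it against your real files, read C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml and attribute-map.xml into strings and pass them in place of the samples, with your own DNS name and IIS site id. Because the parser discards comments, a provider that is still inside <!-- --> is reported as missing, which is exactly the step 7 mistake the page warns about; the step 13 check looks only at live attribute values, so the commented-out example hosts the stock file ships with do not trigger it.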

  Page Updated: Thursday 2018-01-11 12:03:33 EST