Penn Computing

Shibboleth Installation Guide for IIS 6 on Windows Server 2003

This document explains how to install the Shibboleth Service Provider (SP) on Windows Server 2003 using Internet Information Services (IIS) 6. When you have completed this guide you will have a working Shibboleth installation, ready to be configured to federate with an IdP. Refer to the screenshot accompanying each step if you need further clarification. This guide assumes that IIS has already been installed; if it has not, see the Microsoft documentation here: http://technet.microsoft.com/en-us/library/aa998483(EXCHG.65).aspx.

Installation

  1. Download the appropriate MSI installer for your version of Windows (either 32-bit or 64-bit) from the following web site: http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest
  2. Open the installer. You will be greeted with the screen below. Close any other open programs and click the Next button.
    (Screenshot: Welcome Screen)
  3. Read the license agreement and select the top radio button to accept it. Click Next.
    (Screenshot: License Agreement)
  4. Read over the readme displayed on the screen shown below, then click Next to continue the installation.
    (Screenshot: Readme Information)
  5. Choose a destination folder for Shibboleth by clicking the Browse button, or accept the default location. The path itself does not matter, but if you change it, make sure that no folder in the path has a space in its name; a path containing spaces will stop Shibboleth from working properly. Click Next to continue.
    (Screenshot: Destination Folder Page)
  6. Enter the port number that you want the Shibboleth daemon (shibd) to listen on, or leave it at the default of 1600. Leave the checkbox checked and click Next to continue.
    (Screenshot: Shibd Service Page)
  7. Change the extension associated with Shibboleth if you wish, and leave the checkbox checked to auto-configure IIS to use Shibboleth. Click Next to continue.
    (Screenshot: Install ISAPI Filter Page)
  8. If you need to change anything you just configured, now is the time to go back and change it. Click the Next button to proceed with the installation.
    (Screenshot: Ready to Install Page)
  9. After the progress bar fills, you will be presented with this screen. Your Shibboleth installation was successful. Click the Finish button to exit the installer.
    (Screenshot: Success Page)
  10. The system will need to be restarted for Shibboleth to function properly. Click the Yes button to restart the server if you wish, or click No to manually restart at a later time.
    (Screenshot: Restart Confirmation Box)

Additional Notes:

  • The Shibboleth installer registers the ISAPI filter globally for all sites. IIS may require you to install the filter manually at the individual site level instead, and you may also prefer per-site installation to limit which IIS sites use Shibboleth.
  • You may need to grant additional permissions on the Shibboleth installation directory. Crashes, the filter failing to load, or other odd behaviour can be symptoms of missing permissions.
  • For additional information, see: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWindowsIIS6Installer

Configuration

Configuring Shibboleth for Penn's IdP/InCommon

  1. Request the configuration bundle from weblogin-help@isc.upenn.edu, providing them with your SP’s hostname.
  2. Download the configuration bundle once it is prepared for you.
  3. Unzip the configuration bundle to your Shibboleth installation’s etc/shibboleth directory, overwriting any files as necessary. If you accepted the default installation path, it will be C:\opt\shibboleth\etc\shibboleth.
  4. Copy and rename idp.pennkey.upenn.edu-metadata.xml to metadata.xml.
  5. Stop the website from the IIS Manager.
  6. Stop the Shibboleth 2 Daemon from Services, under Administrative Tools on the Start menu.
  7. Stop the IIS Admin Manager from Services.
  8. Start the IIS Admin Manager.
  9. Start the Shibboleth 2 Daemon.
  10. Start the website.
  11. Shibboleth is now configured to federate with the Penn IdP.

Configuring SSL

Prerequisite:

A valid signed certificate for use with IIS (.pfx format). If you do not have a signed certificate, you may generate a self-signed certificate (for testing purposes only) using either OpenSSL or Microsoft’s Certificate Authority application. You may also request a certificate from a Certificate Authority (for production systems).

  1. Open the IIS Manager via the Start menu under Administrative Tools.
  2. Expand the tree on the left side of the IIS manager by clicking on the server’s name -> Web Sites -> Default Web Site.
  3. Right click on Default Web Site and select Properties.
  4. Navigate to the Directory Security tab.
  5. Click the Server Certificate button.
  6. Click Next in the wizard and select the Import from pfx option.
  7. Browse to and select your pfx file.
  8. Click Next to confirm the SSL port as 443.
  9. Review the details of your certificate and click Next to continue.
  10. Click Finish to complete the addition of SSL.
  11. Click the OK button on the properties window to accept changes.

Redirecting to a Secure Connection

  1. Create a file named HttpRedirect.htm (or a similarly descriptive name of your choosing) in the C:/Inetpub folder containing the following:

    <!-- beginning of HttpRedirect.htm file -->
    <HTML>
    <HEAD>
    <!-- Send the browser on to the HTTPS address of the application after 0 seconds -->
    <META HTTP-EQUIV="refresh" content="0;URL=https://server.name/path.to.application">
    </HEAD>
    </HTML>
    <!-- end of HttpRedirect.htm file -->

    Use straight double quotes (") around the attribute values; word-processor style curly quotes are not valid HTML and the redirect will not work. When a client requests the site over plain HTTP, IIS returns its 403.4 (SSL required) error; serving this file as that error page sends the browser on to the HTTPS page of your choosing (in this case, the application you need to federate with Penn) instead of displaying the error. This can be set on a per-site basis.
  2. Expand the tree on the left side of the IIS manager by clicking on the server’s name -> Web Sites -> Default Web Site.
  3. Right click on Default Web Site and select Properties.
  4. Navigate to the Directory Security tab.
  5. Click the Edit button under the Secure communications section.
  6. Check the box marked Require secure channel (SSL) and click OK.
  7. Navigate to the Custom Errors tab.
  8. Edit the entry for HTTP Error 403;4.
  9. Set Message type to File.
  10. Set the file that will be used for the error to the HttpRedirect.htm file you created in Step 1.
  11. Click the OK button in both this window and the properties window to accept the changes.
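As an added check that is not part of the original guide, the following Python script lints an HttpRedirect.htm file before you point the 403.4 custom error at it: it confirms there is exactly one meta refresh tag with a zero-second delay and an https:// target on the expected SP hostname. The hostname sp.example.edu and the three sample pages are constructed; the curly-quoted sample shows why word-processor quotes silently break the redirect.

```python
"""Lint an IIS 403.4 redirect page such as HttpRedirect.htm (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefreshFinder(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.refresh_values = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            self.refresh_values.append(a.get("content", ""))


def check_redirect_page(html_text, expected_host):
    """Return a list of problems; an empty list means the page is acceptable."""
    finder = _RefreshFinder()
    finder.feed(html_text)
    problems = []
    if len(finder.refresh_values) != 1:
        # Word-style curly quotes become part of the attribute value, so the
        # parser, like a browser, never sees http-equiv="refresh" at all.
        problems.append("found %d refresh tags, expected 1" % len(finder.refresh_values))
        return problems
    delay, sep, target = finder.refresh_values[0].partition(";")
    if not sep or not delay.strip().isdigit() or int(delay) != 0:
        problems.append("refresh delay must be 0 seconds: %r" % delay)
    target = target.strip()
    if target[:4].lower() == "url=":
        target = target[4:].strip().strip("'\"")
    url = urlparse(target)
    if url.scheme.lower() != "https":
        problems.append("redirect target is not https: %r" % target)
    if url.hostname != expected_host.lower():
        problems.append("target host %r is not the SP host %r" % (url.hostname, expected_host))
    return problems


# Constructed sample pages; sp.example.edu stands in for the real SP hostname.
GOOD_PAGE = ('<HEAD>\n<META HTTP-EQUIV="refresh" '
             'content="0;URL=https://sp.example.edu/secure/app">\n</HEAD>')
CURLY_PAGE = ('<HEAD>\n<META HTTP-EQUIV=”refresh” '
              'content=”0;URL=https://sp.example.edu/secure/app”>\n</HEAD>')
HTTP_PAGE = '<META HTTP-EQUIV="refresh" content="0;URL=http://sp.example.edu/app">'
```

Run check_redirect_page(open("C:/Inetpub/HttpRedirect.htm").read(), "your.sp.hostname") against the real file; an empty list means the page is safe to use as the 403.4 error page.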

Information Systems and Computing
University of Pennsylvania