Penn Computing


Shibboleth Installation Guide for IIS 7 on Windows Server 2008

The purpose of this document is to instruct you on how to install Shibboleth on Windows using Internet Information Services (IIS) 7. Upon completion of this guide, you will have a functional installation of Shibboleth ready to be configured to federate with an IdP. Refer to the screenshots accompanying a step for any further clarification you may need. This guide assumes that IIS has already been installed. If it has not, see the Microsoft documentation here: http://technet.microsoft.com/en-us/library/cc771209(WS.10).aspx.

Installation

  1. Ensure that you have the IIS 6 compatibility feature installed for IIS 7. It can be found by opening the Server Manager (available from the taskbar by default) and selecting Roles from the left pane. If IIS 6 Management Compatibility is not yet installed, select Add Role Services and follow the wizard instructions.
  2. Download the appropriate MSI installer for your version of Windows (either 32-bit or 64-bit) from the following web site: http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest
  3. Open the installer. You will be greeted with the screen below. Close any other open programs and click the Next button.
    Welcome Screen
  4. Read the license agreement and select the top radio button to accept it. Click Next.
    License Agreement
  5. Read over the readme displayed on the screen shown below, then click Next to continue the installation.
    Readme Information
  6. Choose a destination folder for Shibboleth by clicking the Browse button, or accept the default location. The actual path is irrelevant, but if you choose to change the location, be sure that no folder in the destination path has a space in its name, as this will cause Shibboleth to not function properly. Click Next to continue.
    Destination Folder Page
  7. Enter the port number that you wish Shibboleth to operate on, or leave it at the default of 1600. Leave the checkbox checked and click Next to continue.
    Shibd Service Page
  8. Change the extension associated with Shibboleth if you wish, and leave the checkbox checked to auto-configure IIS to use Shibboleth. Click Next to continue.
    Install ISAPI Filter Page
  9. If you need to change anything you just configured, now is the time to go back and change it. Click the Next button to proceed with the installation.
    Ready to Install Page
  10. After the progress bar fills, you will be presented with this screen. Your Shibboleth installation was successful. Click the Finish button to exit the installer.
    Success Page
  11. The system will need to be restarted for Shibboleth to function properly. Click the Yes button to restart the server if you wish, or click No to manually restart at a later time.
    Restart Confirmation Box

Additional Notes:

  • IIS may require that you manually install the filter at the individual site level rather than globally for all sites, which is how the Shibboleth installer configures it. You may also wish to do this to limit which IIS sites use Shibboleth.
  • You may need to add permissions to the Shibboleth installation directory. If you experience crashes, the filter failing to load, or other strange issues, this may be the cause.
  • If you are in need of additional information, reference this page: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWindowsIIS7Installer

Configuration

Configuring Shibboleth for Penn's IdP/InCommon

  1. Request the configuration bundle from weblogin-help@isc.upenn.edu, providing them with your SP’s hostname.
  2. Download the configuration bundle once it is prepared for you.
  3. Unzip the configuration bundle to your Shibboleth installation’s etc/shibboleth directory, overwriting any files as necessary. If you accepted the default installation path, it will be C:\opt\shibboleth\etc\shibboleth.
  4. Copy and rename idp.pennkey.upenn.edu-metadata.xml to metadata.xml.
  5. Stop the website from the IIS Manager.
  6. Stop the Shibboleth 2 Daemon from Services, under Administrative Tools on the Start menu.
  7. Stop the IIS Admin Manager from Services.
  8. Start the IIS Admin Manager.
  9. Start the Shibboleth 2 Daemon.
  10. Start the website.
  11. Shibboleth is now configured to federate with the Penn IdP.

Configuring SSL

Prerequisite:

A valid signed certificate for use with IIS (.pfx format). If you do not have a signed certificate, you may generate a self-signed certificate (for testing purposes only) using either OpenSSL or Microsoft’s Certificate Authority application. You may also request a certificate from a Certificate Authority (for production systems).

  1. Open the IIS Manager from the Administrative Tools menu on the Start menu.
  2. Click on the server’s name on the tree in the Connection pane of the IIS manager.
  3. Open the Server Certificates feature under the IIS heading.
  4. Select the Import option from the Actions pane.
  5. Follow the wizard to import your certificate, inputting the required information.
  6. Expand the tree in the Connections pane of the IIS manager by clicking on the server’s name -> Sites -> Default Web Site.
  7. Click the Bindings option in the Actions pane.
  8. Click Add in the window that appears.
  9. Select https as the Type, select the imported certificate for the SSL Certificate and click OK.

Redirecting to a Secure Connection

  1. Download and install the Microsoft URL Rewrite Extension for IIS from this link: http://www.iis.net/download/urlrewrite.
  2. Reopen the IIS Manager.
  3. Expand the tree in the Connections pane of the IIS manager by clicking on the server’s name -> Sites -> Default Web Site.
  4. Open the URL Rewrite feature under the IIS heading.
  5. Click Add Rule(s) in the Actions pane and select Blank Rule from the box that appears.
  6. In the Match URL box, set Requested URL to Matches the Pattern, Using to Regular Expressions, and Pattern to “(.*)” without the quotes. Set Ignore Case to unchecked.
  7. In the Conditions box, set Logical Grouping to Match All, and click Add.
  8. Set Condition input to “{HTTPS}” (without quotes), Check if input string to Matches the Pattern, and Pattern to “off” (without quotes). Uncheck Ignore case and click OK.
  9. In the Action box, set Action type to Redirect, Redirect URL to “https://{HTTP_HOST}{URL}” without quotes, and Redirect type to Found (302). Check Append query string.
  10. Click Apply in the Actions pane to confirm changes.
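
The rule created in steps 5 through 10 is written to the site's web.config. The equivalent configuration is shown here as an added example that is not part of the original guide; the rule name "Redirect to HTTPS" is a placeholder chosen for this example, and the rest mirrors the values entered above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is a placeholder for this example; the guide does not specify one. -->
        <rule name="Redirect to HTTPS">
          <!-- Step 6: match every requested URL, case-sensitively.
               Regular expressions are the default pattern syntax. -->
          <match url="(.*)" ignoreCase="false" />
          <!-- Steps 7-8: apply only when the request arrived without SSL/TLS. -->
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="off" ignoreCase="false" />
          </conditions>
          <!-- Step 9: 302 redirect to the same host and path over https,
               with the original query string appended. -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}{URL}"
                  redirectType="Found"
                  appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying the rule, a plain http:// request to the site should return a 302 response whose Location header begins with https://. Comparing the site's web.config against this fragment is a quick way to confirm that the GUI settings were saved as intended.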


Information Systems and Computing
University of Pennsylvania