
shibboleth-dev - RE: Shib 1.0.1 RC for Windows (from Aboo @ EBSCO)

Subject: Shibboleth Developers

  • From:
  • To: "'Shib Design Team'" <>
  • Subject: RE: Shib 1.0.1 RC for Windows (from Aboo @ EBSCO)
  • Date: Mon, 21 Jul 2003 16:09:15 -0400

I understand that we will have to obtain a digital certificate when we
deploy shibboleth in production. Meanwhile, can I use the earlier test
certificate you provided for testing?

I had added the isapi sections as you documented.

My mustContain settings are /secure;/protected. I just kept it the same as you
provided for testing.

Here is the extract from the .ini file.

[isapi]
# When using the ISAPI filter version, map IIS Instance IDs to server names.
#
1=delta.epnet.com

[policies]
# This is a sample policy URI used by the InCommon pilot origins.
# You can filter incoming users at a high level by listing the policies to allow.
InQueue=urn:mace:inqueue

[delta.epnet.com]
#normalizeRequest = true
#checkIPAddress = false
#contentSSLOnly = false
#authLifetime = 7200
#authTimeout = 3600
exportAssertion = true
# For IIS, determine what content to protect by specifying strings
# to match against the request path. Separate matches with semicolons.
mustContain = /secure/;/protected/
# list of attributes to request for server "my.server.name"
# requests everything if this doesn't exist or is empty
#requestAttributes =


I had also tried by uncommenting checkIPAddress and contentSSLOnly settings.
Please let me know if there is some debugging I can turn on to see what is
happening.


Thanks.


-----Original Message-----
From: Scott Cantor
Sent: Monday, July 21, 2003 3:24 PM
To: 'Aboobacker Thanikkal'
Cc: 'Shib Design Team'; 'Oliver Pesch'
Subject: RE: Shib 1.0.1 RC for Windows


> I just installed the shib-target 1.0.1 for IIS and
> configured the ISAPI filter and started the shar in the
> console mode. As I noticed that you have not included the
> sample certificate files mentioned in the shibboleth.ini
> file, I copied those files from my old alpha installation. Is it OK?

We can't include keys for your server, needless to say. That's site
specific.

> When I tried to access a protected page (/secure/xxx), the
> page is shown without any authentication.

What are your mustContain settings? It should protect everything if you
don't set anything for that. You do need to at least create the [isapi]
section and map the INSTANCE ID (1) to the site's hostname, at the very
least. Without that, it will flat out skip the site. I need to document that
more precisely.

> Do I have to do anything else? Do I need to create any
> /shibboleth virtual directory as we used to do in the alpha version?

No.

-- Scott
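
The behaviour described in this thread (an instance with no [isapi] mapping is skipped, an unset mustContain protects everything, otherwise the mustContain strings are matched against the request path) can be checked offline against a shibboleth.ini extract. The Python script below is an added example, not code from the Shibboleth project or from either poster; the function names, the constructed sample config and the case-sensitive substring comparison are assumptions.

```python
import configparser

# Constructed sample, modelled on the extract quoted in this thread.
SAMPLE_INI = """
[isapi]
1=delta.epnet.com

[delta.epnet.com]
exportAssertion = true
mustContain = /secure/;/protected/
"""


def load(text):
    """Parse shibboleth.ini text, keeping option names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # default would lowercase mustContain
    cp.read_string(text)
    return cp


def decision(cp, instance_id, path):
    """Return (protected, reason) for a request path on an IIS instance."""
    key = str(instance_id)
    # Per the thread: without an [isapi] mapping the filter skips the site.
    if not cp.has_section("isapi") or not cp.has_option("isapi", key):
        return False, "instance %s not mapped in [isapi]; site skipped" % key
    host = cp.get("isapi", key).strip()
    # Per the thread: nothing set for mustContain means protect everything.
    # Assumption: a missing [host] section is treated the same way.
    raw = cp.get(host, "mustContain", fallback="")
    patterns = [p.strip() for p in raw.split(";") if p.strip()]
    if not patterns:
        return True, "no mustContain for %s; all content protected" % host
    for p in patterns:
        if p in path:  # assumption: plain, case-sensitive substring match
            return True, "path contains %r" % p
    return False, "path matches none of %r" % patterns


if __name__ == "__main__":
    cfg = load(SAMPLE_INI)
    for iid, url in [(1, "/secure/xxx"), (1, "/index.html"), (2, "/secure/xxx")]:
        print(iid, url, decision(cfg, iid, url))
```
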
