shibboleth-dev - RE: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?


RE: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?


  • From: Peter Williams <>
  • To: <>
  • Subject: RE: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?
  • Date: Tue, 15 Apr 2008 17:30:19 -0700

Using the ISAPI filter in IIS7, I've made some progress with Shib2. The general scenario described below is merely attempting to do what I do regularly with our own (non-Shib) SAML2 server install.

1. On a win2008 host, local IE7 is talking to the local IIS7. The hosts file has localhost and sp.example.com domain names mapped to the loopback adaptor. The computer name is win8pw.rapattoni.local, and the machine is a win2008 domain controller, running its own DNS instance. It's connected to the world through NAT. The browser connects to IIS through a wininet-level spying proxy.

2. One IIS7 website exists, #1, whose port80 identity is bound to the host-header win8pw.rapattoni.local. The 443 port is bound to a self-signed SSL server cert, with the win8pw.rapattoni.local CN.

3. TestShib2IDP is configured with my SP site's certificate, and has issued test SP metadata for sp.example.com.

 - if the IIS website were to be bound to the name sp.example.com, the browser would access secured resources WITHOUT first getting a Shib Session. This proves nothing valuable, even if it's correct behaviour for Shib (the browser being on the IIS7 machine??). If the name is as given above, I can at least get SP-initiated websso to occur on browsing to http://win8pw.rapattoni.local/secure2

Using trial and error (and error and error) and trying all sorts of variants of settings, I settled on the following configuration. However, accessing /secure2 causes a flow loop. SP->IDP->SP flow occurs successfully (according to logs) and a session is issued in each round with redirect to the correct TargetResource. However, its access controls cause the system to loop through another SP->IDP->SP flow. The relayState is properly roundtripped as http://win8pw.rapattoni.local/secure2.

  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true">
      <!-- Maps IIS Instance ID values to the host name. -->
      <Site id="1" name="sp.example.org">
        <Alias>win8pw.rapattoni.local</Alias>
      </Site>
    </ISAPI>
  </InProcess>

  <!-- The RequestMap defines portions of the webspace to protect; sp.example.org/secure here. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="win8pw.rapattoni.local">
        <Path name="secure2" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>

In an early variant of this configuration (where the 2nd HostName element was missing) there was no loop. A session was issued according to logs, but the relayState was roundtripped as http://sp.example.org/secure2 (rather than the requested http://win8pw.rapattoni.local.secure2/). Upon being issued a session, IIS itself would not grant the final SP redirect access to this ultimately misnamed resource (properly). It's not known whether other IIS7 might facilitate access, or whether that might cause looping.

That's as good as I can get it all to work, for now.

Compared to 3 weeks ago, at least there is a complete flow IDP->SP, with the attribute being decrypted/decoded.

----------

With this success, I can probably substitute my own SAML2 server for the Shib SP (which I know how to configure, properly), and complete an alternative interworking against TestShib2 IDP. This will stress other areas of interworking, of course including the XML encryption, size of attribute set, OID-named attribute handling, attribute syntax handling for those attributes with BER-encoded values, etc.

Peter.
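The loop and the rewritten relayState described above both come down to whether the hostname the browser uses appears in the ISAPI <Site>/<Alias> mapping and as a <Host> in the RequestMap, and whether the two agree. The following is an added example (my own code, not from the Shibboleth project or from the message) that parses a shibboleth2.xml fragment and classifies each RequestMap <Host> as the canonical Site name, an Alias of a Site, or a name the ISAPI filter knows nothing about, and lists Site names or Aliases that no <Host> protects. The sample XML is constructed from the fragments quoted in the message (the "early variant" without the second <Host> is rebuilt from it); the element and attribute names are the SP 2.x ones shown in the message, while the function names and report shape are this example's own.

```python
"""Cross-check ISAPI <Site>/<Alias> names against RequestMap <Host> names
in a Shibboleth SP 2.x shibboleth2.xml fragment (added example)."""
import xml.etree.ElementTree as ET


def build_sample_config(include_alias_host=True):
    """Constructed sample modelled on the fragments quoted in the message.
    include_alias_host=False reproduces the 'early variant' that lacked the
    second <Host> element."""
    alias_host = """
      <Host name="win8pw.rapattoni.local">
        <Path name="secure2" authType="shibboleth" requireSession="true"/>
      </Host>""" if include_alias_host else ""
    return f"""<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true">
      <Site id="1" name="sp.example.org">
        <Alias>win8pw.rapattoni.local</Alias>
      </Site>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>{alias_host}
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""


def _local(tag):
    """Strip a '{namespace-uri}' prefix so the check is namespace-agnostic."""
    return tag.rsplit('}', 1)[-1]


def _find_all(root, local_name):
    return [el for el in root.iter() if _local(el.tag) == local_name]


def collect_isapi_sites(root):
    """Return {site_name: set(alias names)} from <ISAPI><Site><Alias>."""
    sites = {}
    for site in _find_all(root, 'Site'):
        name = site.get('name')
        if name is None:
            continue
        sites[name] = {a.text.strip() for a in site
                       if _local(a.tag) == 'Alias' and a.text}
    return sites


def collect_request_hosts(root):
    """Return {host_name: [path names that require a session]}."""
    hosts = {}
    for host in _find_all(root, 'Host'):
        name = host.get('name')
        if name is None:
            continue
        hosts[name] = [p.get('name') for p in host
                       if _local(p.tag) == 'Path'
                       and p.get('requireSession', 'false').lower() == 'true']
    return hosts


def classify_hosts(xml_text):
    """Classify every RequestMap <Host> against the ISAPI Site mapping and
    report Site names/Aliases that have no <Host> entry at all."""
    root = ET.fromstring(xml_text)
    sites = collect_isapi_sites(root)
    hosts = collect_request_hosts(root)
    alias_to_site = {alias: site
                     for site, aliases in sites.items() for alias in aliases}
    result = {'canonical': {}, 'alias': {}, 'unknown': {}}
    for host, paths in hosts.items():
        if host in sites:
            result['canonical'][host] = paths
        elif host in alias_to_site:
            result['alias'][host] = {'site': alias_to_site[host],
                                     'paths': paths}
        else:
            result['unknown'][host] = paths
    # Names the ISAPI filter recognises but the RequestMap never protects.
    result['unprotected'] = sorted(
        n for n in list(sites) + list(alias_to_site) if n not in hosts)
    return result


if __name__ == '__main__':
    for label, flag in (('posted configuration', True), ('early variant', False)):
        r = classify_hosts(build_sample_config(flag))
        print(f"== {label} ==")
        print("canonical :", r['canonical'])
        print("alias     :", r['alias'])
        print("unknown   :", r['unknown'])
        print("unprotected site/alias names:", r['unprotected'])
```

Run against a real shibboleth2.xml by replacing the constructed sample with the file contents; a hostname that lands in `unknown` or `unprotected` is the first thing to look at when a browser hostname differs from the Site name, as it does in the message.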
