ITS Operations : SSO - Shibboleth Service Provider - Win/IIS


If the service is moving from existing server(s) to new server(s) and the hostname is staying the same

  • Make sure the entityID on the new server matches the entityID from the existing server. The entityID is how the IdP identifies this SP, so a different value would mean a new IdP registration rather than a transparent move.
  • Copy the key pair from the existing server to C:\Program Files\shibboleth-sp\etc\shibboleth\ on the new server.
    • On the existing server these are sp-cert.pem and sp-key.pem in C:\opt\shibboleth-sp\etc\shibboleth.
    • sp-key.pem is the SP's private key. Move it over an authenticated channel (an admin share or an RDP session), never by email, and check that its ACL on the new server grants read access only to Administrators, SYSTEM and the account the shibd service runs under. Anyone holding this key can impersonate the SP to the IdP and decrypt assertions sent to it.
    • The SP 3.x package ships with two <CredentialResolver> elements (one for signing, one for encryption). Modify the config to use the copied key pair by replacing both with:

      <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  • Copy C:\opt\shibboleth-sp\etc\attribute-map.xml from the existing server to C:\Program Files\shibboleth-sp\etc\shibboleth\ on the new server.
  • Do NOT copy C:\opt\shibboleth-sp\etc\shibboleth2.xml from the existing server to the new server. It is unlikely to work because of the version change; re-apply the site-specific settings (ISAPI site, RequestMap, entityID, REMOTE_USER) in the new file using the steps below instead.


  1. Copy Shibboleth SP software from the Apps share on the DML (Current package - \\main.ad.rit.edu\DML\apps\Shibboleth Consortium\Shibboleth Service Provider\Windows\3.2.1.0\) to C:\ITS\ on the server.
  2. Open an administrative command prompt.
  3. Navigate to C:\ITS.
  4. Run SCCM_INSTALL_SERVER.CMD.
  5. Close the command prompt.
  6. Modify C:\Program Files\shibboleth-sp\etc\shibboleth\shibboleth2.xml
    1. In the <Site> element inside the <ISAPI> block, replace the id with the numeric IIS site ID (shown in the Sites view of IIS Manager) and the name with the hostname for the site. Note that this is the user-facing hostname that browsers send, not the server's own name.

      For multiple sites, duplicate the line and modify as necessary.

    2. Replace the name in the <Host> element of <RequestMap> with the hostname for the site. It must match the name in the <Site> element exactly, otherwise none of the <Path> rules apply to that site's requests.
    3. Configure session enforcement. On IIS, requireSession="true" only takes effect together with authType="shibboleth", so both attributes are needed.
      1. To require a session for page(s) or directories:

        <Host name="site.example.com">
          <Path name="login.aspx" authType="shibboleth" requireSession="true"/> <!-- Require a session for the page "login.aspx" -->
          <Path name="secure" authType="shibboleth" requireSession="true"/>     <!-- Require a session for the directory "secure" and everything under it -->
        </Host>
      2. To require a session for the whole host:

        <Host name="site.example.com" authType="shibboleth" requireSession="true"/>

        For multiple sites, duplicate the <Host> block as necessary.

    4. Modify the entityID in <ApplicationDefaults>. Typically the hostname with "/shibboleth" appended is sufficient, e.g. https://site.example.com/shibboleth. This value is what gets registered with the IdP, so once the site is registered it must not change.
    5. If the application expects the REMOTE_USER server variable to carry something other than "uid" (i.e. the username), change the REMOTE_USER attribute of the <ApplicationDefaults> block to the id of the attribute the application wants. That id must be defined in attribute-map.xml, or REMOTE_USER will be empty.
  7. Submit a request to have the site added to the Shibboleth IdP at https://www.rit.edu/its/server-management-requests, with the information listed under "Connecting to RIT's Identity Provider" on the SSO - Deploying page.
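The following is an added example, not part of this page or of the Shibboleth package, showing how steps 6.1 to 6.5 and the migration-only <CredentialResolver> replacement fit together in one shibboleth2.xml. Only the elements those steps touch are shown, in the order the SP 3 default file uses; everything else in the installed file stays as the package wrote it. The hostnames site.example.com and portal.example.com, the IIS site IDs 2 and 3, and the attribute id "uid" are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example fragment of C:\Program Files\shibboleth-sp\etc\shibboleth\shibboleth2.xml.
     Hostnames, site IDs and the "uid" attribute id are assumed values; elements not
     mentioned in the deployment steps are omitted and must be kept from the package default. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">

    <!-- Step 6.1: one <Site> per IIS site. id is the numeric IIS site ID from IIS Manager;
         name is the user-facing hostname browsers send, not the server's own name.
         useHeaders is left at its default (off) so attributes reach the application as
         server variables rather than as request headers a client could try to spoof. -->
    <InProcess>
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <Site id="2" name="site.example.com"/>
            <Site id="3" name="portal.example.com"/>
        </ISAPI>
    </InProcess>

    <!-- Steps 6.2 and 6.3: each <Host name> must match a <Site name> above exactly. -->
    <RequestMapper type="Native">
        <RequestMap>
            <!-- First site: require a session for one page and one directory tree only;
                 every other path on this host stays anonymous. -->
            <Host name="site.example.com">
                <Path name="login.aspx" authType="shibboleth" requireSession="true"/>
                <!-- A directory <Path> covers the directory and everything beneath it. -->
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Second site: require a session for the whole host. -->
            <Host name="portal.example.com" authType="shibboleth" requireSession="true"/>
        </RequestMap>
    </RequestMapper>

    <!-- Step 6.4: entityID is the hostname with /shibboleth appended. On a migration it
         must be the value already registered with the IdP.
         Step 6.5: REMOTE_USER names an attribute id from attribute-map.xml; "uid" is the
         username. Change it only if the application expects a different attribute. -->
    <ApplicationDefaults entityID="https://site.example.com/shibboleth"
                         REMOTE_USER="uid">

        <!-- <Sessions>, <MetadataProvider>, <AttributeExtractor>, <AttributeFilter> and
             the other children are left exactly as the package default. -->

        <!-- Migration only: the key pair copied from the old server replaces the
             package's separate signing and encryption resolvers. On a fresh install,
             keep the two resolvers the package generated instead. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>
</SPConfig>
```

After editing, restart the Shibboleth Daemon service and IIS, then load https://site.example.com/Shibboleth.sso/Status from the server itself to confirm the file parses and the key pair loads; a mistyped <Site> id or a <Host> name that does not match the <Site> name is the usual reason a protected path is served without a session.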