Shibboleth and IIS Integration: Tips, Tricks, Alternatives
Scott Cantor, OSU / Shibboleth Consortium
Local Background
• Local deployment of ~ 200 SPs, ~ 300 servers
• IIS usage ~60-70%
• No special software distribution
• Tailored documentation and configuration: https://webauth.service.ohio-state.edu/~shibboleth/
• Little use of Windows AD features/security on campus
SP Technical Design
• "shibd" agent runs as a Windows service
• DLL installed as an IIS ISAPI filter and extension
• Configuration external to IIS, not within the GUI
• Not aware of .NET application boundaries/configuration
• 2.5 highly recommended due to the improved installer for upgrades/patches
IIS Integration Specifics
• Native ISAPI modules cannot set server variables, so attribute data is provided to the application via custom request headers
• Requests to IIS sites are mapped to hostnames using <Site> elements
• Applying rules/settings for content requires <RequestMap>
Mapping Examples
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="www.example.com">
            <Alias>example.com</Alias>
        </Site>
        <Site id="135234524" name="alt.example.com"/>
    </ISAPI>
    …
    <RequestMapper type="Native">
        <RequestMap>
            <Host name="www.example.com">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <Host name="example.com">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <Host name="alt.example.com">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>
Gotchas: File Permissions
• All accounts used by IIS processes need read access to most files in the Shibboleth installation
• Varies widely across IIS versions
• No access to the private key(s) is required
• Write access to the log directory only
Gotchas: IIS Inheritance
• IIS filters are registered globally or per site; extension script mappings can be set globally, per site, or per directory/file
• Installer tries to install filter globally, script/handler mapping at root of each site
• Systems vary in overriding these settings at lower layers
• GUI is buggy and does not accurately reflect when settings are overridden or missing
Gotchas: WOW64 AppPools
• 2.5 releases install 32-bit and 64-bit binaries, but only one can be active
• IIS AppPools on a 64-bit OS can be configured as 32-bit:
  • Choose "Run as 32-bit" during install, or
  • Run SetService32.bat after install and manually edit the IIS filter/handler mappings
• Cannot run both types of AppPool at once
Gotchas: Headers
• The "safeHeaderNames" option removes punctuation from attribute names to avoid a .NET API vulnerability, but it is still advisable to avoid:
  • System.Web.HttpRequest.ServerVariables
  • Request("HTTP_VARIABLE_NAME")
• Setting REMOTE_USER is not supported; the SP sets an HTTP_REMOTEUSER header instead
• Avoid it unless you need the feature that picks the first value from a set of possible attributes
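An added shibboleth2.xml fragment (not from the slides) showing where the "first value from a set of attributes" behavior is configured. The REMOTE_USER attribute on ApplicationDefaults lists attribute ids in order of preference; on IIS the chosen value is delivered to the application as the HTTP_REMOTEUSER request header rather than as a server variable. The entityID and the attribute ids are assumptions and must match the ids defined in the deployment's attribute-map.xml.

```xml
<!-- Added example; not part of the original deck. -->
<ApplicationDefaults entityID="https://www.example.com/shibboleth"
                     REMOTE_USER="eppn persistent-id">
    <!-- The SP sets REMOTE_USER from the first listed attribute that has a
         value: eppn if present, otherwise persistent-id. On IIS this arrives
         as the HTTP_REMOTEUSER header. Leave REMOTE_USER out entirely if the
         application reads its own attribute headers and does not need this
         fallback behavior. -->
    <!-- Sessions, Errors, AttributeExtractor and other child elements
         belong here and are unchanged from a normal configuration. -->
</ApplicationDefaults>
```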
Gotchas: Virtualization
• The client's view of scheme, hostname and port is not the same as the server's view
• Example: https termination from the client to a load balancer, http from the LB to the server
• IIS DOES NOT SUPPORT THIS NATIVELY
• The SP compensates with settings in <Site> elements to override scheme, name and ports; analogous to Apache ServerName and related directives
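An added example (not from the slides) of the <Site> override the last bullet describes, for the load-balancer case above: clients connect to https://www.example.com on port 443, the LB terminates TLS, and IIS site 1 receives plain http on port 80. Without the override the SP would build its handler and redirect URLs from what IIS sees (http, port 80), and the browser would be sent to the wrong place. The IIS site id, hostname and ports are assumptions for illustration.

```xml
<!-- Added example; not part of the original deck. -->
<ISAPI normalizeRequest="true" safeHeaderNames="true">
    <!-- IIS site 1 is reached over http://...:80 from the load balancer,
         but the client-facing URL is https://www.example.com:443.
         scheme and port tell the SP which values to use when it generates
         endpoint URLs and redirects, overriding what IIS reports.
         normalizeRequest additionally redirects requests that arrive under
         a name other than the canonical one to www.example.com. -->
    <Site id="1" name="www.example.com" scheme="https" port="443"/>
</ISAPI>
…
<RequestMapper type="Native">
    <RequestMap>
        <!-- Rules are matched against the canonical (client-facing) name,
             so the Host entry must use www.example.com, not an internal
             hostname the LB might forward. -->
        <Host name="www.example.com">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
```

Verify the override by requesting the Session handler through the load balancer (for example https://www.example.com/Shibboleth.sso/Session) and confirming that any redirect the SP issues points back at https://www.example.com rather than at an http URL or an internal port.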
A bit on ADFS
• ADFSv2 integration with IIS principally relies on embedded WS-Federation token support inside the .NET application layer
• No end-to-end SAML 2 protocol options
• The application uses the .NET "claims" API to access user data from the token
• Windows account impersonation via REMOTE_USER is, I think, possible using the sample code for the older ADFSv1 style of integration