Don Faulkner
2014-08-25 20:05:16 UTC
Trying to Shibbolize a single site on an IIS7 host. Details below. The problem is:
If I go to https://default-site/secure, then I get sent to my IdP for authentication
If I go to https://site-to-protect/secure, then I fall straight through to my default.aspx file with no bounce to IdP and no shib variables.
I've tried other sites besides the site I'm interested in, with the same results. I've configured IIS7 per the instructions in the wiki. To be sure, I bootstrapped a clean VM and tried again. To my dismay, this second VM works fine! So, I'm left wondering what odd thing in IIS is preventing the site from working.
What am I missing?
-----
Versions
IIS7, with many, many sites. I'm protecting siteid=26, myparkingaccount-clone.uark.edu [1]
Shibboleth SP 2.5.3
dual-stack IPv4 and IPv6. Names registered in IPv4 DNS only
-----
shibboleth2.xml (relevant bits)
<InProcess logger="native.logger">
  <ISAPI normalizeRequest="true" safeHeaderNames="true">
    <Site id="1" name="www1-clone.uark.edu"/>
    <Site id="26" name="myparkingaccount-clone.uark.edu"/>
  </ISAPI>
</InProcess>
<RequestMapper type="Native">
  <RequestMap>
    <Host name="www1-clone.uark.edu">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
    <Host name="myparkingaccount-clone.uark.edu">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="https://www1-clone.uark.edu/shibboleth" REMOTE_USER="uid eppn persistent-id targeted-id">
  <SSO entityID="https://idp.uark.edu/idp/shibboleth">
    SAML2
  </SSO>
  <MetadataProvider type="XML" uri="https://federation.uark.edu/metadata/uark-identity-metadata.xml"
      backingFilePath="uark-identity-metadata.xml" reloadInterval="7200">
  </MetadataProvider>
</ApplicationDefaults>
[1] Please don't flame me for poor DNS choices. It's out of my control.
--
Don Faulkner, CISSP | CISO<http://security.uark.edu/> at the University of Arkansas<http://www.uark.edu/>
contact>> donf-***@public.gmane.org | +1 (479) 575-5349
connect>> uarkITS on Facebook<http://www.facebook.com/uarkITS> | @uaits<http://twitter.com/uaits> | @dfaulkner<http://twitter.com/dfaulkner>
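A configuration cross-check for the IIS site mapping in the post above, added here as an example; it is not code from the post or from the Shibboleth project. It assumes the documented IIS behaviour that the ISAPI filter resolves the IIS site instance ID through `<Site id="...">` and matches RequestMap `<Host>` entries against that Site's `name`; the IIS inventory dict, site id 27 and the CONFIG sample are constructed values.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a namespace prefix: '{uri}Site' -> 'Site'."""
    return tag.rsplit("}", 1)[-1]

def _elems(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_site_mapping(config_xml, iis_sites=None):
    """Cross-check the ISAPI <Site> map against the RequestMap <Host> entries.

    iis_sites (optional, supplied by the operator from the IIS console or
    'appcmd list sites'): {iis_site_id: {host bindings}}.
    Returns one list per check; an empty list means that check passed.
    """
    root = ET.fromstring(config_xml)
    sites = {s.get("id"): s.get("name", "").lower() for s in _elems(root, "Site")}
    hosts = {h.get("name", "").lower() for h in _elems(root, "Host")}
    findings = {
        # A Host that no Site name resolves to is never matched on IIS, so its
        # Path rules (requireSession etc.) never apply to any request.
        "hosts_without_site": sorted(hosts - set(sites.values())),
        # A Site with no Host entry only ever gets the RequestMap defaults.
        "sites_without_host": sorted(i for i, n in sites.items() if n not in hosts),
        # A Site whose id is not a real IIS site (or whose name is not bound
        # there) leaves requests on the real site unmapped: they fall through.
        "site_id_mismatch": [],
    }
    if iis_sites is not None:
        for site_id, name in sites.items():
            bindings = {b.lower() for b in iis_sites.get(site_id, ())}
            if name not in bindings:
                findings["site_id_mismatch"].append((site_id, name))
    return findings

# Constructed sample: the post's config with quotes restored and the real
# namespace added so it parses like a genuine shibboleth2.xml.
CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
<InProcess logger="native.logger"><ISAPI normalizeRequest="true" safeHeaderNames="true">
  <Site id="1" name="www1-clone.uark.edu"/>
  <Site id="26" name="myparkingaccount-clone.uark.edu"/>
</ISAPI></InProcess>
<RequestMapper type="Native"><RequestMap>
  <Host name="www1-clone.uark.edu"><Path name="secure" authType="shibboleth" requireSession="true"/></Host>
  <Host name="myparkingaccount-clone.uark.edu"><Path name="secure" authType="shibboleth" requireSession="true"/></Host>
</RequestMap></RequestMapper></SPConfig>"""

# Constructed (hypothetical) IIS inventory: the protected host is really site 27.
IIS_SITES = {"1": {"www1-clone.uark.edu"}, "27": {"myparkingaccount-clone.uark.edu"}}

if __name__ == "__main__":
    for check, hits in check_site_mapping(CONFIG, IIS_SITES).items():
        print(f"{check}: {hits or 'ok'}")
```

Run against a real shibboleth2.xml, the two in-file checks need no IIS access; the id check needs the id/binding list from the IIS host.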