iisshibboleth-spwindows-server-2022

Shibboleth 3 on Windows Server 2022

I am unable to get IIS on Windows Server 2022 to interact with Shibboleth 3 SP. I followed the Shibboleth 3 SP installation instructions and ticked the 'Configure IIS' option at the installation stage.

Checking shibd.exe passes fine as below:

PS C:\Windows\System32\inetsrv> C:/opt/shibboleth-sp/sbin/shibd.exe -check
overall configuration is loadable, check console or log for non-fatal problems

I also see that Shibboleth modules are installed in IIS:

PS C:\Windows\System32\inetsrv> ./appcmd.exe list module
MODULE "HttpLoggingModule" ( native, preCondition: )
MODULE "HttpCacheModule" ( native, preCondition: )
MODULE "DynamicCompressionModule" ( native, preCondition: )
MODULE "StaticCompressionModule" ( native, preCondition: )
MODULE "DefaultDocumentModule" ( native, preCondition: )
MODULE "DirectoryListingModule" ( native, preCondition: )
MODULE "ProtocolSupportModule" ( native, preCondition: )
MODULE "StaticFileModule" ( native, preCondition: )
MODULE "AnonymousAuthenticationModule" ( native, preCondition: )
MODULE "RequestFilteringModule" ( native, preCondition: )
MODULE "CustomErrorModule" ( native, preCondition: )
MODULE "AspNetCoreModuleV2" ( native, preCondition: )
MODULE "ShibNative32" ( native, preCondition:bitness32 )
MODULE "ShibNative" ( native, preCondition:bitness64 )

However, http://localhost/Shibboleth.sso/Session returns a 404. And the detailed error says that IIS was unable to find C:\inetpub\wwwroot\Shibboleth.sso\Session. Shibboleth therefore did not handle the request and IIS ended up searching for a static file on the file system.

Using the domain name and HTTPS also have the same issue:

Detailed Error Information:
Module     IIS Web Core
Notification       MapRequestHandler
Handler    StaticFile
Error Code     0x80070002
Requested URL      https://example.com:443/Shibboleth.sso/Session
Physical Path      C:\inetpub\wwwroot\Shibboleth.sso\Session
Logon Method       Anonymous
Logon User     Anonymous

Shibboleth 2 had a handler registered for *.sso, but Shibboleth 3 does not have one.

I have scoured through a lot of sites, but I am unable to find any solution. Could someone help, please. Thanks in advance.

Solution

  • It turned out that I had two config issues:

    1. The folder where Shibboleth is installed should have read & execute permission given to IUSR
    2. The Site id in shibboleth2.xml needs to match with the site id in IIS.

    All good now.