Shibboleth Authentication on IIS

by Leroy Altman

As you may have heard, Stanford is moving away from its in-house authentication software, known as “WebAuth”, to an open industry standard called SAML2.  Software called “Shibboleth” implements SAML2, and it includes a version built for Microsoft’s Internet Information Server (IIS) web server running on Windows.

This article was gathered from two great sources listed below, and I encourage you to read both for more details.  This article is really just the tip of the iceberg:

There are two new terms to know:

  • Identity Provider (IdP):  Stanford’s central authentication service, which authenticates the user
  • Service Provider (SP):  your web server, which trusts the IdP’s answer

Installation:  This is a quick summary of how to get Shibboleth installed and working on a Windows IIS web site.

Some prerequisites:

  • Windows Server 2012 R2 with IIS installed.
  • In addition to the default IIS modules, you’ll also need to add the IIS 6 Management Compatibility components:
    • IIS 6 WMI
    • IIS 6 Metabase compatibility
    • IIS 6 Scripting tools
    • IIS 6 Management Console
  • Install the ISAPI Filters and ISAPI Extensions features [located in Web Server (IIS) → Web Server → Application Development]
  • A “Default Web Site” which has a default page, used for testing.
  • A “/secure” subfolder under the root, also with a test page.
  • An SSL certificate installed and working on the website.
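The prerequisite checklist above can be scripted rather than clicked through in Server Manager. The following is an added example, not code from the original post or from the Shibboleth project; it uses the Windows Server 2012 R2 feature names for the components listed above and assumes an elevated PowerShell session on the target server and that “Default Web Site” is served from C:\inetpub\wwwroot (the path is an assumption, not a value from the post). It also checks that the site already has an HTTPS binding, since the SP must not be run over plain HTTP.

```powershell
# Added example (not from the original post): provisions the IIS prerequisites
# listed above on Windows Server 2012 R2 with the Server Manager cmdlets.
# Assumptions: elevated session on the server; the physical path below is
# assumed, "Default Web Site" is the site name the post uses.

# Feature names map to the checklist: Web Server role, the IIS 6 Management
# Compatibility components (WMI, Metabase, Scripting Tools, Management Console)
# and the ISAPI Filters / ISAPI Extensions under Application Development.
$features = @(
    'Web-Server',
    'Web-Metabase',           # IIS 6 Metabase compatibility
    'Web-WMI',                # IIS 6 WMI compatibility
    'Web-Lgcy-Scripting',     # IIS 6 Scripting tools
    'Web-Lgcy-Mgmt-Console',  # IIS 6 Management Console
    'Web-ISAPI-Ext',          # ISAPI Extensions
    'Web-ISAPI-Filter'        # ISAPI Filters
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Feature installation failed (exit code $($result.ExitCode))"
}

# Verify every feature is reported as installed before going further.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    throw "Still missing: $($missing.Name -join ', ')"
}

Import-Module WebAdministration

# Test pages: one at the site root and one under /secure, the folder the
# Shibboleth configuration will later protect.
$root = 'C:\inetpub\wwwroot'   # assumed physical path of "Default Web Site"
New-Item -ItemType Directory -Path (Join-Path $root 'secure') -Force | Out-Null
Set-Content -Path (Join-Path $root 'index.html')        -Value '<h1>Public test page</h1>'
Set-Content -Path (Join-Path $root 'secure\index.html') -Value '<h1>Protected test page</h1>'

# Confirm the site has an HTTPS binding. The SAML assertion and the SP session
# cookie travel over this connection, so the SP should never run over plain HTTP.
$https = Get-WebBinding -Name 'Default Web Site' -Protocol 'https'
if (-not $https) {
    Write-Warning 'No HTTPS binding on "Default Web Site"; bind your SSL certificate before installing the SP.'
} else {
    "HTTPS binding present: $($https.bindingInformation)"
}
```

Run it once before launching the Shibboleth installer; if the HTTPS check warns, fix the binding first, because the SP’s metadata and callback URLs are generated from the site’s HTTPS hostname.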

Run the Shibboleth Installer.  The most recent version, as of this writing, is here:

The defaults for installation are typically fine to use:

Continue reading “Shibboleth Authentication on IIS”

Granting User Access Without Granting User Access in Windows

by Kevin Tai

I recently had a client who hired a consultant to work on a special project to update their website.  The client initially requested to allow the consultant access to a file share on the server where the website is hosted so that he could update the files.  Then the consultant realized that he needed additional access, like restarting the services for the website’s Prod and Dev environments. We could’ve lazily granted him Remote Desktop access to the server and called it a day, but that would be giving him more access than he really needs.  All he really needs to do is to be able to restart two services (the production web server and the dev web server) after he makes updates to the environments.

That got me thinking that there must be an alternative way to accomplish this without giving up too much access.  So, I designed a process that would do just that and here’s how it works…

Continue reading “Granting User Access Without Granting User Access in Windows”