Shibboleth2 ECP for IIS7/Windows 2008

To allow IIS7 (via the shib_isapi handler) to invoke the NativeSP in "handler" mode (so that Shib2 acts as a layer 5 protocol engine rather than as web-session middleware), and then to support a trial of generating a SAMLRequest using ECP and PAOS, I did the following:

1. In the ISAPI source, alter code lines as follows:

    A  pair<bool,long> res = stf.getServiceProvider().doAuthentication(stf, true);  // note: true for the 2nd param (handler mode)

    B  dynabuf handlervar(256);   // defined as a global, so the CRT allocates its space statically

    C  GetHeader(pn, pfc, "url", handlervar, 256, false);  // added to the ShibTargetIsapiF constructor, after the existing GetHeader(url); quick hack to store the inbound querystring as a global char* in handlervar

    D  // The filter never processes the POST, so stub these methods.
       const char* getQueryString() const {
           return (char*)handlervar;   // implemented via the nasty hack above, for use by CGIReader
           // throw IOException("getQueryString not implemented");   // the original "not implemented" throw, commented out
       }

2. In the ISAPI source, comment out any undesirable "non-protocol" features in the SPConfig feature mask:

        SPConfig::Listener |
        // SPConfig::Caching |            // disable caching support in the library
        SPConfig::RequestMapping |
        SPConfig::InProcess |
        SPConfig::Logging |

3. In a shibboleth2.xml SP config file generated by the TestShib harness, ensure the default SessionInitiator carries the (undocumented) attribute ECP="true":

   <SessionInitiator type="SAML2" Location="/TestShib" ECP="true"

   Note that the attribute name ECP is case sensitive.

4. Invoke the trial using a tool like curl(1), using GET to induce the protocol run, with the providerId parameter deliberately set to "none" to showcase the ECP scenario. The run-time mux/demux requirements for the trial were varied by changing "TestShib" and applicationId=<val>. This invokes the protocol engine for layer 5 S-SDU/initiate, in raw mode.


5. Ensure the HTTP request carries conforming request headers (taken verbatim from the SAML2 documentation/latest errata):

   Accept: text/html; application/vnd.paos+xml
   PAOS: ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

Unless I missed some of my code hacks, this produces a trial as follows. Since this is the first time in 12 months of trying with 3 Windows products that I've got this far with ECP, I'm pretty happy with Shib2! Thanks!

GET /Shibboleth.sso/TestShib?applicationId=default&providerId=none HTTP/1.1
Accept-Language: en-us,en-securid
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)
Connection: Keep-Alive
Host: win8pw.rapattoni.local
Accept: text/html; application/vnd.paos+xml
PAOS: ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Content-Type: application/vnd.paos+xml
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 26 Apr 2008 22:30:38 GMT
Connection: close
Content-Length: 1515

    <S:Envelope xmlns:S="">
      <S:Header>
        <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="" S:mustUnderstand="1"
            responseConsumerURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"
            service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
        <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="" S:mustUnderstand="1">
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer>
          <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
            <samlp:IDPEntry ProviderID="none"/>
          </samlp:IDPList>
        </ecp:Request>
        <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:actor="" S:mustUnderstand="1"/>
      </S:Header>
      <S:Body>
        <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"
            ID="_f5c9b87a8863ad2f94c7be25b5522cc3" IssueInstant="2008-04-26T22:30:38Z"
            ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer>
          <samlp:NameIDPolicy AllowCreate="1"/>
          <samlp:Scoping>
            <samlp:IDPEntry ProviderID="none"/>
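As an added example (not code from the original post or from the Shibboleth project), here is the check an ECP client should run over the PAOS envelope the SP returns, like the one in the trace above, before it forwards the AuthnRequest to an IdP. The sample envelope is constructed from that trace; it assumes the standard SOAP 1.1 envelope and actor URIs (which the trace lost) and omits the RelayState and Scoping parts, and the responseConsumerURL/AssertionConsumerServiceURL comparison is a local consistency check, separate from the profile's later comparison against the IdP's ecp:Response.

```python
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1 envelope (assumed)
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample, modelled on the SP's response in the trace above (elements closed).
SAMPLE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" responseConsumerURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
<ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer><samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="none"/></samlp:IDPList></ecp:Request>
</S:Header><S:Body>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP" ID="_f5c9b87a8863ad2f94c7be25b5522cc3" IssueInstant="2008-04-26T22:30:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer></samlp:AuthnRequest>
</S:Body></S:Envelope>"""


def parse_paos_request(envelope_bytes):
    """Extract what an ECP client needs from the SP's PAOS envelope, refusing
    envelopes that lack the headers the ECP profile makes mandatory."""
    root = ET.fromstring(envelope_bytes)
    if root.tag != "{%s}Envelope" % NS["S"]:
        raise ValueError("not a SOAP envelope")
    paos = root.find("S:Header/paos:Request", NS)
    if paos is None or paos.get("{%s}mustUnderstand" % NS["S"]) != "1":
        raise ValueError("paos:Request header missing or not mustUnderstand=1")
    if paos.get("service") != ECP_SERVICE:
        raise ValueError("paos:Request is not for the ECP service")
    rc_url = paos.get("responseConsumerURL")
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if authn is None or authn.get("ProtocolBinding") != PAOS_BINDING:
        raise ValueError("body is not a PAOS-bound AuthnRequest")
    # Local sanity check: the URL the client will later POST the IdP's response to
    # must be the ACS the SP named in its own AuthnRequest; a mismatch means the
    # envelope was mangled or tampered with in transit.
    if authn.get("AssertionConsumerServiceURL") != rc_url:
        raise ValueError("responseConsumerURL != AssertionConsumerServiceURL")
    idps = [e.get("ProviderID")
            for e in root.findall("S:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)]
    return {
        "response_consumer_url": rc_url,
        "request_id": authn.get("ID"),
        "issuer": authn.findtext("saml:Issuer", namespaces=NS),
        "idp_list": idps,   # ["none"] in the trial above: no IdP preference given
    }
```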

Peter Williams
Chief Information Security Officer
Mobile (805) 416-6305

From: Peter Williams
Sent: Sat 4/26/2008 1:11 PM
Subject: RE: TestShib not responding to ACSURL

I’ve moved on in my experiment (changing Shib2 code to suit), hopefully exploiting a response on a different thread. It noted that one can initiate a (SAML2) protocol handler using URIs of the form:


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.