IIS Shibboleth Host exception

Cantor, Scott cantor.2 at osu.edu
Mon Feb 11 16:52:51 EST 2013


On 2/11/13 4:45 PM, "Vruwink, Timothy Roger" <vruwink at illinois.edu> wrote:

>Is it possible under Shibboleth SP for Windows (IIS7) to set a hostname
>exception at the webserver level that states; "if anyone coming from this
>host connects, do _not_ require them to authenticate"?  Our server is
>currently set to send all requests to shibboleth, we have not specified
>any secured directories.

I would doubt it. Apache would express this easily enough, but there's no
real way to directly configure rules related to authentication modules,
plus combine that with IP-based rules. The address rules can be built-in,
but the IIS layer doesn't know about custom authentication modules so it
can't combine such policies. Apache does all this because the rules are
one system.

The only way you'd make this work is by turning off the SP's active
protection, and initiating a login with your application rather than based
on the request URL.

>Longer version:
>We have a shibboleth installation running mostly well under IIS7 as an
>SP.  On its own, it is working as expected. However, when users try to
>connect to resources on this server from off campus, they are prompted to
>go through our EZ-Proxy service, which in turn asks them to authenticate
>(via shibb) and then things break.

I'm not seeing the point of this. The whole point of using Shibboleth is
not to use the proxy. If you stop sending them to the proxy at all, you're
done, aren't you?

-- Scott
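
The approach described in the reply above (SP active protection turned off, login initiated by the application) as an added example; it is not part of the original message or of the Shibboleth project's code. Assumptions: the SP's default `/Shibboleth.sso/Login` handler path, the `Shib-Session-ID` header being present when a session exists, and a constructed exempt address; the function names are hypothetical, and an IIS application would carry the same logic in its own language.

```python
import ipaddress
from urllib.parse import quote

# Assumptions (not from the original thread): the exempt network, the default
# handler path, and the header the SP sets on requests that carry a session.
EXEMPT_NETWORKS = [ipaddress.ip_network("192.0.2.10/32")]  # constructed proxy address
LOGIN_HANDLER = "/Shibboleth.sso/Login"
SESSION_HEADER = "Shib-Session-ID"


def is_exempt(remote_addr: str) -> bool:
    """True if the connection's peer address falls inside an exempt network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable address is never exempt
    return any(addr in net for net in EXEMPT_NETWORKS)


def login_redirect(remote_addr: str, headers: dict, request_url: str):
    """Return None to serve the request, or the URL to redirect to for login.

    remote_addr must be the TCP peer address (REMOTE_ADDR), not a
    client-supplied header such as X-Forwarded-For, which a caller can forge.
    """
    if is_exempt(remote_addr):
        return None  # host exception: no authentication required
    if headers.get(SESSION_HEADER):
        return None  # the SP has already established a session
    # Pass only same-site relative paths as the return target, so the
    # login handler cannot be used to bounce users to another site.
    if not request_url.startswith("/") or request_url.startswith("//"):
        request_url = "/"
    return f"{LOGIN_HANDLER}?target={quote(request_url, safe='')}"
```

The exemption applies to every user arriving through the exempt address, so the application should treat those requests as unauthenticated rather than as any particular user.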



