Correct order for IIS setup with Shibboleth SP v3

Rod Widdowson rdw at steadingsoftware.com
Thu Aug 16 03:57:10 EDT 2018 

> I was able to resolve the issue I have yesterday by reinstalling Shibboleth 

Good news.  Thanks for closing the loop.

>   My question is what is needed and what order should I do things in to make it reliable?  

Talking about a FRESH INSTALL:

- If you don't install IIS first then you won't be given the option to in "Configure the IIS7 option"?
- If you don't tick the option then IIS won't be told about Shib.

On an UPGRADE nothing is done at all.

> What does the installer do to IIS to make it work?  

It runs the appcmd commands in the wiki [1]:

appcmd install module /name:ShibNative32 /image:"c:\opt\shibboleth-sp\lib\shibboleth\iis7_shib.dll" /precondition:bitness32
appcmd install module /name:ShibNative /image:"c:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" /precondition:bitness64

> When it failed, my software was installed already, which means it had deleted the default website 
> and created it’s own with site Id=1.  Does Shibboleth care ?  Is it reliant on the default website 
> and/or ID=1 in any way?

It shouldn't do.  It only cares about the site ID as defined to IIS and specified in the <Site> element in shibboleth2.xml.  

On the other hand IIS can behave in very strange ways and I don't have the lifetime I'd need to fully grock it left to me.

> If I was to install shibboleth SP first would removing the default website afterwards break anything?
It shouldn't.  You'd be wise to restart IIS afterwards just in case, ditto shibd_default.

> Finally, how to you tell it to configure IIS from a silent install?  It the GUI it’s a checkbox that is off by default. 

I have chosen not to document that - it adds another dimension to testing & support we can ill afford.  If you have a need you can
always pop in an RFE and we'll add it to the pile (hint consortium members get to influence our prioritization).    Or you can read
the source and infer - but then it becomes your problem.  In the short term remember that you can always tell IIS about shib
post-ad-hoc (and that’s documented and hence supported).

But you can find out whether IIS knows about shib by the appropriate appcmd or from the GUI - it's installed as a module as you can
see above.

[1] https://wiki.shibboleth.net/confluence/display/SP3/Upgrading+Older+ISAPI+Configuration

/Rod

More information about the users mailing list