Additional Entity in IIS

Matthews, Lee (NIH/NIDDK) [E] lee.matthews at
Wed Nov 16 17:57:10 UTC 2022

I have a total newbie question. I apologize in advance.
We are running a web application on IIS on Windows Server 2019 using Shibboleth.
We need to enable an additional external module that allows e-signing.
The external module is supposed to be set up as a separate Shibboleth entity and, when launched, requires the user to enter their password or smartcard PIN.
This is driven by some type of compliance issue.
Most of the consortium people using this are using Apache.
The instructions specify using ApplicationOverride with the new entity ID and path, as well as adding additional parameters in the sessions section with a different lifetime, timeout, etc.

We have set this up with our team that manages the IDP with the different path and metadata.
When testing I am seeing the original entity id as the Shib_Handler.
The application does not prompt to re-authenticate. Our IDP folks say it should not; this is the expected behavior.
The people that work with the application insist that the prompt for re-authentication has to be there.
At this point I am wondering if this is even possible given the component we are using.
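
As an added illustration for the setup described in this post (not part of the original message and not the consortium's instructions): on IIS there is no Apache-style per-location directive, so a path is tied to an ApplicationOverride through the RequestMap in shibboleth2.xml. All host names, paths, entityIDs and timer values below are placeholders, and `forceAuthn` is shown as the SP content setting that requests re-authentication.

```xml
<!-- Added example: fragment of shibboleth2.xml, not a complete file.
     Host name, paths, entityIDs and timer values are placeholders. -->
<RequestMapper type="Native">
  <RequestMap>
    <Host name="app.example.org">
      <!-- Existing application: no applicationId, so ApplicationDefaults applies -->
      <Path name="app" authType="shibboleth" requireSession="true"/>
      <!-- E-signing module: applicationId selects the override with id="esign";
           forceAuthn sets ForceAuthn="true" in the SAML AuthnRequest -->
      <Path name="esign" applicationId="esign" authType="shibboleth"
            requireSession="true" forceAuthn="true"/>
    </Host>
  </RequestMap>
</RequestMapper>

<ApplicationDefaults entityID="https://app.example.org/shibboleth">
  <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    <Logout>SAML2 Local</Logout>
  </Sessions>
  <!-- MetadataProvider, AttributeExtractor, CredentialResolver etc. not shown -->

  <ApplicationOverride id="esign"
                       entityID="https://app.example.org/esign/shibboleth">
    <!-- The override carries its own Sessions element with its own timers,
         written out in full; handlerURL keeps the handler (and therefore
         the ACS endpoint in this entity's metadata) under /esign -->
    <Sessions lifetime="600" timeout="300" handlerURL="/esign/Shibboleth.sso"
              handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
    </Sessions>
  </ApplicationOverride>
</ApplicationDefaults>
```

The SP only asks for re-authentication with `forceAuthn`; whether the user actually sees a prompt is decided by the IdP.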


