Home / server / Questions / 745586
In Process
posixpascal
Asked: 2015-12-29 08:14:18 +0800 CST

Shibboleth - Secure whole IIS application

  • 772

I've setup shibboleth SP on my server and now I want to protect my IIS folders. I followed a few tutorials and used this syntax in my shibboleth2.xml file:

<RequestMapper type="Native">
     <RequestMap applicationId="default">
           <Host name="mydomain" redirectToSSL="443">
                <Path name="secure" authType="shibboleth" requireSession="true" />
           </Host>
     </RequestMap>
</RequestMapper>

Now mydomain.tld/secure is protected by shibboleth which works fine. How can I protect the root folder and every children in it?

I'm using a PHP application at the root of the webapp, also I'm using a few URLRewrite rules which redirect stuff like: frontpage/item/123 to: index.php?t=frontpage/item&id=123.

How can I secure index.php and possibly all subfolders

php

1 Answers

  1. Okay, I got it myself. Basically you can add the requireSession attribute to the Host attribute, these are handled globally and the Path attributes are there to overwrite global behavior like disable shibboleth auth on exception/ requests.

    <RequestMapper type="Native">
     <RequestMap applicationId="default">
           <Host name="mydomain" authType="shibboleth" requireSession="true"  redirectToSSL="443">
                <Path name="exception" requireSession="false" />
           </Host>
     </RequestMap>
</RequestMapper>

    Hope this helps other people as well. Correct me if I my explanation is wrong.

    • 4