Shibboleth - Secure whole IIS application

Question

I've setup shibboleth SP on my server and now I want to protect my IIS folders. I followed a few tutorials and used this syntax in my shibboleth2.xml file:

<RequestMapper type="Native">
     <RequestMap applicationId="default">
           <Host name="mydomain" redirectToSSL="443">
                <Path name="secure" authType="shibboleth" requireSession="true" />
           </Host>
     </RequestMap>
</RequestMapper>

Now mydomain.tld/secure is protected by shibboleth which works fine. How can I protect the root folder and every children in it?

I'm using a PHP application at the root of the webapp, also I'm using a few URLRewrite rules which redirect stuff like: frontpage/item/123 to: index.php?t=frontpage/item&id=123.

How can I secure index.php and possibly all subfolders

score 4 · Answer 1 · answered Dec 28 '15 at 16:28

Okay, I got it myself. Basically you can add the requireSession attribute to the Host attribute, these are handled globally and the Path attributes are there to overwrite global behavior like disable shibboleth auth on exception/ requests.

<RequestMapper type="Native">
     <RequestMap applicationId="default">
           <Host name="mydomain" authType="shibboleth" requireSession="true"  redirectToSSL="443">
                <Path name="exception" requireSession="false" />
           </Host>
     </RequestMap>
</RequestMapper>

Hope this helps other people as well. Correct me if I my explanation is wrong.

Shibboleth - Secure whole IIS application

1 Answers1