Search code examples
orchardcmsshibboleth

Orchard CMS and Shibboleth authentication

We're looking at using Orchard for an internal site.

We currently use Shibboleth for initial authentication, which makes a POST back to our site in the format of http://domain/Shibboleth.sso/{stuff}

In our current ASP.NET MVC website we needed to just modify the Global.asax with the following:

routes.IgnoreRoute("Shibboleth.sso/{isapiInfo}/{isapiDetails}");
routes.IgnoreRoute("Shibboleth.sso/{*pathInfo}");

Unfortunately, Orchard doesn't allow us to go that route, so after some research it looks like it requires a handler to be added.

Via IIS (Server 2008 R2) this was added into the web.config within the handlers group:

<add name="Shib" path="*.sso" verb="*" modules="IsapiFilterModule" scriptProcessor="C:\{path}\isapi_shib.dll" resourceType="Either" requireAccess="Script" preCondition="integratedMode" />

I've tried a couple different variations of this, and still no dice.

Since I pulled down the source anyway, I tried going the simple route of just adding the two routes.IgnoreRoute calls and re-building, but that results in the same issue.

If I remove the Shib requirement then Orchard starts fine, and if I put in a new MVC project with Shib on (and our two IgnoreRoute calls added) that also works fine.

The browser is returning a 404 (blank page), so I have the feeling that Orchard is still grabbing the request.

Any suggestions on how I could go about getting Orchard to skip over this path?

Solution

  • I ended up doing two things.

    First, I created a new module using Not Found MVC as a template. In particular the InstallerModule code.

    I added the following in system.web > httpModules:

    <add name="InstallerModule" type="IgnoreShibboleth.InstallerModule, IgnoreShibboleth" />

    I also added the same to system.webServer > modules.

    All the code did was add in the ignore routes.

    routes.IgnoreRoute("Shibboleth.sso/{isapiInfo}/{isapiDetails}");
routes.IgnoreRoute("Shibboleth.sso/{*pathInfo}");

    The final step I was really close on. I added the following under system.webServer > handlers, immediately after the <clear />:

    <add name="Shib" path="*.sso" verb="*" modules="IsapiModule" scriptProcessor="{path-to}\lib\shibboleth\isapi_shib.dll" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,bitness64" />

    The last time wasn't required in the past, but seems necessary for something Orchard is doing.