Securing root directory in IIS with Shibboleth SAML/SSO by not setting specific path


The sample shibboleth2.xml document shows this for IIS under the RequestMap node:

<Host name="domain.com">
    <Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

That indeed locks down the "secure" directory at domain.com/secure. However, what if I just want to secure domain.com but not any specific subdirectory?

How do I secure the root directory and still apply the authType and requireSession, in other words?

I tried putting nothing "" in that space and also just a slash (/), but that doesn't seem to do it.


Solution

  • You need to move the authType="shibboleth" and requireSession="true" elements to the <Host> RequestMap configuration, i.e. replace yours with:

    <Host name="domain.com" authType="shibboleth" requireSession="true" />
    

    See: https://wiki.shibboleth.net/confluence/display/SP3/Host
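The inheritance the answer relies on can be checked before deploying a RequestMap. The following is an added example, not part of the original answer and not Shibboleth code. It assumes a simplified model: exact host names, single-segment `Path` names compared case-insensitively, and no regex or query rules. The names `effective_settings` and `unprotected` are hypothetical.

```python
import xml.etree.ElementTree as ET

SETTINGS = ("authType", "requireSession")

# Constructed samples: the two <Host> forms from this page, wrapped in a RequestMap.
BEFORE = """<RequestMap>
  <Host name="domain.com">
    <Path name="secure" authType="shibboleth" requireSession="true"/>
  </Host>
</RequestMap>"""
AFTER = """<RequestMap>
  <Host name="domain.com" authType="shibboleth" requireSession="true"/>
</RequestMap>"""

def _local(tag):
    """Strip an XML namespace so a namespaced shibboleth2.xml fragment also works."""
    return tag.rsplit("}", 1)[-1]

def _own(node):
    """Content settings set directly on this element."""
    return {k: node.get(k) for k in SETTINGS if node.get(k) is not None}

def effective_settings(request_map_xml, host, url_path):
    """Settings in force for host + url_path; children inherit from parents."""
    root = ET.fromstring(request_map_xml)
    node = next((h for h in root.iter() if _local(h.tag) == "Host"
                 and h.get("name", "").lower() == host.lower()), None)
    if node is None:
        return {}
    settings = {**_own(root), **_own(node)}
    for seg in filter(None, url_path.split("/")):
        node = next((p for p in node if _local(p.tag) == "Path"
                     and p.get("name", "").strip("/").lower() == seg.lower()), None)
        if node is None:
            break  # no deeper rule: the settings gathered so far apply
        settings.update(_own(node))
    return settings

def unprotected(request_map_xml, host, url_paths):
    """Return the paths that do not end up with requireSession="true"."""
    return [p for p in url_paths
            if effective_settings(request_map_xml, host, p).get("requireSession") != "true"]

if __name__ == "__main__":
    probes = ["/", "/index.html", "/secure/report.aspx"]
    print("before:", unprotected(BEFORE, "domain.com", probes))
    print("after: ", unprotected(AFTER, "domain.com", probes))
```

With the question's configuration only `/secure/...` resolves to a required session; with the attributes on `<Host>` every probed path does.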