Allowing Shibboleth authentication

Topics: Installing Orchard
May 8, 2013 at 11:17 PM
Edited May 8, 2013 at 11:17 PM
We're looking at using Orchard for an internal site.

We currently use Shibboleth ( for initial authentication, which makes a POST back to our site in the format of http://domain/Shibboleth.sso/{stuff}

In our current ASP.NET MVC website we needed to just modify the Global.asax with the following:
Unfortunately, Orchard doesn't allow us to go that route, so after some research it looks like it requires a handler to be added.

Via IIS (Server 2008 R2) this was added into the web.config within the handlers group:
<add name="Shib" path="*.sso" verb="*" modules="IsapiFilterModule" scriptProcessor="C:\{path}\isapi_shib.dll" resourceType="Either" requireAccess="Script" preCondition="integratedMode" />
I've tried a couple different variations of this, and still no dice.

Since I pulled down the source anyway, I tried going the simple route of just adding the two routes.IgnoreRoute calls and re-building, but that results in the same issue.

If I remove the Shib requirement than Orchard starts fine, and if I put in a new MVC project with Shib on (and our two IgnoreRoute calls added) that also works fine.

The browser is returning a 404 (blank page), so I have the feeling that Orchard is still grabbing the request.

Any suggestions on how I could go about getting Orchard to skip over this path?
May 9, 2013 at 11:17 PM
Making it a little more general, any suggestions on making sure ISAPI Filter Modules in IIS are hit?

I haven't done much with Web API; is it possible that aspect is hijacking the request, since adding the IgnoreRoute doesn't resolve it?
May 28, 2013 at 3:05 AM
Pretty much anything that requires using a http module and such global resources that don't play nice with a modular system such as Orchard won't be a good or easy fit.
May 28, 2013 at 7:33 PM
Hi Bertrand.

Sorry, looks like I only updated the question I posted on SO.

I was actually able to get this working; I just had to make sure Orchard didn't steal the request and use the correct modules attribute when adding the handler.

Once I dropped in logic to check the correct request data, and etcetera, it seems to be working fine.