The Shibboleth 2.0 SP Infocard plugin adds a session initiator and assertion consumer service to support Information Card login.
Session Initiator
An infocard login is triggered by the submission of a form containing either an application/x-informationcard object or an ic:informationCard XHTML element. This form also identifies all attributes that are required or optional. The plugin's configuration must specify a page template for this form; the template can be set to auto-submit. For example:
    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <head>
        <title>Shibboleth InfoCard login request</title>
      </head>
      <body onload="document.forms[0].submit()">
        . . .
        <form method="post" action="<shibmlp action_target/>">
          <shibmlpif wctx>
            <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
          </shibmlpif>
          <ic:informationCard name="xmlToken"
              style="behavior:url(#default#informationCard)"
              tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
          </ic:informationCard>
          <noscript>
            <div>
              <input type="submit" value="Continue"/>
            </div>
          </noscript>
        </form>
      </body>
    </html>
A session initiator element for infocard might look like:
    <!-- InfoCard service. -->
    <SessionInitiator type="InfoCard"
        template="/usr/local/shib-R20/etc/shibboleth/infocard1.html"/>
- The initiator's id attribute can be referenced by the ShibRequireSessionWith directive in a .htaccess file or an Apache Location configuration block to request infocard login.
Assertion Consumer Service
The target of the posted login form is the infocard plugin's assertion consumer service, configured as follows:
    <!-- InfoCard consumer -->
    <md:AssertionConsumerService Location="/SAML/InfoCard" index="5"
        Binding="InformationCard"/>
The assertion consumer:
- Decrypts the assertion, which has been encrypted with the public key of one of the SP's certificates.
- Verifies the assertion's signature.
- Finds the relying party's metadata from the assertion's signature.
- Extracts the attributes and filters them with the SP's AAP.
- Returns to the original URL that initiated the login.
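As an added illustration (not code from the plugin or this page), the following Python parses the claim list an ic:informationCard form declares, reports which required claims a received token lacks, and applies an AAP-style allowlist to the extracted attributes, mirroring the form's required/optional split and the consumer's filtering step. LOGIN_FORM, AAP_ALLOWED and the token contents are constructed samples; treating an ic:add without an optional attribute as required is an assumption.

```python
import xml.etree.ElementTree as ET

IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"

# Constructed sample: the ic:informationCard element from the login form template
# above, trimmed to the parts that matter for claim handling (the shibmlp tags are
# template markup, not well-formed XML, so they are left out).
LOGIN_FORM = f"""<form xmlns:ic="{IC_NS}">
  <ic:informationCard name="xmlToken" tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
  </ic:informationCard>
</form>"""

# Constructed stand-in for the SP's attribute acceptance policy (AAP): the claim
# types the SP is willing to pass on to the application.
AAP_ALLOWED = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "urn:mace:dir:attribute-def:eduPersonAffiliation",
}


def requested_claims(form_xml):
    """Split the ic:add claimTypes into (required, optional) sets.
    An ic:add with no optional attribute is treated as required (assumption)."""
    root = ET.fromstring(form_xml)
    required, optional = set(), set()
    for add in root.iter(f"{{{IC_NS}}}add"):
        target = optional if add.get("optional", "false").lower() == "true" else required
        target.add(add.get("claimType"))
    return required, optional


def missing_required(asserted, form_xml):
    """Claim types the form marked optional="false" that the token did not carry."""
    required, _ = requested_claims(form_xml)
    return required - set(asserted)


def filter_attributes(asserted, form_xml, aap=AAP_ALLOWED):
    """Keep only claims that the form requested AND the AAP permits; anything
    else the token carries is dropped before the application sees it."""
    required, optional = requested_claims(form_xml)
    requested = required | optional
    return {claim: value for claim, value in asserted.items()
            if claim in requested and claim in aap}
```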