The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

The Shibboleth 2.0 SP Infocard plugin adds a session initiator and
assertion consumer service to support Information Card login.

Session Initiator

An InfoCard login is triggered by the submission of a form
containing either an application/x-informationcard object or
an ic:informationCard XHTML element. The form also declares every
attribute (claim) the SP asks for and whether each one is required
or optional. The plugin's configuration must name a page template
for this form; the template can be set to auto-submit. For example:

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<head>
 <title>Shibboleth InfoCard login request</title>
</head>
<body onload="document.forms[0].submit()">
. . .
  <form method="post" action="<shibmlp action_target/>">
     <shibmlpif wctx>
        <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
     </shibmlpif>
     <ic:informationCard name="xmlToken"
         style="behavior:url(#default#informationCard)"
         tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
      </ic:informationCard>
     <noscript>
       <div>
       <input type="submit" value="Continue"/>
       </div>
     </noscript>
    </form>
</body>
</html>

A session initiator element for infocard might look like:

  <!-- InfoCard service. -->
     <SessionInitiator type="InfoCard"
        template="/usr/local/shib-R20/etc/shibboleth/infocard1.html"/>

  • The initiator's id attribute can be referenced by a
    ShibRequireSessionWith directive in a .htaccess file or an
    Apache Location block to request an InfoCard login.

Assertion Consumer Service

The target of the posted login form is the infocard plugin's assertion
consumer service, configured:

    <!-- InfoCard consumer -->
    <md:AssertionConsumerService Location="/SAML/InfoCard" index="5"
        Binding="InformationCard"/>

The assertion consumer

  • Decrypts the assertion, which has been encrypted with the
    public key of one of the SP's certificates.
  • Verifies the assertion's signature.
  • Finds the relying party's metadata from the assertion's signature.
  • Extracts the attributes and filters them with the SP's AAP.
  • Builds a session.
  • Returns the browser to the original URL that initiated the login.
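Added example (not code from the plugin itself) showing in Python how the form's required/optional claim declarations relate to the consumer's attribute step: it parses the ic:add elements from a rendered copy of the login form, then checks a decrypted, signature-verified token's AttributeStatement against them. The rendered form, the AttributeStatement and the use of the form's claim list in place of the SP's AAP are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: the login form as rendered to the browser, i.e. with the
# <shibmlp .../> template placeholders already substituted by the SP.
LOGIN_FORM = """<form xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
      method="post" action="/Shibboleth.sso/SAML/InfoCard">
  <ic:informationCard name="xmlToken" tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
  </ic:informationCard>
</form>"""

# Constructed sample: AttributeStatement of a token that has already been decrypted
# and signature-verified. eduPersonEntitlement is absent; mail was never requested.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:mail">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def declared_claims(form_xml):
    """Map each claimType from the form's ic:add elements to True when required
    (assumption: a missing optional attribute means required)."""
    root = ET.fromstring(form_xml)
    return {add.get("claimType"): add.get("optional", "false").lower() != "true"
            for add in root.iter(f"{{{IC_NS}}}add")}

def filter_attributes(statement_xml, claims):
    """Keep only attributes the form declared (a stand-in for the SP's AAP) and
    list the required claims the token did not supply."""
    root = ET.fromstring(statement_xml)
    accepted = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        name = attr.get("AttributeName")
        if name in claims:  # anything undeclared is dropped, not trusted
            accepted[name] = [v.text for v in attr.iter(f"{{{SAML1_NS}}}AttributeValue")]
    missing = sorted(c for c, req in claims.items() if req and c not in accepted)
    return accepted, missing
```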