Infocard Configuration

You have to add the extension module to the lists of extensions, add a session initiator for Infocard, configure an assertion consumer location, and provide a login form template.

You may have to add an attribute acceptance policy as well.

shibboleth2.xml

Add the module to both the InProcess and OutOfProcess sections:

  <OutOfProcess ...>
     <Extensions>
        <Library path="(shib-root)/lib/infocard/infocard.so" fatal="true"/>
     </Extensions>
  </OutOfProcess>
  <InProcess ...>
     <Extensions>
        <Library path="(shib-root)/lib/infocard/infocard-lite.so" fatal="true"/>
     </Extensions>
  </InProcess>

Add a session initiator:

  <SessionInitiator type="Chaining" Location="/SHIB/Infocard"
        id="Infocard" isDefault="false" relayState="cookie">
     <SessionInitiator type="Infocard" template="(shib-root)/etc/shibboleth/infocard.html"/>
  </SessionInitiator>

Configure an assertion consumer service:

<md:AssertionConsumerService Location="/SAML/Infocard" index="7"
     Binding="urn:mace:shibboleth:2.0:infocard"/>
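
A quick way to confirm that all three shibboleth2.xml changes above are in place before restarting the SP. This is an added example, not part of the Infocard module or the original page; the sample document, its /opt/shib paths, the namespaces and the simplified element nesting are constructed assumptions, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

INFOCARD_BINDING = "urn:mace:shibboleth:2.0:infocard"

# Constructed sample: paths, namespaces and the simplified nesting are assumptions.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <OutOfProcess>
    <Extensions><Library path="/opt/shib/lib/infocard/infocard.so" fatal="true"/></Extensions>
  </OutOfProcess>
  <InProcess>
    <Extensions><Library path="/opt/shib/lib/infocard/infocard-lite.so" fatal="true"/></Extensions>
  </InProcess>
  <Sessions>
    <SessionInitiator type="Chaining" Location="/SHIB/Infocard" id="Infocard">
      <SessionInitiator type="Infocard" template="/opt/shib/etc/shibboleth/infocard.html"/>
    </SessionInitiator>
    <md:AssertionConsumerService Location="/SAML/Infocard" index="7"
        Binding="urn:mace:shibboleth:2.0:infocard"/>
  </Sessions>
</SPConfig>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def check_infocard_config(xml_text):
    """Return a list of problems; an empty list means all three pieces are present."""
    root = ET.fromstring(xml_text)
    problems = []
    for section, lib in (("OutOfProcess", "infocard.so"), ("InProcess", "infocard-lite.so")):
        libs = [el for s in find_all(root, section) for el in find_all(s, "Library")
                if el.get("path", "").endswith("/" + lib)]
        if not libs:
            problems.append(f"{section}: {lib} not loaded")
        elif any(el.get("fatal") != "true" for el in libs):
            problems.append(f'{section}: {lib} lacks fatal="true"')
    inits = [s for s in find_all(root, "SessionInitiator") if s.get("type") == "Infocard"]
    if not inits:
        problems.append("no SessionInitiator of type Infocard")
    elif any(not s.get("template") for s in inits):
        problems.append("Infocard SessionInitiator has no template")
    acs = [a for a in find_all(root, "AssertionConsumerService")
           if a.get("Binding") == INFOCARD_BINDING]
    if not acs:
        problems.append("no AssertionConsumerService with the infocard binding")
    return problems
```

Call `check_infocard_config(open(path).read())` on the real file; the elided attributes shown as `...` in the snippets above must be filled in for it to parse.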

Define a login template

The login template, referenced in the session initiator, automatically submits a form that starts Infocard login. The form identifies the attributes you want from the IdP.
Here is an example requesting eduPerson attributes (infocard.html for the session initiator):

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<head>
 <title>Shibboleth InfoCard login request</title>
</head>
<body onload="document.forms[0].submit()">

<h3>Shibboleth InfoCard login request</h3>

  <script type="text/javascript">
   <!--
    document.write("<p>You are automatically being redirected to the authentication service. ");
    document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
    document.write("the page before contacting the technical support staff in charge of the ");
    document.write("authentication service you are trying to access.</p>");
    document.write("<h2>Redirecting...</h2>");
    // -->
  </script>

  <noscript>
  <p>
  <strong>Note:</strong> Since your browser does not support JavaScript, you must press the
  Continue button once to proceed to the authentication service.
  </p>
  </noscript>


  <form method="post" action="<shibmlp action_target/>">
     <shibmlpif wctx>
        <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
     </shibmlpif>

     <!-- Specify either a SAML1 or SAML2 assertion as the tokenType;
          for SAML1 use tokenType="urn:oasis:names:tc:SAML:1.0:assertion" -->
     <ic:informationCard name="xmlToken"
         style="behavior:url(#default#informationCard)"
         <shibmlpif stsid>
           issuer="<shibmlp stsid/>"
         </shibmlpif>
         tokenType="urn:oasis:names:tc:SAML:2.0:assertion">

        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="false"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" optional="false"/>
      </ic:informationCard>
     <noscript>
       <div>
       <input type="submit" value="Continue"/>
       </div>
     </noscript>

    </form>

</body>
</html>