The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SP InfoCard Plugin

The Shibboleth 2.0 SP InfoCard plugin adds a session initiator and an assertion consumer service to support Information Card login.

Session Initiator

An InfoCard login is triggered by submitting a form that contains either an application/x-informationcard object or an ic:informationCard XHTML element. The form also identifies which attributes are required and which are optional. The plugin's configuration must specify a page template for this form, and the template can be set to auto-submit. For example:

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<head>
 <title>Shibboleth InfoCard login request</title>
</head>
<body onload="document.forms[0].submit()">
. . .
  <form method="post" action="<shibmlp action_target/>">
    <shibmlpif wctx>
      <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
    </shibmlpif>
    <ic:informationCard name="xmlToken"
        style="behavior:url(#default#informationCard)"
        tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
      <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
      <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
      <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
    </ic:informationCard>
    <noscript>
      <div>
        <input type="submit" value="Continue"/>
      </div>
    </noscript>
  </form>
</body>
</html>
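As an added example (not part of the original documentation or of the Shibboleth code base), the following Python script audits a login template like the one above: it lists which claims the form marks as required or optional and compares them with a set of received attribute names. The function names, the treatment of a missing optional attribute as "required", and the sample attribute set (including the mail attribute) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"

# Constructed sample: a trimmed copy of the template shown above.
TEMPLATE = """<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<body onload="document.forms[0].submit()">
<form method="post" action="<shibmlp action_target/>">
  <shibmlpif wctx>
    <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
  </shibmlpif>
  <ic:informationCard name="xmlToken" tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
    <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
  </ic:informationCard>
</form>
</body>
</html>"""

def strip_shibmlp(text):
    """Drop <shibmlp .../>, <shibmlpif ...> and </shibmlpif> so the rest parses as XML."""
    return re.sub(r"</?shibmlp(?:if)?\b[^>]*>", "", text)

def requested_claims(template_text):
    """Return {claimType: is_required} for every ic:add in the template."""
    root = ET.fromstring(strip_shibmlp(template_text))
    claims = {}
    for add in root.iter("{%s}add" % IC_NS):
        # Assumption: a missing optional attribute means the claim is required.
        optional = add.get("optional", "false").strip().lower() == "true"
        claims[add.get("claimType")] = not optional
    return claims

def check_release(claims, received):
    """Compare received attribute names with the template's claims."""
    missing = sorted(c for c, required in claims.items() if required and c not in received)
    unrequested = sorted(a for a in received if a not in claims)
    return missing, unrequested

if __name__ == "__main__":
    claims = requested_claims(TEMPLATE)
    # Constructed attribute set, as it might look after the ACS extracts attributes.
    got = {"urn:mace:dir:attribute-def:eduPersonAffiliation", "urn:mace:dir:attribute-def:mail"}
    print(claims)
    print(check_release(claims, got))
```

The template tags are stripped before parsing because placeholders such as the one inside the action attribute are not well-formed XML.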

A session initiator element for InfoCard might look like:

<!-- InfoCard service. -->
<SessionInitiator type="InfoCard"
    template="/usr/local/shib-R20/etc/shibboleth/infocard1.html"/>
  • The initiator's id attribute can be referenced by a ShibRequireSessionWith directive in a .htaccess file or an Apache Location block to request InfoCard login.

Assertion Consumer Service

The target of the posted login form is the InfoCard plugin's assertion consumer service, configured as follows:

<!-- InfoCard consumer -->
<md:AssertionConsumerService Location="/SAML/InfoCard" index="5"
    Binding="InformationCard"/>

The assertion consumer:

  • Decrypts the assertion, which has been encrypted with the public key of one of the SP's certificates.
  • Verifies the assertion's signature.
  • Finds the relying party's metadata from the assertion's signature.
  • Extracts the attributes and filters them with the SP's AAP.
  • Builds a session.
  • Returns to the original URL that initiated the login.