IdP Infocard Configuration
Infocard Configuration
You have to configure the infocard profile handlers and login handlers in handler.xml, and the infocard relying party in relying-party.xml.
If you want to permit Service Providers to request attributes beyond the eduPerson ones, which is usually the case, those attributes must also be defined in your attribute-resolver.xml; a claim listed on the card with no attribute definition behind it can never be filled in.
Create an SP entity.
Add to one of your local metadata files:
<EntityDescriptor entityID="urn:mace:shibboleth:2.0:infocard"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <!-- This tells IdPs that you only need transient identifiers. -->
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">(some name)</OrganizationName>
    <OrganizationDisplayName xml:lang="en">(some display name)</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">(some URL)</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <SurName>your name</SurName>
    <EmailAddress>your address</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
Configure profile handlers in handler.xml:
Add this namespace definition:
xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard"
Add to the schema location:
urn:mace:shibboleth:2.0:idp:infocard classpath:/schema/infocard.xsd
Add these ProfileHandler endpoints:
<!-- Infocard profile handlers -->
<ProfileHandler xsi:type="icard:InfocardStatus">
  <RequestPath>/infocard/status</RequestPath>
</ProfileHandler>
<!-- the '.crd' path is needed for some identity selectors to recognize the content as a card -->
<ProfileHandler xsi:type="icard:InfocardCard" relyingParty="urn:mace:shibboleth:2.0:infocard">
  <RequestPath>/infocard/card</RequestPath>
  <RequestPath>/infocard/card/your_name.crd</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
  <RequestPath>/infocard/mex</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
  <RequestPath>/infocard/mex/pw</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
  <RequestPath>/infocard/mex/pc</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="icard:InfocardSTS" relyingParty="urn:mace:shibboleth:2.0:infocard">
  <RequestPath>/infocard/sts</RequestPath>
</ProfileHandler>
Configure the infocard relying party in relying-party.xml:
Add this namespace definition:
xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard-rp"
Add to the schema location:
urn:mace:shibboleth:2.0:idp:infocard-rp classpath:/schema/infocard-rp.xsd
Define the infocard relying party. Its id must be the same string you used as the entityID in the SP metadata above and as the relyingParty attribute on the infocard profile handlers. By convention, claims are specified as "namespace/attribute", so the claim URIs can be a little long.
The signing credential (defaultSigningCredentialRef) must be the credential your web server uses on its browser-facing TLS port, not a separate SAML signing key: the identity selector expects the certificate that signed the card to be the one it sees on the MEX and STS endpoints over TLS, and a card signed with any other key will not be usable.
<RelyingParty id="urn:mace:shibboleth:2.0:infocard"
    provider="your_provider_id"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    defaultSigningCredentialRef="some_credential">
  <ProfileConfiguration xsi:type="icard:InfocardCardProfile"
      cardName="some_name"
      cardId="some_id:{0}"
      cardVersion="1"
      imageGenerator="path_to_your_image_generator"
      mexAddress="https://your_server/idp/profile/infocard/mex"
      stsAddress="https://your_server/idp/profile/infocard/sts"
      privacyNotice="https://your_server/path_to_privacynotice">
    <!-- JDBC configuration for the "managed card backed by personal card" auth method -->
    <!-- postgres example; the password is stored in clear text here, so keep relying-party.xml readable only by the account the IdP runs as -->
    <icard:JDBCConnection jdbcDriver="org.postgresql.Driver"
        poolAcquireRetryAttempts="1"
        poolAcquireRetryDelay="1"
        poolBreakAfterAcquireFailure="false"
        jdbcURL="jdbc:postgresql://localhost/personalcards"
        jdbcUserName="shib"
        jdbcPassword="whatever" />
    <!-- eduPerson examples -->
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonAffiliation" displayName="Affiliation"/>
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonScopedAffiliation" displayName="Affiliation"/>
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonPrincipalName" displayName="UW NetID"/>
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonEntitlement" displayName="Entitlement"/>
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:givenName" displayName="Given name"/>
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:surname" displayName="Surname"/>
    <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonTargetedID" displayName="Targeted ID"/>
    <!-- MS attr examples -->
    <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" displayName="Given name"/>
    <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" displayName="Surname"/>
    <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" displayName="Email"/>
    <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" displayName="Private ID"/>
  </ProfileConfiguration>
  <ProfileConfiguration xsi:type="icard:InfocardMexProfile"/>
  <ProfileConfiguration xsi:type="icard:InfocardSTS1Profile"/>
  <ProfileConfiguration xsi:type="icard:InfocardSTS2Profile"/>
</RelyingParty>
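The three files above have to agree with each other: the relyingParty attribute on each infocard handler must name the RelyingParty id, and the mexAddress and stsAddress in the card profile must be https URLs that land on a RequestPath served by an InfocardMex and InfocardSTS handler respectively. The following lint script is an added example (not part of Shibboleth) that parses both files and reports any mismatch. It assumes the IdP web application is mounted at /idp, so that a RequestPath of /infocard/mex is reachable at https://host/idp/profile/infocard/mex; the embedded handler.xml and relying-party.xml fragments are constructed samples with placeholder hostnames.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Assumption: the IdP webapp is mounted at /idp, so a handler RequestPath of
# /infocard/mex is served at https://host/idp/profile/infocard/mex.
PROFILE_PREFIX = "/idp/profile"


def _local(tag):
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def load_handlers(handler_xml):
    """Return (xsi:type, relyingParty, [request paths]) for every ProfileHandler."""
    handlers = []
    for h in _find_all(ET.fromstring(handler_xml), "ProfileHandler"):
        paths = [p.text.strip() for p in _find_all(h, "RequestPath") if p.text]
        handlers.append((h.get(XSI_TYPE, ""), h.get("relyingParty"), paths))
    return handlers


def lint(handler_xml, relying_party_xml):
    """Cross-check handler.xml against relying-party.xml; returns a list of problems."""
    problems = []
    handlers = load_handlers(handler_xml)
    rp_root = ET.fromstring(relying_party_xml)
    rp_ids = {rp.get("id") for rp in _find_all(rp_root, "RelyingParty")}

    # 1. A handler's relyingParty attribute must name a RelyingParty that exists.
    for xsi_type, rp, _ in handlers:
        if rp and rp not in rp_ids:
            problems.append(f"handler {xsi_type} references unknown relying party {rp}")

    # 2. The card profile's mexAddress/stsAddress must be https and must resolve to
    #    a RequestPath on a handler of the matching type, or nothing answers there.
    paths_by_type = {}
    for xsi_type, _, paths in handlers:
        paths_by_type.setdefault(xsi_type.split(":")[-1], set()).update(paths)
    for cfg in _find_all(rp_root, "ProfileConfiguration"):
        if not cfg.get(XSI_TYPE, "").endswith("InfocardCardProfile"):
            continue
        for attr, handler_type in (("mexAddress", "InfocardMex"), ("stsAddress", "InfocardSTS")):
            url = cfg.get(attr, "")
            parts = urlsplit(url)
            if parts.scheme != "https":
                problems.append(f"{attr} {url} is not https")
            if not parts.path.startswith(PROFILE_PREFIX + "/"):
                problems.append(f"{attr} {url} is not under {PROFILE_PREFIX}")
                continue
            rel = parts.path[len(PROFILE_PREFIX):]
            if rel not in paths_by_type.get(handler_type, set()):
                problems.append(f"{attr} path {rel} has no {handler_type} handler in handler.xml")
    return problems


# Constructed fragments for demonstration; idp.example.edu is a placeholder.
HANDLER_XML = """<ProfileHandlerGroup xmlns="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard">
  <ProfileHandler xsi:type="icard:InfocardCard" relyingParty="urn:mace:shibboleth:2.0:infocard">
    <RequestPath>/infocard/card</RequestPath>
  </ProfileHandler>
  <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
    <RequestPath>/infocard/mex</RequestPath>
  </ProfileHandler>
  <ProfileHandler xsi:type="icard:InfocardSTS" relyingParty="urn:mace:shibboleth:2.0:infocard">
    <RequestPath>/infocard/sts</RequestPath>
  </ProfileHandler>
</ProfileHandlerGroup>"""


def _rp_xml(mex, sts):
    return f"""<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard-rp">
  <RelyingParty id="urn:mace:shibboleth:2.0:infocard" provider="https://idp.example.edu/idp/shibboleth"
      defaultSigningCredentialRef="TLSCredential">
    <ProfileConfiguration xsi:type="icard:InfocardCardProfile" cardName="Example"
        mexAddress="{mex}" stsAddress="{sts}"/>
  </RelyingParty>
</RelyingPartyGroup>"""


GOOD_RP_XML = _rp_xml("https://idp.example.edu/idp/profile/infocard/mex",
                      "https://idp.example.edu/idp/profile/infocard/sts")
# mexAddress downgraded to http, stsAddress pointing at a path no handler serves
BROKEN_RP_XML = _rp_xml("http://idp.example.edu/idp/profile/infocard/mex",
                        "https://idp.example.edu/idp/profile/infocard/sts2")

if __name__ == "__main__":
    for label, rp in (("good", GOOD_RP_XML), ("broken", BROKEN_RP_XML)):
        print(label, lint(HANDLER_XML, rp) or "ok")
```

To run it on a real deployment, read handler.xml and relying-party.xml from the IdP's conf directory and pass their contents to lint(); an empty list means the cross-references are consistent.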
login.config
Add a JAAS stanza for your username/password authentication, for example Kerberos:

InfocardUserPassAuth {
    com.sun.security.auth.module.Krb5LoginModule required;
};