IdP Infocard Configuration

The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdP Infocard Configuration

Infocard Configuration

You must configure the infocard profile and login handlers in handler.xml, and the infocard relying party in relying-party.xml.

If you want to permit Service Providers to request non-eduPerson attributes, which is usually the case, those attributes must also be configured in your attribute-resolver.xml.

Create an SP entity.

Add to one of your local metadata files:

   <!-- Metadata for the IdP's own "infocard" SP entity.  Its entityID is the value the
        infocard ProfileHandlers reference as relyingParty in handler.xml and the id of the
        RelyingParty element in relying-party.xml; keep all three identical. -->
   <EntityDescriptor entityID="urn:mace:shibboleth:2.0:infocard"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- The attribute value below is split across two lines; XML attribute-value
           normalization turns the line break into a space, so both protocol URIs are kept. -->
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
                urn:oasis:names:tc:SAML:1.1:protocol">
           <!-- This tells IdPs that you only need transient identifiers. -->
           <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
           <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
         </SPSSODescriptor>
      <!-- NOTE(review): no KeyDescriptor is declared for this entity; this page does not say
           whether the infocard profiles need one, so confirm before relying on that. -->

        <!-- The parenthesised values and "your name"/"your address" are placeholders. -->
        <Organization>
                <OrganizationName xml:lang="en">(some name)</OrganizationName>
                <OrganizationDisplayName xml:lang="en">(some display name)</OrganizationDisplayName>
                <OrganizationURL xml:lang="en">(some URL)</OrganizationURL>
        </Organization>
        <ContactPerson contactType="technical">
                <SurName>your name</SurName>
                <EmailAddress>your address</EmailAddress>

        </ContactPerson>
     </EntityDescriptor>

Configure profile handlers.

handler.xml:

Add this namespace definition:

xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard"

Add to the schema location:

urn:mace:shibboleth:2.0:idp:infocard classpath:/schema/infocard.xsd

Add these ProfileHandler endpoints:

<!-- Infocard profile handlers.  The relying-party.xml example points mexAddress and
     stsAddress at https://your_server/idp/profile/infocard/mex and .../infocard/sts, so the
     RequestPath values here are what those URLs must resolve to.  All handlers except the
     status handler name the "urn:mace:shibboleth:2.0:infocard" relying party, which is the
     entityID of the SP metadata created earlier and the id of the RelyingParty below. -->

    <!-- Status endpoint; the only handler here declared without a relyingParty attribute. -->
    <ProfileHandler xsi:type="icard:InfocardStatus">
        <RequestPath>/infocard/status</RequestPath>
    </ProfileHandler>

    <!-- Card download.  The '.crd' path is needed for some identity selectors (IS) to
         identify the content as a card; "your_name" is a placeholder. -->
    <ProfileHandler xsi:type="icard:InfocardCard" relyingParty="urn:mace:shibboleth:2.0:infocard">
      <RequestPath>/infocard/card</RequestPath>
      <RequestPath>/infocard/card/your_name.crd</RequestPath>
    </ProfileHandler>

    <!-- Metadata-exchange (MEX) endpoints.  /mex/pw and /mex/pc presumably serve the
         per-authentication-method variants (password, personal card); verify against the
         infocard extension documentation. -->
    <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/mex</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/mex/pw</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/mex/pc</RequestPath>
    </ProfileHandler>

    <!-- Security Token Service endpoint; this is what stsAddress in relying-party.xml
         must resolve to. -->
    <ProfileHandler xsi:type="icard:InfocardSTS" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/sts</RequestPath>
    </ProfileHandler>

Configure the infocard relying party.

relying-party.xml:

Add this namespace definition:

xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard-rp"

Add to the schema location:

urn:mace:shibboleth:2.0:idp:infocard-rp classpath:/schema/infocard-rp.xsd

Define the infocard relying party. By convention, claims are specified as "namespace/attribute", so the claim definitions can be a little long.

The signing credential referenced by defaultSigningCredentialRef must be the same certificate and key that your web server presents on its browser-facing port.

<!-- Relying party for the IdP's own infocard issuer.  In this file the icard prefix is
     bound to urn:mace:shibboleth:2.0:idp:infocard-rp, a different namespace from the icard
     prefix used in handler.xml; the two documents do not share declarations.  id must equal
     the entityID in the SP metadata and the relyingParty attribute on the infocard
     ProfileHandlers.  defaultSigningCredentialRef must name the same key/certificate your
     web server presents on its browser-facing port.  provider and some_credential are
     placeholders. -->
<RelyingParty id="urn:mace:shibboleth:2.0:infocard"
                  provider="your_provider_id"
                  defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
                  defaultSigningCredentialRef="some_credential">
        <!-- Card issuance profile.  The "{0}" in cardId looks like a per-card substitution
             placeholder; confirm the format in the extension documentation.  mexAddress and
             stsAddress must resolve to the /infocard/mex and /infocard/sts RequestPaths
             configured in handler.xml. -->
        <ProfileConfiguration xsi:type="icard:InfocardCardProfile"
                 cardName="some_name" cardId="some_id:{0}" cardVersion="1"
                 imageGenerator="path_to_your_image_generator"
                 mexAddress="https://your_server/idp/profile/infocard/mex"
                 stsAddress="https://your_server/idp/profile/infocard/sts"
                 privacyNotice="https://your_server/path_to_privacynotice">

           <!-- JDBC configuration for the "managed card backed by personal card" auth method -->
              <!-- postgres example -->
           <!-- NOTE: jdbcPassword is kept in clear text in this file, so restrict read access
                to relying-party.xml to the account the IdP runs as.  The localhost URL, user
                name and password are example values. -->
           <icard:JDBCConnection jdbcDriver="org.postgresql.Driver"
            poolAcquireRetryAttempts="1" poolAcquireRetryDelay="1" poolBreakAfterAcquireFailure="false"
            jdbcURL="jdbc:postgresql://localhost/personalcards"
            jdbcUserName="shib" jdbcPassword="whatever" />

           <!-- eduPerson examples.  displayName is presumably the human-readable label for the
                claim; "UW NetID" is one site's label, replace it with your own. -->
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonAffiliation" displayName="Affiliation"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonScopedAffiliation" displayName="Affiliation"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonPrincipalName" displayName="UW NetID"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonEntitlement" displayName="Entitlement"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:givenName" displayName="Given name"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:surname" displayName="Surname"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonTargetedID" displayName="Targeted ID"/>
           <!-- MS attr examples.  These are non-eduPerson attributes, so presumably they also
                have to be defined in attribute-resolver.xml as noted at the top of the page. -->
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" displayName="Given name"/>
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" displayName="Surname"/>
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" displayName="Email"/>
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" displayName="Private ID"/>
        </ProfileConfiguration>
        <!-- The MEX and STS profiles take no further attributes in this example. -->
        <ProfileConfiguration xsi:type="icard:InfocardMexProfile"/>
        <ProfileConfiguration xsi:type="icard:InfocardSTS1Profile"/>
        <ProfileConfiguration xsi:type="icard:InfocardSTS2Profile"/>
    </RelyingParty>

login.config

Add a stanza for your authentication method, for example:

// JAAS login entry for infocard user/password authentication.  The entry name is
// presumably what the IdP's STS side is configured to look up; this page does not show
// where it is referenced, so confirm the name against that configuration.
// "required" means this module must succeed for the login as a whole to succeed.
InfocardUserPassAuth {
  // Kerberos example; substitute the LoginModule that matches your credential store.
  com.sun.security.auth.module.Krb5LoginModule required;
};