The Shibboleth 2.0 SP Infocard plugin adds a session initiator and
assertion consumer service to support Information Card login.
Session Initiator
An infocard login is triggered by the submission of a form containing either an application/x-informationcard object or an ic:informationCard XHTML element. This form also identifies all attributes that are required or optional. The plugin's configuration requires specification of a page template for this form. It can be set to auto-submit. For example:
    <html xmlns="http://www.w3.org/1999/xhtml"
          xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <head>
        <title>Shibboleth InfoCard login request</title>
      </head>
      <body onload="document.forms[0].submit()">
        . . .
        <form method="post" action="<shibmlp action_target/>">
          <shibmlpif wctx>
            <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
          </shibmlpif>
          <ic:informationCard name="xmlToken"
                              style="behavior:url(#default#informationCard)"
                              tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
          </ic:informationCard>
          <noscript>
            <div>
              <input type="submit" value="Continue"/>
            </div>
          </noscript>
        </form>
      </body>
    </html>
A session initiator element for infocard might look like:
    <!-- InfoCard service. -->
    <SessionInitiator type="InfoCard" template="/usr/local/shib-R20/etc/shibboleth/infocard1.html"/>
- The initiator's id attribute can be referenced by a ShibRequireSessionWith directive in a .htaccess file or in a <Location> block of the Apache configuration to request infocard login.
Assertion Consumer Service
The target of the posted login form is the infocard plugin's assertion
consumer service, configured:
    <!-- InfoCard consumer -->
    <md:AssertionConsumerService Location="/SAML/InfoCard" index="5" Binding="InformationCard"/>
The assertion consumer:
- Decrypts the assertion, which has been encrypted with the public key of one of the SP's certificates.
- Verifies the assertion's signature.
- Finds the relying party's metadata from the assertion's signature.
- Extracts the attributes and filters them with the SP's AAP.
- Builds a session.
- Returns to the original URL that initiated the login.
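The following is an added illustration, not code from the Shibboleth SP or the plugin: it reads the required and optional claims from the ic:informationCard element of a login template like the one above, and then applies the attribute-filtering step to the claims released in a token, rejecting a token that lacks a required claim and dropping claims the form never asked for. The template fragment is constructed (the <shibmlp .../> macros are left out so it parses as XML), and the released-attribute dictionary stands in for what the consumer would extract after decryption and signature verification.

```python
import xml.etree.ElementTree as ET

IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"

# Constructed template fragment mirroring the page's login form; the
# <shibmlp action_target/> macro is replaced by a literal action so the
# fragment is well-formed XML.
TEMPLATE = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
  <body>
    <form method="post" action="/SAML/InfoCard">
      <ic:informationCard name="xmlToken"
                          tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
      </ic:informationCard>
    </form>
  </body>
</html>"""


def requested_claims(template_xml):
    """Return (required, optional) sets of claim URIs from ic:informationCard."""
    root = ET.fromstring(template_xml)
    card = root.find(f".//{{{IC_NS}}}informationCard")
    if card is None:
        raise ValueError("template has no ic:informationCard element")
    required, optional = set(), set()
    for add in card.findall(f"{{{IC_NS}}}add"):
        claim = add.get("claimType")
        if claim is None:
            continue
        # optional defaults to false when the attribute is absent
        if add.get("optional", "false").lower() == "true":
            optional.add(claim)
        else:
            required.add(claim)
    return required, optional


def filter_attributes(released, required, optional):
    """Keep only claims the form asked for; fail if a required claim is missing."""
    missing = required - set(released)
    if missing:
        raise ValueError(f"token lacks required claims: {sorted(missing)}")
    allowed = required | optional
    return {name: values for name, values in released.items() if name in allowed}
```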