The Shibboleth 2.0 SP Infocard plugin adds a session initiator and assertion consumer service to support Information Card login.
Session Initiator
An infocard login is triggered by the submission of a form containing either an application/x-informationcard object or an ic:informationCard XHTML element. This form also identifies all attributes that are required or optional. The plugin's configuration requires specification of a page template for this form. It can be set to auto-submit. For example:
    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <head>
        <title>Shibboleth InfoCard login request</title>
      </head>
      <body onload="document.forms[0].submit()">
        . . .
        <form method="post" action="<shibmlp action_target/>">
          <shibmlpif wctx>
            <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
          </shibmlpif>
          <ic:informationCard name="xmlToken"
                              style="behavior:url(#default#informationCard)"
                              tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
            <ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
          </ic:informationCard>
          <noscript>
            <div>
              <input type="submit" value="Continue"/>
            </div>
          </noscript>
        </form>
      </body>
    </html>
A session initiator element for infocard might look like:
    <!-- InfoCard service. -->
    <SessionInitiator type="InfoCard" template="/usr/local/shib-R20/etc/shibboleth/infocard1.html"/>
- The initiator's id attribute can be referenced by a .htaccess or Location Apache configuration ShibRequireSessionWith directive to request infocard login.
Assertion Consumer Service
The target of the posted login form is the infocard plugin's assertion consumer service, configured:
    <!-- InfoCard consumer -->
    <md:AssertionConsumerService Location="/SAML/InfoCard" index="5" Binding="InformationCard"/>
The assertion consumer:
- Decrypts the assertion, which has been encrypted with the public key of one of the SP's certificates.
- Verifies the assertion's signature.
- Finds the relying party's metadata from the assertion's signature.
- Extracts the attributes and filters them with the SP's AAP.
- Builds a session.
- Returns to the original URL that initiated the login.
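The following added example (not part of the plugin or the Shibboleth project) ties the login form template above to the attribute step of the assertion consumer: it expands the template's <shibmlp .../> and <shibmlpif ...> macros, reads the required/optional claims from the ic:informationCard element, and checks a decoded assertion's attributes against them. The macro expansion rules, the trimmed template and the sample attribute values are assumptions constructed for this example; the real SP applies its AAP on top of this check.

```python
import re
import xml.etree.ElementTree as ET

IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"

# Constructed sample: a trimmed copy of the infocard1.html template shown above.
TEMPLATE = """<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="%s">
<body onload="document.forms[0].submit()">
<form method="post" action="<shibmlp action_target/>">
<shibmlpif wctx><input type="hidden" name="wctx" value="<shibmlp wctx/>"/></shibmlpif>
<ic:informationCard name="xmlToken" tokenType="urn:oasis:names:tc:SAML:1.0:assertion">
<ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
<ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="true"/>
<ic:add claimType="urn:mace:dir:attribute-def:eduPersonAffiliation" optional="true"/>
</ic:informationCard>
</form></body></html>""" % IC_NS


def render_template(template, params):
    """Expand <shibmlp name/> and <shibmlpif name>...</shibmlpif>.
    Assumed semantics: a placeholder becomes the parameter value and a
    conditional block is kept only when the parameter is present."""
    def cond(m):
        return m.group(2) if params.get(m.group(1)) else ""
    out = re.sub(r"<shibmlpif (\w+)>(.*?)</shibmlpif>", cond, template, flags=re.S)
    return re.sub(r"<shibmlp (\w+)/>", lambda m: params.get(m.group(1), ""), out)


def claims_from_form(xhtml):
    """Return {claimType: required?} taken from the ic:informationCard element."""
    root = ET.fromstring(xhtml)
    card = root.find(".//{%s}informationCard" % IC_NS)
    return {a.get("claimType"): a.get("optional", "true") == "false"
            for a in card.findall("{%s}add" % IC_NS)}


def check_attributes(claims, attributes):
    """Apply the form's contract to a decrypted, signature-verified assertion:
    a missing required claim aborts the login; claims the form never asked
    for are dropped before the SP's AAP filtering runs."""
    missing = [c for c, req in claims.items() if req and c not in attributes]
    if missing:
        raise ValueError("missing required claims: %s" % ", ".join(missing))
    return {c: v for c, v in attributes.items() if c in claims}
```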