
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


Infocard Configuration

You have to configure the infocard profile and login handlers in handler.xml, and the infocard relying party in relying-party.xml.

If you want to permit Service Providers to request attributes beyond the eduPerson set, which is usually the case, those attributes must also be defined in your attribute-resolver.xml.

Create an SP entity.

Add to one of your local metadata files:

   <!-- SP entity that represents the infocard relying party. The entityID below is
        referenced again as the relyingParty attribute of the infocard ProfileHandlers
        in handler.xml and as the RelyingParty id in relying-party.xml; all three must
        carry exactly the same value. -->
   <EntityDescriptor entityID="urn:mace:shibboleth:2.0:infocard"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Both SAML 2.0 and SAML 1.1 are listed. The line break inside the attribute
           value is legal: attribute-value normalization turns it into a single space. -->
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
                urn:oasis:names:tc:SAML:1.1:protocol">
           <!-- This tells IdPs that you only need transient identifiers. -->
           <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
           <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
           <!-- NOTE(review): no KeyDescriptor is declared for this entity, so no signing or
                encryption key can be looked up from this metadata; confirm whether the
                infocard profiles need one before relying on metadata-based key lookup. -->
         </SPSSODescriptor>

        <!-- Placeholder values below; replace "(some name)", "your name" etc. with
             your own. The comment on the element is for the metadata reader only and
             is not used by the IdP at runtime. -->
        <Organization>
                <OrganizationName xml:lang="en">(some name)</OrganizationName>
                <OrganizationDisplayName xml:lang="en">(some display name)</OrganizationDisplayName>
                <OrganizationURL xml:lang="en">(some URL)</OrganizationURL>
        </Organization>
        <ContactPerson contactType="technical">
                <SurName>your name</SurName>
                <EmailAddress>your address</EmailAddress>

        </ContactPerson>
     </EntityDescriptor>

Configure profile handlers.

handler.xml:

Add this namespace definition:

xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard"

Add this namespace/schema pair to the xsi:schemaLocation attribute:

urn:mace:shibboleth:2.0:idp:infocard classpath:/schema/infocard.xsd

Add these ProfileHandler endpoints:

<!-- Infocard profile handlers -->
<!-- Every handler except InfocardStatus is bound to the infocard relying party through
     relyingParty="urn:mace:shibboleth:2.0:infocard". That value must equal the entityID
     of the SP metadata entry and the RelyingParty id in relying-party.xml. The xsi and
     icard prefixes are expected to be declared on the root element of handler.xml. -->

    <ProfileHandler xsi:type="icard:InfocardStatus">
        <RequestPath>/infocard/status</RequestPath>
    </ProfileHandler>

    <!-- the '.crd' path is needed for some IS to identify the content as a card -->
    <!-- "IS" presumably refers to the identity selector (the card client); confirm.
         Replace your_name in the second path with the file name the card should be
         served under; the first path serves the same content without the suffix. -->
    <ProfileHandler xsi:type="icard:InfocardCard" relyingParty="urn:mace:shibboleth:2.0:infocard">
      <RequestPath>/infocard/card</RequestPath>
      <RequestPath>/infocard/card/your_name.crd</RequestPath>
    </ProfileHandler>

    <!-- Three InfocardMex handlers of the same type, differing only in path. The plain
         /infocard/mex path is the one referenced by mexAddress in relying-party.xml.
         NOTE(review): the pw and pc suffixes are not explained on this page; they
         presumably select the password and personal-card authentication variants,
         verify against the profile handler documentation. -->
    <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/mex</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/mex/pw</RequestPath>
    </ProfileHandler>

    <ProfileHandler xsi:type="icard:InfocardMex" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/mex/pc</RequestPath>
    </ProfileHandler>

    <!-- Security token service endpoint; referenced by stsAddress in relying-party.xml. -->
    <ProfileHandler xsi:type="icard:InfocardSTS" relyingParty="urn:mace:shibboleth:2.0:infocard">
        <RequestPath>/infocard/sts</RequestPath>
    </ProfileHandler>

Configure the infocard relying party.

relying-party.xml:

Add this namespace definition:

xmlns:icard="urn:mace:shibboleth:2.0:idp:infocard-rp"

Add this namespace/schema pair to the xsi:schemaLocation attribute:

urn:mace:shibboleth:2.0:idp:infocard-rp classpath:/schema/infocard-rp.xsd

Define the infocard relying party. By convention, a claim URI is formed as "namespace/attribute", so the claim definitions can be rather long.

The signing credential referenced by defaultSigningCredentialRef must be the same credential your web server uses on its browser-facing port.

<!-- Relying party for the infocard profiles. The id must equal the entityID of the SP
     metadata entry and the relyingParty attribute on the infocard ProfileHandlers in
     handler.xml. The xsi and icard prefixes are expected to be declared on the root
     element of relying-party.xml. -->
<RelyingParty id="urn:mace:shibboleth:2.0:infocard"
                  provider="your_provider_id"
                  defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
                  defaultSigningCredentialRef="some_credential">
        <!-- provider: placeholder for the IdP's own identifier.
             defaultSigningCredentialRef: must name the credential your web server uses
             on its browser-facing port (see the text above this snippet).
             cardId: the {0} looks like a substitution placeholder; confirm what is
             substituted before choosing the prefix.
             mexAddress / stsAddress: the path component after /idp/profile must match
             the InfocardMex (/infocard/mex) and InfocardSTS (/infocard/sts) RequestPaths
             configured in handler.xml. -->
        <ProfileConfiguration xsi:type="icard:InfocardCardProfile"
                 cardName="some_name" cardId="some_id:{0}" cardVersion="1"
                 imageGenerator="path_to_your_image_generator"
                 mexAddress="https://your_server/idp/profile/infocard/mex"
                 stsAddress="https://your_server/idp/profile/infocard/sts"
                 privacyNotice="https://your_server/path_to_privacynotice">

           <!-- JDBC configuration for the "managed card backed by personal card" auth method -->
              <!-- postgres example -->
           <!-- jdbcPassword is a placeholder. The real database password is stored in
                cleartext in relying-party.xml, so restrict read access to this file to
                the account the IdP runs as, and give the database user only the rights
                the card store needs. -->
           <icard:JDBCConnection jdbcDriver="org.postgresql.Driver"
            poolAcquireRetryAttempts="1" poolAcquireRetryDelay="1" poolBreakAfterAcquireFailure="false"
            jdbcURL="jdbc:postgresql://localhost/personalcards"
            jdbcUserName="shib" jdbcPassword="whatever" />

           <!-- edu person examples -->
           <!-- Each uri is "attribute namespace/attribute name". Only attributes that
                the attribute-resolver can produce are useful here; the displayName
                values (e.g. "UW NetID") are site-specific examples to replace. -->
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonAffiliation" displayName="Affiliation"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonScopedAffiliation" displayName="Affiliation"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonPrincipalName" displayName="UW NetID"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonEntitlement" displayName="Entitlement"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:givenName" displayName="Given name"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:surname" displayName="Surname"/>
           <icard:SupportedClaim uri="urn:mace:shibboleth:1.0:attributeNamespace:uri/urn:mace:dir:attribute-def:eduPersonTargetedID" displayName="Targeted ID"/>
           <!-- MS attr examples -->
           <!-- Claims under the schemas.xmlsoap.org identity namespace use the full URI
                as given; no Shibboleth attribute-namespace prefix is prepended. -->
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" displayName="Given name"/>
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" displayName="Surname"/>
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" displayName="Email"/>
           <icard:SupportedClaim uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" displayName="Private ID"/>
        </ProfileConfiguration>
        <!-- The remaining profiles take no attributes here; their behaviour is fixed by
             the profile type. -->
        <ProfileConfiguration xsi:type="icard:InfocardMexProfile"/>
        <ProfileConfiguration xsi:type="icard:InfocardSTS1Profile"/>
        <ProfileConfiguration xsi:type="icard:InfocardSTS2Profile"/>
    </RelyingParty>

login.config

Add a login stanza for your authentication method, for example:

// Login stanza for the infocard username/password authentication. NOTE(review): the
// stanza name is presumably what the IdP's infocard login handler looks up; confirm
// it against the handler configuration before changing it.
InfocardUserPassAuth {
  // Kerberos example; substitute the login module your site actually authenticates with.
  com.sun.security.auth.module.Krb5LoginModule required;
};