
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


Infocard Configuration

You have to add the extension module to the lists of extensions, add a session initiator for Infocard, configure an assertion consumer location, and provide a login form template.

You may have to add an attribute acceptance policy as well.

shibboleth2.xml.

Add the module to both the InProcess and OutOfProcess sections:

<OutOfProcess ...>
    <Extensions>
        <Library path="(shib-root)/lib/infocard/infocard.so" fatal="true"/>
    </Extensions>
</OutOfProcess>
<InProcess ...>
    <Extensions>
        <Library path="(shib-root)/lib/infocard/infocard-lite.so" fatal="true"/>
    </Extensions>
</InProcess>

Add a session initiator:

<SessionInitiator type="Chaining" Location="/SHIB/Infocard"
        id="Infocard" isDefault="false" relayState="cookie">
    <SessionInitiator type="Infocard" template="(shib-root)/etc/shibboleth/infocard.html"/>
</SessionInitiator>

Configure an assertion consumer service:

<md:AssertionConsumerService Location="/SAML/Infocard" index="7"
     Binding="urn:mace:shibboleth:2.0:infocard"/>

Define a login template

The login template, referenced in the session initiator, automatically submits a form that starts Infocard login. The form identifies the attributes you want from the IdP.
Here is an example that requests eduPerson attributes (infocard.html for the session initiator):

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
<head>
 <title>Shibboleth InfoCard login request</title>
</head>
<body onload="document.forms[0].submit()">

<h3>Shibboleth InfoCard login request</h3>

  <script type="text/javascript">
   <!--
    document.write("<p>You are automatically being redirected to the authentication service. ");
    document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
    document.write("the page before contacting the technical support staff in charge of the ");
    document.write("authentication service you are trying to access.</p>");
    document.write("<h2>Redirecting...</h2>");
    // -->
  </script>

  <noscript>
  <p>
  <strong>Note:</strong> Since your browser does not support JavaScript, you must press the
  Continue button once to proceed to the authentication service.
  </p>
  </noscript>


  <form method="post" action="<shibmlp action_target/>">
     <shibmlpif wctx>
        <input type="hidden" name="wctx" value="<shibmlp wctx/>"/>
     </shibmlpif>

     <!-- Specify either a SAML1 or SAML2 assertion in the tokenType attribute -->
     <!-- SAML1 alternative: tokenType="urn:oasis:names:tc:SAML:1.0:assertion" -->
     <ic:informationCard name="xmlToken"
         style="behavior:url(#default#informationCard)"
         <shibmlpif stsid>
           issuer="<shibmlp stsid/>"
         </shibmlpif>
         tokenType="urn:oasis:names:tc:SAML:2.0:assertion">

        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonPrincipalName" optional="false"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonEntitlement" optional="false"/>
        <ic:add claimType="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" optional="false"/>
      </ic:informationCard>
     <noscript>
       <div>
       <input type="submit" value="Continue"/>
       </div>
     </noscript>

    </form>

</body>
</html>