CardSpace Interop
In preparation for the Catalyst June 27th Interop demonstration, the following tests (among many others!) were done.
Identity Providers
- http://wag.bandit-project.org Bandit's Wag Identity Provider
- https://higgins.eclipse.org/TokenService
- https://fugenmisp.federationportal.com (not working) FuGen MISP Test IP
- https://wwww.ibmidentitydemo.com IBM IdP (Add to hosts file: 165.228.160.239 www.ibmidentitydemo.com)
- https://lost.cac.washington.edu/icard/ Internet2/Shibboleth Identity Provider
- http://www.identityblog.com/humanpresent/humanauth.php IdentityBlog HumanPresent Identity Provider
- http://sts.labs.live.com/ Windows Live Labs Identity Provider
- https://www.pingidentitylabs.com Ping Identity Provider
- http://jpip.verisignlabs.com VeriSign Personal Identity Provider ("identity" card)
- http://jpip.verisignlabs.com VeriSign Personal Identity Provider ("account" card)
- https://sample.identity.wso2.org:9443/cards-download.html WSO2 Identity Provider (Add to hosts file: 192.168.101.201 sample.identity.wso2.org)
- http://xmldap.org/sts/cardmanager XMLDAP Identity Provider
Relying Party Sites
- https://woof.bandit-project.org Bandit RP Basic
- https://woof.bandit-project.org Bandit RP Advanced
- (not available) BMC RP
- (not available) CA RP
- https://socialphotos.federationportal.com FuGen SocialPhotos RP
- http://server1.interop.onr.com:8080/RelyingPartyDemoApp/index.jsp Higgins Relying Party
- (no longer available) https://www.ibmidentitydemo.com/ IBM Relying Party (Add to hosts file: 165.228.160.239 www.ibmidentitydemo.com in Catalyst interop room)
- https://lost.cac.washington.edu/icard/ Internet2 U of Washington
- http://www.identityblog.com/helloworld/infocard-demo.php IdentityBlog: HelloWorld Token Demo
- http://www.identityblog.com/sts/infocard-demo.php IdentityBlog: HumanPresent Relying Party
- http://sts.labs.live.com/register.aspx Windows Live Labs: Live Labs IdP Relying Party (Sign in link is at the top right, must have a passport account)
- http://relay.labs.live.com/download.aspx Windows Live Labs: Live Labs Managed Card Relying Party
- http://131.107.153.200/ Microsoft test site: Age STS Relying Party
- http://cardspace.textd.net/ Microsoft test site: Fabrikam Friends Relying Party using an EV certificate
- http://demo.netmesh.us/ (not active yet) NetMesh Relying Party
- http://pamelaproject.com/jostest PW-jos Joomla Plugin (16)
- http://pamelaproject.com/wptest PW-wp Wordpress Plugin (uses XHTML, changes content based on cameratype claim)
- http://interop.oracle.com/catalyst Oracle Relying Party
- https://www.pingidentitylabs.com Ping RP
- (not available) Sxip Access RP
- http://jpip.verisignlabs.com VeriSign RP
- https://ww2.wso2.org:3443/identity/ WSO2 Relying Party
- (no longer available) https://sample.identity.wso2.org:9443/javarp/ (Available only at Catalyst interop room) WSO2 Relying Party 2
- https://xmldap.org/relyingparty/ XMLDAP Relying Party
Test Results
Test #1: Importing an i-card
IdP/STS | H1(build 60, 2007-06-27)+ HBX(0.8.3.1) | H2 | H3 |
---|---|---|---|
Success | |||
1, 2 | Working | Working | Working |
4, 7 | ? | ? | Working |
5 | ? | Working | Working mostly (see failure below) |
6 | Not working (see failure below) | Working | Working |
9, 10 | Working | ? | ? |
11 | ? | ? | ? |
12 | Working | ? | Working mostly (see failure below) |
Failure | |||
3 | Unable to test: site not up | Cannot get managed card to view claims in ISS. They appear to use http instead of https which fails for all H2 test | |
5 | No, we hit an issue with an IdP that does not set the AppliesTo: in the card and thus is looking to the IA to do this, but it looks like RPPS is not doing this. So we will have cases at the interop where there are AppliesTo: in the card and cases where it's not, so we have to be able to pass it on if it's there and let the STS do the encryption, and the case where it's not there is where you will do the encryption. | ||
6 | Unable to test: H1 has no personal cards with which to sign in | ||
8 | Unable to test: this site doesn't appear to issue i-cards | ||
12 | "Failure: java.lang.RuntimeException: Could not process xml token org.eclipse.higgins.rp.server.impl.Login.doPost(Login.java:215) javax.servlet.http.HttpServlet.service(HttpServlet.java:710) javax.servlet.http.HttpServlet.service(HttpServlet.java:803)" |
Test #2: Signing in to RP site
IdP/STS | RP site | H1(build 60, 2007-06-27)+ HBX(0.8.3.1) | H2 | H3 |
---|---|---|---|---|
Success | ||||
1, 2, 16, 17, 24 | Working | Working | Working | |
5, 6 | Working | Working | ||
8, 10, 21 | Working | ? | ||
7 | ? | Working (Managed and Personal) | Working (Managed) | |
9 | ? | Working (Managed and Personal) | Working (Managed) | |
11 | ? | ? | ||
12 | ? | ? | ||
13 | ? | Fails (see below) | ||
22 | ? | Working | ||
Failure | ||||
5 | Fails | |||
6 | Fails, no XmlToken was supplied to the server | |||
11 | not attempted: requires sts.livelabs nickname in a personal card | |||
14 | A purple message box pops up saying "A problem occurred: Undefined" | Site doesn't recognize Higgins IA | ||
18 | Get error: "Authentication failed. The Oracle SSO authentication system has hit an error. Please try logging in again." | Not working, seems to be an Oracle issue | ||
19 | Does not recognize the Higgins IA | ? | ? | |
8 | Working with Higgins Managed card. Not working with a UW managed card: we hit an issue with an IdP that does not set the AppliesTo: in the card and thus is looking to the IA to do this, but it looks like RPPS is not doing this. So we will have cases at the interop where there are AppliesTo: in the card and cases where it's not, so we have to be able to pass it on if it's there and let the STS do the encryption, and the case where it's not there is where you will do the encryption. | |||
11 | Site does not recognize Higgins IA | |||
12 | Site does not recognize Higgins IA | |||
13 | Need DOB Claim, still not working even though Mike has added claim, the Higgins IA is not showing a matching card |
Test #3: (specific combinations of #1 and #2 above)
Steps
- Get m-card from IdP
- Import into IA
- Sign in to RP
IdP/STS | RP site | H1(build 60, 2007-06-27)+ HBX(0.8.3.1) | H2 | H3 |
---|---|---|---|---|
6 | 9 | Fails | ||
1 | 8 | Accepts any cards, doesn't recognize the issuer but does validate and print claims | ||
1 | 10 | ISS never comes up. | ||
1 | 12 | Got their card, appears to fail because they use http instead of https with their sts | ||
1 | 13 | Selector doesn't support RP STS yet | ||
1 | 14, 16, 17 | Managed card works | ||
1 | 15 | not active yet | ||
1 | 18, 19, 24 | Managed and personal card works | ||
1 | 20 | No errors reported at ISS but prompts for basic auth after infocard is submitted. | ||
1 | 21 | Not yet ready | ||
1 | 22, 23 | Must be tested from interop room | ||
2 | 1 | 1 2 | ||
2 | 2 | 1 2 | ||
2 | 6 | Fails. I tried to back a managed card with a personal card and get error 51968. Managed cards cannot be imphiggins.eclipse.org is listed as the issuer, but that is a non-existent site. | ||
5 | 8 | Accepts any cards. | ||
6 | 10 | works | ||
12 | 24 | Fails! |
Notes:
- import works. sign-in gets error: Error decrypting encrypted token
Known bugs
- If HBX displays an alert box "Alert:TypeError:soap.getRPPSService() has no properties", restart Firefox
Reference
- The "hosts" file is located in the %SystemRoot%\System32\Drivers\Etc folder on a Windows computer.