
Difference between revisions of "IPhone Selector 1.1"


Revision as of 20:08, 16 June 2009


Introduction

This solution consists of two projects:

  • I-Card Selector (org.eclipse.higgins.iphone.icm) - This is a standalone iPhone application that can be launched both from the iPhone main menu and from a relying party website.
  • I-Card Plug-In (org.eclipse.higgins.iphone.ics) - This is an experimental MobileSafari plug-in that can be launched from a relying party website without leaving the browser.

These two components share common configuration settings but are otherwise independent from each other, i.e. you can choose to install just one or both. Both components use the remote I-Card Service Web App for retrieving and managing the user's i-cards.

End-User Perspective

I-Card Selector

The I-Card Selector allows users to manage, preview and delete i-cards, as well as to select and use them at relying parties.

This component only works at relying parties that explicitly support it. See the Developer section of this page for more information.


I-Card Plug-In

The I-Card Plug-In is triggered in the browser by relying party web sites that request i-cards, as well as by identity providers that offer i-cards.

This component does not require any special relying parties or identity providers and typically works wherever other i-card selectors work too.


Deployer Perspective

I-Card Selector

There are three ways of installing the I-Card Selector on your iPhone.

Via App Store

This is the preferred method. TODO: Add instructions.

Via Ad Hoc Method

TODO: Add instructions.

Manual Installation

This method requires SSH and SCP access to your iPhone as well as some advanced technical knowledge.

  1. mkdir the directory /Application/ICardSelector.app/ on your iPhone
  2. scp and unzip the file icm.tgz from the org.eclipse.higgins.iphone.icm project into that directory
  3. chown root:admin * in that directory
  4. reboot the iPhone

I-Card Plug-In

There is currently just one way of installing the I-Card Plug-In on your iPhone.

Manual Installation

This method requires SSH and SCP access to your iPhone as well as some advanced technical knowledge.

  1. mkdir the directory /System/Library/Internet Plug-Ins/HigginsSelector.webplugin/ on your iPhone
  2. scp and unzip the file ics.tgz from the org.eclipse.higgins.iphone.ics project into that directory
  3. chown root:wheel * in that directory
  4. reboot the iPhone

TODO: Update this.

You need to do the following before either the I-Card Selector or the I-Card Plug-In will work.

  1. scp the file org.eclipse.higgins.iphoneselector.ICardManager.plist from the org.eclipse.higgins.iphone.icm project into the directory /private/var/mobile/Library/Preferences/
  2. chown mobile:mobile that file
  3. unless you want to use the demo account, fill in your own
    1. I-Card Service URL
    2. I-Card Service Username
    3. I-Card Service Password
  4. reboot the iPhone

You also need an account on a Higgins I-Card Service Web App.

Developer Perspective

Architecture

The I-Card Selector is a standalone application.

The I-Card Plug-In is a WebKit plugin for MobileSafari.

Both components are written in Objective C.

Building

The projects are:

  • nursery/org.eclipse.higgins.iphone.icm
  • nursery/org.eclipse.higgins.iphone.ics

These projects can be checked out from the Eclipse repository at the following SVN URIs:

https://dev.eclipse.org/svnroot/technology/org.eclipse.higgins/trunk/nursery/org.eclipse.higgins.iphone.icm
https://dev.eclipse.org/svnroot/technology/org.eclipse.higgins/trunk/nursery/org.eclipse.higgins.iphone.ics

In order to build the iPhone Selector and I-Card Manager, you need the following:

  • A Mac computer
  • The Apple iPhone SDK (including Xcode)
  • An account with Apple's iPhone Developer Program

You should be able to build both projects normally from within Xcode.

Relying Parties

This section describes how relying party websites can use the iPhone I-Card Selector and I-Card Plug-In.

I-Card Selector

The I-Card Selector does NOT recognize the usual <object> tag in i-card relying party websites. Therefore it requires a web page to support the following alternative selector invocation mechanism:

If a web page wishes to accept a security token, it needs to construct a special HTML link whose URI contains:

  • A custom URI scheme (either icard-http:// or icard-https://)
  • An absolute target address where the web page wants to receive the security token
  • A policy in the form of the usual <object> tag as a parameter named _policy in the URI's query string

Form of the constructed URI:

icard-http(s)://www.mysite.com/relyingparty?_policy=%3Cobject.....

Example HTML code for invoking a selector in the usual way:

<form method='post' action='http://xmldap.org/relyingparty/infocard' enctype='application/x-www-form-urlencoded'>
    <object type="application/x-informationcard" name="xmlToken">
        <param name="privacyUrl" value="http://xmldap.org/relyingparty/?privacy.txt"/>
        <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
        <param name="optionalClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"/>
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
        <param name="privacyVersion" value="1"/>
    </object>
</form>

Corresponding HTML code for invoking the selector in the iPhone way:

icard-https://xmldap.org/relyingparty/infocard?_policy=%3Cobject+type%3D%22application%2Fx-informationcard%22+name%3D%22xmlToken%22%3E%3Cparam+name%3D%22privacyUrl%22+value%3D%22http%3A%2F%2Fxmldap.org%2Frelyingparty%2F%3Fprivacy.txt%22%2F%3E%3Cparam+name%3D%22requiredClaims%22+value%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fprivatepersonalidentifier+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fgivenname+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fsurname+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Femailaddress%22%2F%3E%3Cparam+name%3D%22optionalClaims%22+value%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fstreetaddress+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Flocality+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fstateorprovince+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fpostalcode+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fcountry+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fhomephone+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fotherphone+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fmobilephone+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fdateofbirth+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fgender%22%2F%3E%3Cparam+name%3D%22tokenType%22+value%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%22%2F%3E%3Cparam+name%3D%22privacyVersion%22+value%3D%221%22%2F%3E%3C%2Fobject%3E

The good news is that the I-Card Selector will send the security token in the same manner as other selectors do. Therefore a relying party only needs special code where it invokes the I-Card Selector, NOT where it reads and processes the security token.
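As an added example (not code from the Higgins project), the following JavaScript builds an icard-http(s):// link from a relying party endpoint and its <object> policy exactly as described above, and shows the reverse check a receiving side can make before trusting the link. The endpoint, the trimmed policy and the helper names are constructed for this example; the mapping of http/https to icard-http/icard-https follows the page's own example.

```javascript
// Added example, not code from the Higgins project: build the icard-http(s)://
// link described above and check one on the receiving side. The target URL and
// the policy markup below are constructed sample values.

// Constructed sample policy: the usual <object> tag, trimmed to a few claims.
const SAMPLE_POLICY =
  '<object type="application/x-informationcard" name="xmlToken">' +
  '<param name="privacyUrl" value="http://xmldap.org/relyingparty/?privacy.txt"/>' +
  '<param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname ' +
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>' +
  '<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>' +
  '</object>';

// Build the selector link: the target must be an absolute http(s) URL, the
// scheme gets the "icard-" prefix, and the policy goes form-urlencoded into
// the _policy query parameter (URLSearchParams encodes spaces as "+" and
// "/" as "%2F", which matches the encoded example on this page).
function buildICardLink(targetUrl, policyHtml) {
  const u = new URL(targetUrl); // throws on a relative address
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("target must be an absolute http(s) URL");
  }
  const qs = new URLSearchParams(u.search);
  qs.set("_policy", policyHtml);
  return "icard-" + u.protocol + "//" + u.host + u.pathname + "?" + qs.toString();
}

// Inverse, as a receiving side would do it: map the custom scheme back to
// http(s), recover the policy, and accept only an information card <object>.
function parseICardLink(link) {
  const m = /^icard-(https?):\/\/(.*)$/.exec(link);
  if (!m) throw new Error("not an icard-http(s) link");
  const u = new URL(m[1] + "://" + m[2]);
  const policy = u.searchParams.get("_policy");
  if (policy === null) throw new Error("missing _policy parameter");
  if (!/^<object\s[^>]*type=["']application\/x-informationcard["']/i.test(policy)) {
    throw new Error("_policy is not an application/x-informationcard <object> tag");
  }
  u.searchParams.delete("_policy");
  const rest = u.searchParams.toString();
  return { target: u.origin + u.pathname + (rest ? "?" + rest : ""), policy };
}

console.log(buildICardLink("https://xmldap.org/relyingparty/infocard", SAMPLE_POLICY));
```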

The I-Card Selector currently does NOT provide a way to import a new i-card into the user's account.

I-Card Plug-In

The I-Card Plug-In does not require any special relying party code. It gets triggered by two events:

  • The presence of an HTML <object> tag of type application/x-informationcard in a web page. This will first ask the user to select an i-card and then send a security token.
  • The download of a .crd file. This will ask the user to import a new i-card into their account.

Therefore, the I-Card Plug-In should work wherever other selectors work too.
