IPhone Selector 1.1
Revision as of 14:32, 18 June 2009
Introduction
This solution consists of two projects:
- I-Card Selector (org.eclipse.higgins.iphone.icm) - This is a standalone iPhone application that can be launched both from the iPhone main menu and from a relying party website.
- I-Card Plug-In (org.eclipse.higgins.iphone.ics) - This is an experimental MobileSafari plug-in that can be launched from a relying party website without leaving the browser.
These two components share common configuration settings but are otherwise independent from each other, i.e. you can choose to install just one or both. Both components use the remote I-Card Service Web App for retrieving and managing the user's i-cards.
End-User Perspective
I-Card Selector
The I-Card Selector allows users to manage, preview and delete i-cards, as well as to select and use them at relying parties.
This component only works at relying parties that explicitly support it. See the Relying Parties section of this page for more information.
I-Card Plug-In
The I-Card Plug-In is triggered in the browser by relying party web sites that request i-cards, as well as by identity providers that offer i-cards.
This component does not require any special relying parties or identity providers and typically works wherever other i-card selectors work too.
Deployer Perspective
I-Card Selector
There are three ways of installing the I-Card Selector on your iPhone.
Via App Store
This is the preferred and simplest installation method. The application can be found in the Apple App Store under the name I-Card Manager.
After installation it is initialized with a demo account that contains a few example i-cards. If you have your own i-card account, you can configure the I-Card Selector to use it via the iPhone Settings application.
Via Ad Hoc Method
This is an installation method that involves connecting your iPhone to your PC/Mac and transferring the application via iTunes.
First, you need to download two files:
- The application
- A provisioning profile
Manual Installation
This method requires SSH and SCP access to your iPhone as well as some advanced technical knowledge. The steps below write to a system directory and change file ownership to root, so they must be run with root privileges on the device.
- mkdir the directory /Application/ICardSelector.app/ on your iPhone
- scp and unzip the file icm.tgz from the org.eclipse.higgins.iphone.icm project into that directory
- chown root:admin * in that directory
- reboot the iPhone
I-Card Plug-In
There is currently just one way of installing the I-Card Plug-In on your iPhone.
Manual Installation
This method requires SSH and SCP access to your iPhone as well as some advanced technical knowledge. The steps below write into /System/Library and change file ownership to root, so they must be run with root privileges on the device.
- mkdir the directory /System/Library/Internet Plug-Ins/HigginsSelector.webplugin/ on your iPhone
- scp and unzip the file ics.tgz from the org.eclipse.higgins.iphone.ics project into that directory
- chown root:wheel * in that directory
- reboot the iPhone
TODO: Update this.
You need to do the following before either the I-Card Selector or the I-Card Plug-In will work.
- scp the file org.eclipse.higgins.iphoneselector.ICardManager.plist from the org.eclipse.higgins.iphone.icm project into the directory /private/var/mobile/Library/Preferences/
- chown mobile:mobile that file (it holds the I-Card Service password in the clear, so it must not be readable by anyone but the mobile user)
- unless you want to use the demo account, fill in your own
- I-Card Service URL
- I-Card Service Username
- I-Card Service Password
- reboot the iPhone
You also need an account on a Higgins I-Card Service Web App.
Developer Perspective
Architecture
The I-Card Selector is a standalone iPhone application.
This sequence diagram illustrates a typical flow when the I-Card Selector is launched from a web page:
The I-Card Plug-In is a WebKit plugin for MobileSafari.
Both components are written in Objective C.
Building
The projects are:
- nursery/org.eclipse.higgins.iphone.icm
- nursery/org.eclipse.higgins.iphone.ics
These projects can be checked out from the Eclipse repository at the following SVN URIs:
In order to build the I-Card Selector and the I-Card Plug-In, you need the following:
- A Mac computer
- The Apple iPhone SDK (including Xcode)
- An account with Apple's iPhone Developer Program
You should be able to build both projects normally from within Xcode.
Relying Parties
This section describes how relying party websites can use the iPhone I-Card Selector and I-Card Plug-In.
I-Card Selector
The I-Card Selector does NOT recognize the usual <object> tag in i-card relying party websites. Therefore it requires a web page to support the following alternative selector invocation mechanism:
If a web page wishes to accept a security token, it needs to construct a special HTML link whose URI contains
- A custom uri scheme (either icard-http:// or icard-https://)
- An absolute target address where the web page wants to receive the security token
- A policy in the form of the usual <object> tag as a parameter named _policy in the query string
URI Format:
icard-http(s)://www.mysite.com/relyingparty?_policy=%3Cobject.....
Example HTML code for invoking a selector in the usual way:
<form method='post' action='http://xmldap.org/relyingparty/infocard' enctype='application/x-www-form-urlencoded'>
  <object type="application/x-informationcard" name="xmlToken">
    <param name="privacyUrl" value="http://xmldap.org/relyingparty/?privacy.txt"/>
    <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
    <param name="optionalClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"/>
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
    <param name="privacyVersion" value="1"/>
  </object>
  <input type="submit" value="Click here to send an i-card">
</form>
Corresponding HTML code for invoking the selector in the iPhone way:
<a href="icard-https://xmldap.org/relyingparty/infocard?_policy=%3Cobject+type%3D%22application%2Fx-informationcard%22+name%3D%22xmlToken%22%3E%3Cparam+name%3D%22privacyUrl%22+value%3D%22http%3A%2F%2Fxmldap.org%2Frelyingparty%2F%3Fprivacy.txt%22%2F%3E%3Cparam+name%3D%22requiredClaims%22+value%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fprivatepersonalidentifier+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fgivenname+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fsurname+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Femailaddress%22%2F%3E%3Cparam+name%3D%22optionalClaims%22+value%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fstreetaddress+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Flocality+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fstateorprovince+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fpostalcode+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fcountry+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fhomephone+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fotherphone+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fmobilephone+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fdateofbirth+http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%2Fgender%22%2F%3E%3Cparam+name%3D%22tokenType%22+value%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%22%2F%3E%3Cparam+name%3D%22privacyVersion%22+value%3D%221%22%2F%3E%3C%2Fobject%3E">
  Click here to send an i-card
</a>
The good news is that the I-Card Selector sends the security token in the same manner as other selectors do. Therefore a relying party only needs special code where it invokes the I-Card Selector, NOT where it reads and processes the security token. Note that the target address travels inside the link itself, so the link, not the page that hosts it, decides where the token is posted; relying parties should use the icard-https scheme so that the token is not sent back over plain HTTP.
The I-Card Selector currently does NOT provide a way to import a new i-card into the user's account.
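The following is an added example, not code from the Higgins project: it builds the icard-http(s):// invocation link on the relying-party side from a policy description, and shows how a selector would take such a link apart, check it, and form the POST it sends back. Two things are assumed rather than stated on the page: that icard-https maps to an https:// target address (and icard-http to http://), and that the token is posted as the form field named by the <object> tag's name attribute, which is what the <form> version above does. The target URL and the sample policy are constructed from the page's own example.

```javascript
// Added example (not Higgins project code). Assumed: icard-https -> https://
// target, and the token is posted in the form field named by <object name=...>.

// --- Relying-party side ---------------------------------------------------

// Serialise a policy description into the usual <object> markup.
function buildPolicyObject(policy) {
  const param = (name, value) => `<param name="${name}" value="${value}"/>`;
  const parts = [
    `<object type="application/x-informationcard" name="${policy.name}">`,
    param('privacyUrl', policy.privacyUrl),
    param('requiredClaims', policy.requiredClaims.join(' ')),
  ];
  if (policy.optionalClaims && policy.optionalClaims.length > 0) {
    parts.push(param('optionalClaims', policy.optionalClaims.join(' ')));
  }
  parts.push(param('tokenType', policy.tokenType));
  parts.push(param('privacyVersion', String(policy.privacyVersion)));
  parts.push('</object>');
  return parts.join('');
}

// Wrap the absolute target address and the policy in the iPhone-style link.
function buildSelectorLink(targetUrl, policy) {
  const target = new URL(targetUrl);
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    throw new Error('target must be an absolute http(s) URL');
  }
  if (target.search || target.hash) {
    // The link's query string is reserved for _policy; keep the target clean.
    throw new Error('target must not carry its own query string or fragment');
  }
  const scheme = target.protocol === 'https:' ? 'icard-https' : 'icard-http';
  // URLSearchParams uses application/x-www-form-urlencoded (space -> '+',
  // everything else percent-encoded), the encoding visible in the page's link.
  const query = new URLSearchParams({ _policy: buildPolicyObject(policy) });
  return `${scheme}://${target.host}${target.pathname}?${query.toString()}`;
}

// --- Selector side --------------------------------------------------------

const LINK_RE = /^(icard-https?):\/\/([^\/?#]+)(\/[^?#]*)?\?([^#]*)$/;
const OBJECT_RE = /<object\s+type="application\/x-informationcard"\s+name="([^"]+)"\s*>([\s\S]*?)<\/object>/;
const PARAM_RE = /<param\s+name="([^"]+)"\s+value="([^"]*)"\s*\/>/g;

// Take the link apart. The link alone decides where the token will be posted,
// so a selector should show `host` to the user and refuse plain http by default.
function parseSelectorLink(link, { allowPlainHttp = false } = {}) {
  const m = LINK_RE.exec(link);
  if (!m) throw new Error('not an icard-http(s) selector link');
  const [, scheme, host, path = '/', query] = m;
  if (scheme === 'icard-http' && !allowPlainHttp) {
    throw new Error('refusing to send a security token over plain http');
  }
  const policyHtml = new URLSearchParams(query).get('_policy');
  if (!policyHtml) throw new Error('link carries no _policy parameter');
  const obj = OBJECT_RE.exec(policyHtml);
  if (!obj) throw new Error('_policy is not an application/x-informationcard object');
  const params = {};
  for (const p of obj[2].matchAll(PARAM_RE)) params[p[1]] = p[2];
  const claims = (s) => (s || '').split(/\s+/).filter(Boolean);
  return {
    target: `${scheme === 'icard-https' ? 'https' : 'http'}://${host}${path}`,
    host,
    fieldName: obj[1],
    privacyUrl: params.privacyUrl,
    privacyVersion: params.privacyVersion,
    requiredClaims: claims(params.requiredClaims),
    optionalClaims: claims(params.optionalClaims),
    tokenType: params.tokenType,
  };
}

// After the user has picked a card: the form-encoded POST body sent to
// `target`, the same shape a browser submits from the <form> version.
function buildTokenPostBody(parsed, securityToken) {
  return new URLSearchParams({ [parsed.fieldName]: securityToken }).toString();
}
```

A relying party that already renders the <object> tag can feed the same policy values to buildSelectorLink and emit the result as the href of its iPhone link; the parse side is what a selector (or a test harness standing in for one) would run before showing the user which host is about to receive their token.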
I-Card Plug-In
The I-Card Plug-In does not require any special relying party code. It gets triggered by two events:
- The presence of an HTML <object> tag of type application/x-informationcard in a web page. This will first ask the user to select an i-card and then send a security token.
- The download of a .crd file. This will ask the user to import a new i-card into their account.
Therefore, the I-Card Plug-In should work wherever other selectors work too.