DACS_INFOCARD(8) | DACS Web Services Manual | DACS_INFOCARD(8) |
NAME
dacs_infocard - Information Card administration
SYNOPSIS
dacs_infocard [dacsoptions[1]]
DESCRIPTION
This program is part of the DACS suite.
The dacs_infocard web service is used:
Notes
Accounts are accessed through DACS's virtual filestore using item type infocards.
Note
The official nomenclature for claims can be confusing. In an attempt at consistency and simplification, the DACS documentation tries to adhere to the following definitions (with the stated compile-time limits):
Claim
Claim type
Claim URI prefix
Claim URI prefix abbreviation
Claim name
Claim value
OPTIONS
Web Service Arguments
In addition to the standard CGI arguments[11], dacs_infocard understands the following CGI arguments:
OPERATION
Delete the account associated with USERNAME. This effectively revokes the InfoCard; a self-issued InfoCard may be re-registered, but a managed InfoCard becomes unusable.
Note
The quickest way to delete all accounts is to delete the contents of the infocards item type; e.g., if infocards points to a file, remove the file or copy /dev/null to it.
Disable the account associated with USERNAME. InfoCard-based authentication on this account will fail; this revokes the InfoCard, but in a reversible way. The request is successful if the account is already disabled.
Enable the existing account associated with USERNAME. InfoCard-based authentication on this account will be possible. The request is successful if the account is already enabled.
List all accounts.
Register or re-register the submitted InfoCard. Exactly one set of credentials must accompany the request, and if registration is successful, the submitted InfoCard becomes associated with that identity.
If the submitted token is valid, display each claim (attribute) value associated with the ATTRLIST argument, which consists of zero or more claim names separated by a space. If ATTRLIST is absent or the empty string, all claims in the token are displayed (note that this is not necessarily all of the claims associated with the InfoCard). If any requested claim is not found, the request is ignored (i.e., it is not an error). The privatepersonalidentifier claim is displayed in the friendly identifier syntax rather than as a base-64 encoded string. The InfoCard (self-issued or managed) does not need to be registered at the jurisdiction.
Three syntaxes are recognized for a claim name. The first is a predefined name: some claims are "predefined" in that they are available in any valid token, namely issuer, confirm_method, ppid (or privatepersonalidentifier), exponent (self-issued only), and modulus (self-issued only). The second syntax is the full claim URI (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage). The third syntax uses the DACS shorthand: the word "standard" or "dacs", a colon, and the claim name (e.g., standard:webpage). The token is searched for each claim in the ATTRLIST other than the predefined ones.
Note
Only the full URI syntax can be used to identify claims in an HTML OBJECT's requiredClaims and optionalClaims param tags.
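As an added illustration (not DACS's own code), the following Python resolves an ATTRLIST using the three claim-name syntaxes described above and selects the matching claims from a constructed token. The URI behind the "dacs:" prefix is not given on this page, so it is a labelled placeholder here.

```python
# Added example, not DACS source code: resolves an ATTRLIST the way the
# operation above describes and picks the matching claims out of a token.
# The "dacs:" claim URI prefix is not given on this page, so an obviously
# placeholder URI is assumed for it; the token itself is constructed.
STANDARD_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
DACS_PREFIX = "urn:placeholder:dacs-claim-prefix:"  # assumption, not DACS's real prefix

# Predefined claims are present in any valid token and are keyed here by
# their short names; "ppid" is an alias for "privatepersonalidentifier".
PREDEFINED = {
    "issuer": "issuer",
    "confirm_method": "confirm_method",
    "ppid": "privatepersonalidentifier",
    "privatepersonalidentifier": "privatepersonalidentifier",
    "exponent": "exponent",   # self-issued cards only
    "modulus": "modulus",     # self-issued cards only
}

def resolve_claim_name(name):
    """Map one ATTRLIST entry (predefined name, full URI, or
    standard:/dacs: shorthand) to the key used to look it up in a token."""
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name.startswith("standard:"):
        return STANDARD_PREFIX + name[len("standard:"):]
    if name.startswith("dacs:"):
        return DACS_PREFIX + name[len("dacs:"):]
    return name  # anything else is taken to be a full claim URI

def select_claims(token, attrlist=""):
    """Return the claims to display, in ATTRLIST order.  An absent or empty
    ATTRLIST means every claim in the token; a requested claim that the
    token lacks is skipped rather than treated as an error."""
    if not attrlist or not attrlist.split():
        return dict(token)
    shown = {}
    for name in attrlist.split():
        key = resolve_claim_name(name)
        if key in token:
            shown[key] = token[key]
    return shown

# Constructed token: the predefined claims plus two standard claims.
SAMPLE_TOKEN = {
    "issuer": "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self",
    "confirm_method": "holder-of-key",              # constructed value
    "privatepersonalidentifier": "ABCD-EFGH-IJKL",  # constructed value
    STANDARD_PREFIX + "webpage": "https://example.com/",
    STANDARD_PREFIX + "emailaddress": "user@example.com",
}
```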
Parse the submitted token and test whether it is valid.
xmlToken
AUXILIARY
FORMAT
USERNAME
For the DELETE, DISABLE, and ENABLE operations, the request must be submitted by the account's owner or the DACS administrator.
Here is an example of a form that might be used to register a self-issued InfoCard:
    <form name="reg_form" id="reg_form" method="post" action="/cgi-bin/dacs/dacs_infocard">
      <table>
        <tr><td>
          <img src="/infocards/ic_image.jpg" onClick="reg_form.submit()"/>
          <object type="application/x-informationCard" name="xmlToken">
            <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
            <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self">
            <param name="requiredClaims"
                   value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
            <param name="privacyUrl" value="https://example.com/infocards/privacy_statement.txt">
            <param name="privacyVersion" value="3">
          </object>
        </td></tr>
        <tr><td align="center">
          <input type="submit" name="infocard_register" value="Register" id="infocard_register" />
        </td><td> </td></tr>
      </table>
      <input type="hidden" name="OPERATION" value="REGISTER">
    </form>
FILES
dacs_infocard.css[14]
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
BUGS
The compile-time limits are fairly arbitrary and only exist to thwart abuse. It should probably be possible to specify them at run-time instead.
XML output is not available yet.
Registration of a self-issued InfoCard uses the card's PPID (Private Personal Identifier), which differs for a given InfoCard for different Relying Parties. The specification does not precisely define how two Relying Party endpoints are compared for equality, but if an identity selector decides that a jurisdiction's endpoint has changed (e.g., its domain name has been reconfigured), all self-issued InfoCards previously registered at the jurisdiction will become unusable until they are re-registered.
This functionality should be integrated with dacs_admin(8)[15].
SEE ALSO
dacsinfocard(1)[6], dacs.conf(5)[16], dacs_authenticate(8)[17], dacs_managed_infocard(8)[3], Using InfoCards With DACS[18]
AUTHOR
Distributed Systems Software (www.dss.ca[19])
COPYING
Copyright © 2003-2012 Distributed Systems Software. See the LICENSE[20] file that accompanies the distribution for licensing information.
NOTES
1. dacsoptions
2. local_infocard_authenticate
3. dacs_managed_infocard(8)
4. dacs_sts(8)
5. INFOCARD_TOKEN_DRIFT_SECS
6. dacsinfocard(1)
7. URI
8. claim types
9. xs:string
10. XML characters
11. standard CGI arguments
12. dacs(1)
13. dacs_passwd.dtd
14. dacs_infocard.css
15. dacs_admin(8)
16. dacs.conf(5)
17. dacs_authenticate(8)
18. Using InfoCards With DACS
19. www.dss.ca
20. LICENSE
08/23/2020 | DACS 1.4.40