Invoking Identity Selector
Finally managed to invoke the identity selector and retrieve xmlToken.
Per the docs, these are the steps to infocard-enable your web application:
- Add the following tag to your HTML (or .aspx or .jsp) page.
- Enable SSL for your server (I implemented it on IIS as well as Jetty. There are several docs available on the internet to explain the SSL enablement. Drop me a mail if you need details.)
- The client machine should meet the following conditions:
  - WinXP SP2
  - WinFX
  - IE 7 Beta (Apparently build 5296 is the only one that works).
Once the above conditions are met, submitting the form on the page should invoke the identity selector.
Except… it didn’t.
I used Java Keytool to generate a certificate and SSL-enable my server. And that just doesn’t seem to do the trick. Surfing around, I know others (e.g. Rohan) had similar issues.
I eventually got a cert from a trusted third party (instead of using a self-issued one) and all seems to work fine. Not sure if I messed up in my initial cert installation (I did load it up in every store possible) or if it really needs a third-party cert.
Once that was working, I got the xmlToken. It looks like this:
Next step: pass the xmlToken to an STS and get the user data.
In my experience, it does require a cert with a trusted root – self issued certs don’t seem to do the trick at all. A reasonable requirement given its deployment and use-cases, although it would be nice to support self-signed for testing and development purposes.
I posted an overview on how to process the token on my blog if you’re interested: http://xmldap.blogspot.com/2006/03/how-to-consume-tokens-from-infocard.html
- cmort
Hi Ashish,
I ran into problems when using self signed certs too. But here’s the trick…
Use openssl to generate and sign the self-signed cert.
Do not use MD5RSA as the Signature Algorithm; use SHA1 instead.
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt
Then navigate to your HTTPS instance.
Install the cert in your “trusted root CA” list and “trust” it, i.e. click on the installed cert, then click on Advanced, check everything and save.
Rohan
Chuck and Rohan,
Thanks for the pointers. Let me check it out.
- Ashish.
Hi Ashish,
Here’s what I did to invoke the identity selector from my server using a self-signed cert.
openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt
Then I copied the server key and cert to my web server’s config directory.
cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/
Then changed the file access permissions:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
Made a test cert:
make testcert
Then created my server.pem file as follows:
cat /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt > /etc/httpd/conf/server.pem
Restarted the web server and all was good…
Remember to use sha1RSA as the Signature Algorithm and not md5RSA (which is the default). The Signature Algorithm was key.
I shall be cross-posting this on my blog, so others who stumble on it may also find it useful and save a few bucks by not having to buy a certificate from a “trusted” authority.
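Since both of Rohan's comments come down to one detail (the certificate must be signed with sha1RSA, not md5RSA), here is a small check for exactly that property. This is an added example, not code from the post or from any of the commenters. It walks the outer ASN.1 structure of a DER-encoded X.509 certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and reports the signature algorithm OID, so it works on a real certificate exported with `openssl x509 -in server.crt -outform DER`. The sample certificates at the bottom are constructed for the demo with a stub tbsCertificate (serial number plus AlgorithmIdentifier only, not a full TBSCertificate); only the outer structure matters for this check.

```python
import base64

# OIDs from the PKCS#1 arc (1.2.840.113549.1.1) for the RSA signature algorithms
# that matter here. md5WithRSAEncryption is the one the identity selector rejects.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this sub-identifier
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm field."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate entirely
    tag, alg_body, _ = _read_tlv(cert_body, pos)  # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_value, _ = _read_tlv(alg_body, 0)    # first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_value)


def check_signature_algorithm(cert_der):
    """Return (algorithm name, acceptable) where acceptable is False for md5RSA."""
    oid = signature_algorithm_oid(cert_der)
    return SIG_ALG_NAMES.get(oid, oid), oid != MD5_RSA_OID


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the body (for a server.crt file)."""
    body = "".join(l.strip() for l in pem_text.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


# --- Constructed sample certificates (demo data, not real certificates) ---

def _der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(sig_oid):
    """Build a minimal DER blob with the outer X.509 shape and a stub tbsCertificate."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)  # stub: serial=1 plus the signature field
    sig = _der(0x03, b"\x00" + b"\x00" * 16)      # BIT STRING placeholder, not a real signature
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (MD5_RSA_OID, "1.2.840.113549.1.1.5"):
        name, ok = check_signature_algorithm(constructed_cert(oid))
        print(f"{name}: {'ok' if ok else 'rejected (md5RSA)'}")
```

On a real deployment the input would be `pem_to_der(open("server.crt").read())`; a result of `("md5WithRSAEncryption", False)` is the case Rohan describes, and regenerating the certificate with `-sha1` (or a newer digest, where the relying party supports it) fixes it.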
Good work!
Keep up the outstanding work and thank you…