From 6e2a7d8225925fdf39face49bad34ef6d65563c9 Mon Sep 17 00:00:00 2001 From: Enrique de la Hoz <enrique.delahoz@uah.es> Date: Fri, 13 Feb 2009 16:37:42 +0000 Subject: [PATCH] Infocard module major update git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1270 44740490-163a-0410-bde0-09ae8108e29a --- .../config-template/config-login-infocard.php | 232 ++++++--- .../{logininfocard.php => dict-InfoCard.php} | 198 ++++++++ modules/InfoCard/docs/usage.txt | 5 +- .../InfoCard/extra/config-login-infocard.php | 174 ------- modules/InfoCard/extra/getinfocard.php | 198 -------- modules/InfoCard/extra/mex.php | 441 ------------------ modules/InfoCard/extra/tokenservice.php | 296 ------------ modules/InfoCard/lib/STS.php | 384 +++++++++++++++ .../templates/default/temp-getcardform.php | 70 +++ .../temp-login.php} | 17 +- modules/InfoCard/www/getcardform.php | 155 ++++++ modules/InfoCard/www/login-infocard.php | 4 +- modules/InfoCard/www/mex.php | 257 ++++++++++ .../www/resources/infocard_self_114x80.png | Bin 0 -> 9302 bytes modules/InfoCard/www/tokenservice.php | 139 ++++++ 15 files changed, 1375 insertions(+), 1195 deletions(-) rename modules/InfoCard/dictionaries/{logininfocard.php => dict-InfoCard.php} (61%) delete mode 100644 modules/InfoCard/extra/config-login-infocard.php delete mode 100644 modules/InfoCard/extra/getinfocard.php delete mode 100644 modules/InfoCard/extra/mex.php delete mode 100644 modules/InfoCard/extra/tokenservice.php create mode 100644 modules/InfoCard/lib/STS.php create mode 100644 modules/InfoCard/templates/default/temp-getcardform.php rename modules/InfoCard/templates/{login-infocard.php => default/temp-login.php} (86%) create mode 100644 modules/InfoCard/www/getcardform.php create mode 100644 modules/InfoCard/www/mex.php create mode 100644 modules/InfoCard/www/resources/infocard_self_114x80.png create mode 100644 modules/InfoCard/www/tokenservice.php 
diff --git a/modules/InfoCard/config-template/config-login-infocard.php b/modules/InfoCard/config-template/config-login-infocard.php
index 90ba0f612..3259851ef 100644
--- a/modules/InfoCard/config-template/config-login-infocard.php
+++ b/modules/InfoCard/config-template/config-login-infocard.php
@@ -3,92 +3,142 @@ /* * AUTHOR: Samuel Muñoz Hidalgo * EMAIL: samuel.mh@gmail.com -* LAST REVISION: 1-DEC-08 -* DESCRIPTION: 'login-infocard' module configuration. +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: 'InfoCard' module configuration for simpleSAMLphp. --server_key: --server_crt: --IClogo: InfoCard logo (template's button) - - -Definitions taken from: +Some definitions were taken from: A Guide to Using the Identity Selector Interoperability Profile V1.5 within Web Applications and Browsers. Copyright Microsoft -" --issuer (optional) - This parameter specifies the URL of the STS from which to obtain a token. If omitted, no - specific STS is requested. The special value - “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the - token should come from a Self-issued Identity Provider. - --issuerPolicy (optional) - This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy - can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS. - --tokenType (optional) - This parameter specifies the type of the token to be requested from the STS as a URI. Th - parameter can be omitted if the STS and the Web site front-end have a mutual - understanding about what token type will be provided or if the Web site is willing to accep - any token type. - --requiredClaims (optional) - This parameter specifies the types of claims that must be supplied by the identity. If - omitted, there are no required claims. The value of requiredClaims is a space-separate - list of URIs, each specifying a required claim type. - --optionalClaims (optional) - This parameter specifies the types of optional claims that may be supplied by the identity - If omitted, there are no optional claims. The value of optionalClaims is a space-separat - list of URIs, each specifying a claim type that can be optionally submitted. 
- --privacyUrl (optional) - This parameter specifies the URL of the human-readable Privacy Policy of the site, if - provided. -" - - --Claims supported by the current schema - givenname - surname - emailaddress - streetaddress - locality - stateorprovince - postalcode - country - primaryphone - dateofbirth - privatepersonalid - gender - webpage */ $config = array ( - 'server_key' => '/etc/apache2/ssl/idp.key', - 'server_crt' => '/etc/apache2/ssl/idp.crt', +//------------- TEMPLATE OPTIONS --------------- + 'IClogo' => 'resources/infocard_114x80.png', //Infocard logo button + 'help_desk_email_URL' => 'mailto:asd@asd.com', //Help desk e-mail + 'contact_info_URL' => 'http://google.es', //Contact information + + + + +//------------- CERTIFICATE OPTIONS --------------- + + /* + * USED IN: Relying Party + * DESCRIPTION: Key of the certificate used in the https connection with the idp, it'll be used + * for decrypting the received XML token, + */ + 'idp_key' => '/etc/apache2/ssl/idp.key', + + + /* + * USED IN: Relying Party + * DESCRIPTION: Only accept tokens signed with this certificate, + * if no certificate is set, it'll be assumed to accept + * a self isued token and accept any token. + */ 'sts_crt' => '/etc/apache2/ssl/sts.crt', - 'IClogo' => 'resources/infocard_114x80.png', - + /* + * USED IN: Infocard Generator, STS + * DESCRIPTION: STS certificate for signing Infocards and tokens. + */ + 'sts_key' => '/etc/apache2/ssl/sts.key', + + + /* + * USED IN: + * DESCRIPTION: Array of certificates forming a trust chain. The local signing + * certificate is [0], the one that signed that is [1], etc, chaining to a + * trust anchor. + * HINT: The first one, [0], should be the same as the sts_crt. 
+ */ + 'certificates' => array( + 0 => '/etc/apache2/ssl/sts.crt', + 1 => '/etc/apache2/ssl/CA.crt' + ), + + + +//------------- DATA (InfoCard) OPTIONS --------------- + + /* + * USED IN: InfoCard Generator, Relying Party and STS + * DESCRIPTION: Infocard information + */ 'InfoCard' => array( + /* + * -issuer (optional, taken from the sts_crt common name value, if no set, self issuer is assumed ) + * This parameter specifies the URL of the STS from which to obtain a token. If omitted, no + * specific STS is requested. The special value + * “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the + * token should come from a Self-issued Identity Provider + */ + /* + * Root of the current InfoCard schema + */ 'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity', - 'issuer' => 'https://sts/tokenservice.php', + /* + * -issuerPolicy (optional) + * This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy + * can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS. + */ 'issuerPolicy' => '', + /* + * -privacyUrl (optional) + * This parameter specifies the URL of the human-readable Privacy Policy of the site, if + * provided. + */ 'privacyURL' => '', + /* + * -tokenType (optional) + * This parameter specifies the type of the token to be requested from the STS as a URI. Th + * parameter can be omitted if the STS and the Web site front-end have a mutual + * understanding about what token type will be provided or if the Web site is willing to accep + * any token type. + */ 'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion', + + /*-Claims supported by the current schema + givenname + surname + emailaddress + streetaddress + locality + stateorprovince + postalcode + country + primaryphone + dateofbirth + privatepersonalid + gender + webpage + */ + + /* + * -requiredClaims (optional) + * This parameter specifies the types of claims that must be supplied by the identity. 
If + * omitted, there are no required claims. The value of requiredClaims is a space-separate + * list of URIs, each specifying a required claim type. + */ 'requiredClaims' => array( 'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"), 'givenname' => array('displayTag'=>"Given Name", 'description'=>"etc"), 'surname' => array('displayTag'=>"Surname", 'description'=>"apellidos"), 'emailaddress' => array('displayTag'=>"e-mail", 'description'=>"E-mail address") ), + /* + * -optionalClaims (optional) + * This parameter specifies the types of optional claims that may be supplied by the identity + * If omitted, there are no optional claims. The value of optionalClaims is a space-separat + * list of URIs, each specifying a claim type that can be optionally submitted + */ 'optionalClaims' => array( 'country' => array('displayTag'=>"country", 'description'=>"PaĂs"), 'webpage' => array('displayTag'=>"webpage", 'description'=>"Página web") 
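Review bot: The new comment on `'sts_crt'` documents a fail-open default ("if no certificate is set, it'll be assumed to accept a self isued token and accept any token") without saying what that means for a deployment, and an operator trimming the template is likely to read it as a harmless optional. If the relying-party code really behaves as described, an empty `sts_crt` means incoming tokens are accepted without checking who signed them, so anyone able to produce a well-formed token of the configured type could authenticate; I cannot see the consuming code in this hunk, so that should be confirmed and then stated plainly. I would extend the comment with `* WARNING: leaving this unset disables signer verification of received tokens; only do so for self-issued cards, never for a managed-card deployment.` and keep the template value populated, as it is here. The `'issuer'` entry was dropped from the `InfoCard` array while its explanatory comment was kept; a one-line note that the value is now derived (the comment says from the `sts_crt` common name) would save readers looking for a key that no longer exists. The `$config` array continues past the end of this hunk.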
@@ -96,20 +146,58 @@ $config = array ( ), -//STS only -// array of certificates forming a trust chain. The local signing -// certificate is [0], the one that signed that is [1], etc, chaining to a -// trust anchor. + + +//------------- WEB PAGES --------------- - 'CardGenerator' => 'https://idp.aut.uah.es/simplesaml/module.php/InfoCard/getinfocard.php', - 'certificates' => array( - 0 => '/etc/apache2/ssl/sts.crt', - 1 => '/etc/apache2/ssl/CA.crt' - ), + /* + * USED IN: InfoCard Generator, Relying Party (optional form) + * DESCRIPTION: Infocard generator URL, if set it'll appear a form with username-password authentication in the template + */ + 'CardGenerator' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/getcardform.php', + + + /* + * USED IN: InfoCard Generator, Relying Party (issuer), STS (Metadata-Exchange) + * DESCRIPTION: Token generator URL + */ + 'tokenserviceurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/tokenservice.php', - 'sts_key' => '/etc/apache2/ssl/sts.key', - 'tokenserviceurl' => 'https://sts/tokenservice.php', - 'mexurl' => 'https://sts/mex.php', + + /* + * USED IN: InfoCard Generator + * DESCRIPTION: Metadata Exchange URL + */ + 'mexurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/mex.php', + + + + +//------------- CREDENTIALS --------------- + + /* + * USED IN: InfoCard Generator, Relying Party (optional form) + * TYPES: UsernamePasswordCredential, KerberosV5Credential, X509V3Credential, SelfIssuedCredential + * DESCRIPTION: How the user will be authenticated + * IMPLEMENTED & TESTED: UsernamePasswordCredential, SelfIssuedCredential + */ + 'UserCredential' => 'SelfIssuedCredential', + + + + +//------------- DEBUG --------------- + + /* + * USED IN: tokenservice + * DESCRIPTION: directory where RSTs and RSTRs will be logged EJ: /tmp. + * If null, logging will be dissabled. 
+ * The directory MUST exists and be accessible to the program, otherwise NO log will be written + * Log files have the form urn:uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.log where X is an hexadecimal digit [0-9|a-f] + */ + 'debugDir' => '/tmp', + ); + ?> \ No newline at end of file diff --git a/modules/InfoCard/dictionaries/logininfocard.php b/modules/InfoCard/dictionaries/dict-InfoCard.php similarity index 61% rename from modules/InfoCard/dictionaries/logininfocard.php rename to modules/InfoCard/dictionaries/dict-InfoCard.php index a8525b813..0affd8164 100644 --- a/modules/InfoCard/dictionaries/logininfocard.php +++ b/modules/InfoCard/dictionaries/dict-InfoCard.php @@ -44,6 +44,24 @@ $lang = array( 'pt' => '', 'pt-BR' => '', ), + 'get_IC_link' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Click here to get your InfoCard', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Pinche aquĂ para conseguir su InfoCard', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), 'form_username' => array ( 'no' => '', 'nn' => '', 
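Review bot: The `'debugDir' => '/tmp'` entry at the end of the new DEBUG section ships the config template with request/response logging switched on, and the comment above it says the files hold the raw RSTs and RSTRs, i.e. the issued token plus whatever the client sent to obtain it (for the `UsernamePasswordCredential` mode listed a few lines earlier, presumably the user's credentials — to be confirmed against tokenservice.php, which is not in this hunk). Writing that into a world-readable shared directory under a predictable `urn:uuid:...log` name is a bad default for anyone who copies the template into production. The comment already states that `null` disables logging, so the template should default to off: `'debugDir' => null,` with the comment amended to `* Set to a directory only while debugging: logged RST/RSTR files contain issued tokens and must not be world-readable (do not use /tmp in production).` The placeholder `help_desk_email_URL`/`contact_info_URL` values earlier in this file are obviously examples, but `debugDir` is not self-evidently one.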
@@ -250,6 +268,186 @@ $lang = array( 'hu' => 'ElĂ©rĂ©si informáciĂłk', 'pt' => 'Contactos', 'pt-BR' => 'Informações de Contato', + ), + 'getcardform_title' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Authentication form', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Formulario de autenticaciĂłn', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_self_title' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Self-Issued Card form', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Formulario de tarjeta autogestionada', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_self_text' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please, enter a self issued InfoCard in order to link it with the managed one we are generating.', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Por favor, introduzca una InfoCard autogestionada para ligarla a la que vamos a generarle.', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_finished_title' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Congratulations, your Infocard was succesfully generated', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Enhorabuena, generĂł su Infocard con Ă©xito', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_finished_text' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please follow the next link to get to the login page.', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Siga el siguiente enlace para ir a la página de login', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'NO_password' => 
array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please fill in your password', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Introduce una contraseña', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'NO_user' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please fill in your username', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Introduce tu nombre de usuario', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'Wrong_user_pass' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Wrong username or password', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Usuario o contraseña inválidos ', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + '' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => '', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => '', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + '' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => '', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => '', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', ), ); diff --git a/modules/InfoCard/docs/usage.txt b/modules/InfoCard/docs/usage.txt index c90dbe409..5495a9b94 100644 --- a/modules/InfoCard/docs/usage.txt +++ b/modules/InfoCard/docs/usage.txt @@ -9,9 +9,10 @@ Information cards module for simpleSAMLphp AUTHOR: Samuel Muñoz Hidalgo EMAIL: samuel.mh@gmail.com - LAST REVISION: 22-DEC-08 + LAST REVISION: 13-FEB-09 DESCRIPTION: What you should read before starting doing things. + Introduction ------------- 
@@ -25,7 +26,7 @@ RP : Acting as a Relying Party, you can accept user authentication through InfoCards comsumming tokens sent by aSTS. STS -: Acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user-password authentication is supported. +: Acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user password and self issued credentials are supported. InfoCard Generator : Your users could request their InfoCard filling a form with their username and password. diff --git a/modules/InfoCard/extra/config-login-infocard.php b/modules/InfoCard/extra/config-login-infocard.php deleted file mode 100644 index e94d75742..000000000 --- a/modules/InfoCard/extra/config-login-infocard.php +++ /dev/null 
@@ -1,174 +0,0 @@ -<?php - -/* -* AUTHOR: Samuel Muñoz Hidalgo -* EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 -* DESCRIPTION: 'InfoCard' module configuration for simpleSAMLphp. - - -Some definitions were taken from: -A Guide to Using the Identity Selector -Interoperability Profile V1.5 within Web -Applications and Browsers. -Copyright Microsoft - -*/ - - -$config = array ( - -//------------- TEMPLATE OPTIONS --------------- - 'IClogo' => 'resources/infocard_114x80.png', //Infocard logo button - 'help_desk_email_URL' => 'mailto:asd@asd.com', //Help desk e-mail - 'contact_info_URL' => 'http://google.es', //Contact information - - - - -//------------- CERTIFICATE OPTIONS --------------- - - /* - * USED IN: Relying Party - * DESCRIPTION: Key of the certificate used in the https connection with the idp, it'll be used - * for decrypting the received XML token, - */ - 'idp_key' => '/etc/apache2/ssl/idp.key', - - - /* - * USED IN: Relying Party - * DESCRIPTION: Only accept tokens signed with this certificate, - * if no certificate is set, it'll be assumed to accept - * a self isued token and accept any token. - */ - 'sts_crt' => '/etc/apache2/ssl/sts.crt', - - - /* - * USED IN: Infocard Generator, STS - * DESCRIPTION: STS certificate for signing Infocards and tokens. - */ - 'sts_key' => '/etc/apache2/ssl/sts.key', - - - /* - * USED IN: - * DESCRIPTION: Array of certificates forming a trust chain. The local signing - * certificate is [0], the one that signed that is [1], etc, chaining to a - * trust anchor. - * HINT: The first one, [0], should be the same as the sts_crt. 
- */ - 'certificates' => array( - 0 => '/etc/apache2/ssl/sts.crt', - 1 => '/etc/apache2/ssl/CA.crt' - ), - - - -//------------- DATA (InfoCard) OPTIONS --------------- - - /* - * USED IN: InfoCard Generator, Relying Party and STS - * DESCRIPTION: Infocard information - */ - 'InfoCard' => array( - /* - * -issuer (optional, taken from the sts_crt common name value, if no set, self issuer is assumed ) - * This parameter specifies the URL of the STS from which to obtain a token. If omitted, no - * specific STS is requested. The special value - * “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the - * token should come from a Self-issued Identity Provider - */ - /* - * Root of the current InfoCard schema - */ - 'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity', - /* - * -issuerPolicy (optional) - * This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy - * can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS. - */ - 'issuerPolicy' => '', - /* - * -privacyUrl (optional) - * This parameter specifies the URL of the human-readable Privacy Policy of the site, if - * provided. - */ - 'privacyURL' => '', - /* - * -tokenType (optional) - * This parameter specifies the type of the token to be requested from the STS as a URI. Th - * parameter can be omitted if the STS and the Web site front-end have a mutual - * understanding about what token type will be provided or if the Web site is willing to accep - * any token type. - */ - 'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion', - - /*-Claims supported by the current schema - givenname - surname - emailaddress - streetaddress - locality - stateorprovince - postalcode - country - primaryphone - dateofbirth - privatepersonalid - gender - webpage - */ - - /* - * -requiredClaims (optional) - * This parameter specifies the types of claims that must be supplied by the identity. If - * omitted, there are no required claims. 
The value of requiredClaims is a space-separate - * list of URIs, each specifying a required claim type. - */ - 'requiredClaims' => array( - 'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"), - 'givenname' => array('displayTag'=>"Given Name", 'description'=>"etc"), - 'surname' => array('displayTag'=>"Surname", 'description'=>"apellidos"), - 'emailaddress' => array('displayTag'=>"e-mail", 'description'=>"E-mail address") - ), - /* - * -optionalClaims (optional) - * This parameter specifies the types of optional claims that may be supplied by the identity - * If omitted, there are no optional claims. The value of optionalClaims is a space-separat - * list of URIs, each specifying a claim type that can be optionally submitted - */ - 'optionalClaims' => array( - 'country' => array('displayTag'=>"country", 'description'=>"PaĂs"), - 'webpage' => array('displayTag'=>"webpage", 'description'=>"Página web") - ), - ), - - - - -//------------- WEB PAGES --------------- - - /* - * USED IN: InfoCard Generator, Relying Party (optional form) - * DESCRIPTION: Infocard generator URL, if set it'll appear a form with username-password authentication in the template - */ -// 'CardGenerator' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/getinfocard.php', - - - /* - * USED IN: InfoCard Generator, Relying Party (issuer), STS (Metadata-Exchange) - * DESCRIPTION: Token generator URL - */ - 'tokenserviceurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/tokenservice.php', - - - /* - * USED IN: InfoCard Generator - * DESCRIPTION: Metadata Exchange URL - */ - 'mexurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/mex.php', -); - -?> \ No newline at end of file diff --git a/modules/InfoCard/extra/getinfocard.php b/modules/InfoCard/extra/getinfocard.php deleted file mode 100644 index d1fac6a9a..000000000 --- a/modules/InfoCard/extra/getinfocard.php +++ /dev/null 
@@ -1,198 +0,0 @@ -<?php - - -/* -* COAUTHOR: Samuel Muñoz Hidalgo -* EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 -* DESCRIPTION: InfoCard module Infocard generator -*/ - -//Generate a raw InfoCard with the given data and the configuration -//NOTA: hay namespaces totalmente innecesarios desde un punto de vista práctico xml, están cubiertos por el nodo -// Signature, pero si no se ponen, la canonicalizaciĂłn de generaciĂłn de firma la de comprobaciĂłn son diferentes -// y no funciona. -//EJ: xmlns="http://www.w3.org/2000/09/xmldsig#" en los nodos Object y SignedInfo - -function create_card($ICdata,$ICconfig) { - - $infocardbuf = "<Object Id=\"IC01\" xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"; - $infocardbuf .= "<InformationCard xml:lang=\"en-us\" xmlns=\"http://schemas.xmlsoap.org/ws/2005/05/identity\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\" xmlns:wsx=\"http://schemas.xmlsoap.org/ws/2004/09/mex\">"; - - //cardId - $infocardbuf .= "<InformationCardReference>"; - $infocardbuf .= "<CardId>".$ICdata['CardId']."</CardId>"; //xs:anyURI cardId (="$cardurl/$ppid"; $ppid = "$uname-" . 
time();) - $infocardbuf .= "<CardVersion>1</CardVersion>"; //xs:unsignedInt - $infocardbuf .= "</InformationCardReference>"; - - //cardName - $infocardbuf .= "<CardName>".$ICdata['CardName']."</CardName>"; - - //image - $infocardbuf .= "<CardImage MimeType=\"".mime_content_type($ICdata['CardImage'])."\">"; - $infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage'])); - $infocardbuf .= "</CardImage>"; - - //issuer - times - $infocardbuf .= "<Issuer>".$ICconfig['InfoCard']['issuer']."</Issuer>"; - $infocardbuf .= "<TimeIssued>".gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'."</TimeIssued>"; - $infocardbuf .= "<TimeExpires>".$ICdata['TimeExpires']."</TimeExpires>"; - - //Token Service List - $infocardbuf .= "<TokenServiceList>"; - $infocardbuf .= "<TokenService>"; - $infocardbuf .= "<wsa:EndpointReference>"; - $infocardbuf .= "<wsa:Address>".$ICconfig['tokenserviceurl']."</wsa:Address>"; - $infocardbuf .= "<wsa:Metadata>"; - $infocardbuf .= "<wsx:Metadata>"; - $infocardbuf .= "<wsx:MetadataSection>"; - $infocardbuf .= "<wsx:MetadataReference>"; - $infocardbuf .= "<wsa:Address>".$ICconfig['mexurl']."</wsa:Address>"; - $infocardbuf .= "</wsx:MetadataReference>"; - $infocardbuf .= "</wsx:MetadataSection>"; - $infocardbuf .= "</wsx:Metadata>"; - $infocardbuf .= "</wsa:Metadata>"; - $infocardbuf .= "</wsa:EndpointReference>"; - - - - /*Types of User Credentials - * UsernamePasswordCredential - * KerberosV5Credential - * X509V3Credential - * SelfIssuedCredential - */ - $infocardbuf .= "<UserCredential>"; - $infocardbuf .= "<DisplayCredentialHint>".$ICdata['DisplayCredentialHint']."</DisplayCredentialHint>"; - switch($ICdata['UserCredential']){ - case "UsernamePasswordCredential": - $infocardbuf .= "<UsernamePasswordCredential>"; - $infocardbuf .= "<Username>".$ICdata['UserName']."</Username>"; - $infocardbuf .= "</UsernamePasswordCredential>"; - break; - case "KerberosV5Credential": - $infocardbuf .= "<KerberosV5Credential/>"; - break; - case "X509V3Credential": - 
$infocardbuf .= "<X509V3Credential>"; - $infocardbuf .= "<ds:X509Data>"; - $infocardbuf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1\" EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary"> - /*This element provides a key identifier for the X.509 certificate based on the SHA1 hash - of the entire certificate content expressed as a “thumbprint.” Note that the extensibility - point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child - element.*/ - $infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary; - $infocardbuf .= "</wsse:KeyIdentifier>"; - $infocardbuf .= "</ds:X509Data>"; - $infocardbuf .= "</X509V3Credential>"; - break; - default: //SelfIssuedCredential - $infocardbuf .= "<SelfIssuedCredential>"; - $infocardbuf .= "<PrivatePersonalIdentifier>"; - $infocardbuf .= $ICdata['PPID']; //xs:base64binary; - $infocardbuf .= "</PrivatePersonalIdentifier>"; - $infocardbuf .= "</SelfIssuedCredential> "; - break; - } - $infocardbuf .= "</UserCredential>"; - - $infocardbuf .= "</TokenService>"; - $infocardbuf .= "</TokenServiceList>"; - - - //Tokentype - $infocardbuf .= "<SupportedTokenTypeList>"; - $infocardbuf .= "<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>"; - $infocardbuf .= "</SupportedTokenTypeList>"; - - //Claims - $infocardbuf .= "<SupportedClaimTypeList>"; - $url = $ICconfig['InfoCard']['schema']."/claims/"; - foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) { - $infocardbuf .= "<SupportedClaimType Uri=\"".$url.$claim."\">"; - $infocardbuf .= "<DisplayTag>".$data['displayTag']."</DisplayTag>"; - $infocardbuf .= "<Description>".$data['description']."</Description>"; - $infocardbuf .= "</SupportedClaimType>"; - } - foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) { - $infocardbuf .= "<SupportedClaimType Uri=\"".$url.$claim."\">"; - 
$infocardbuf .= "<DisplayTag>".$data['displayTag']."</DisplayTag>"; - $infocardbuf .= "<Description>".$data['description']."</Description>"; - $infocardbuf .= "</SupportedClaimType>"; - } - $infocardbuf .= "</SupportedClaimTypeList>"; - - //Privacy URL - $infocardbuf .= "<PrivacyNotice>".$ICconfig['InfoCard']['privacyURL']."</PrivacyNotice>"; - - $infocardbuf .= "</InformationCard>"; - $infocardbuf .= "</Object>"; - - $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf); - - //construct a SignedInfo block - $signedinfo = "<SignedInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"; - $signedinfo .= "<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"; - $signedinfo .= "<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>"; - $signedinfo .= "<Reference URI=\"#IC01\">"; - $signedinfo .= "<Transforms>"; - $signedinfo .= "<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"; - $signedinfo .= "</Transforms>"; - $signedinfo .= "<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"; - $signedinfo .= "<DigestValue>".base64_encode(sha1($canonicalbuf, TRUE))."</DigestValue>"; - $signedinfo .= "</Reference>"; - $signedinfo .= "</SignedInfo>"; - - $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); - - $signature = ''; - $privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key'])); - openssl_sign($canonicalbuf, &$signature, $privkey); - openssl_free_key($privkey); - $infocard_signature = base64_encode($signature); - - //Envelope - $buf = "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"; - $buf .= $signedinfo; - $buf .= "<SignatureValue>".$infocard_signature."</SignatureValue>"; - $buf .= "<KeyInfo>"; - $buf .= "<X509Data>"; - // signing certificate(s) - foreach ($ICconfig['certificates'] as $idx=>$cert) - $buf .= "<X509Certificate>".sspmod_InfoCard_Utils::takeCert($cert)."</X509Certificate>"; - $buf .= "</X509Data>"; - $buf .= "</KeyInfo>"; - 
$buf .= $infocardbuf; - $buf .= "</Signature>"; - - return $buf; -} - - - -$username = $_POST['username']; -$password = $_POST['password']; - -if (sspmod_InfoCard_UserFunctions::validateUser($username,$password)){ - - $config = SimpleSAML_Configuration::getInstance(); - $autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); - $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard'); - $ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt); - $ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); - $ICconfig['mexurl'] = $autoconfig->getValue('mexurl'); - $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); - $ICconfig['certificates'] = $autoconfig->getValue('certificates'); - - $ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username); - - $IC = create_card($ICdata,$ICconfig); - header("Content-Disposition: attachment; filename=\"".$ICdata['CardName'].".crd\""); - header('Content-Type: application/x-informationcard'); - header('Content-Length:'.strlen($IC)); -}else{ - $IC = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\"><head><title>ERROR!</title></head><body><h1>Wrong credentials!</h1> Could not authenticate you</body></html>"; -} - -echo $IC; -?> diff --git a/modules/InfoCard/extra/mex.php b/modules/InfoCard/extra/mex.php deleted file mode 100644 index ba7f3908c..000000000 --- a/modules/InfoCard/extra/mex.php +++ /dev/null 
@@ -1,441 +0,0 @@
-<?php
-/*
- * Copyright (C) 2007 Carillon Information Security Inc.
- *
- * WS-MetadataExchange responder for the Carillon STS. Everything is
- * pretty much hard-coded -- the only things that get customized are the
- * tokenservice URL and the certificate.
- *
- */
-
-/*
-* COAUTHOR: Samuel Muñoz Hidalgo
-* EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
-* DESCRIPTION: InfoCard module metadata exchange
-*/
-
-
-$method = $_SERVER["REQUEST_METHOD"];
-if ($method == "POST")
- $use_soap = true;
-else
- $use_soap = false;
-
-if ($use_soap)
- Header('Content-Type: application/soap+xml;charset=utf-8');
-else
- Header('Content-Type: application/xml;charset=utf-8');
-
-$config = SimpleSAML_Configuration::getInstance();
-$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
-$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
-$ICconfig['certificates'] = $autoconfig->getValue('certificates');
-
-
-// Grab the important parts of the token request. That's pretty much just
-// the request ID.
-$request_id = ''; -if ($use_soap && strlen($HTTP_RAW_POST_DATA)) -{ - $token = new DOMDocument(); - $token->loadXML($HTTP_RAW_POST_DATA); - $doc = $token->documentElement; - $elements = $doc->getElementsByTagname('MessageID'); - $request_id = $elements->item(0)->nodeValue; -} - -$buf = '<?xml version="1.0"?>'; - -if ($use_soap) -{ - $buf .= '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">'; - $buf .= '<s:Header>'; - $buf .= '<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</a:Action>'; - if ($request_id) - $buf .= "<a:RelatesTo>$request_id</a:RelatesTo>"; - $buf .= '</s:Header>'; - $buf .= '<s:Body>'; -} -$buf .= '<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">'; -$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://schemas.xmlsoap.org/ws/2005/02/trust">'; -$buf .= '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust">'; -$buf .= '<wsdl:types>'; -$buf .= '<xsd:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust/Imports">'; -$buf .= '<xsd:import 
namespace="http://schemas.microsoft.com/Message"/>'; -$buf .= '</xsd:schema>'; -$buf .= '</wsdl:types>'; -$buf .= '<wsdl:message name="IWSTrustContract_Cancel_InputMessage">'; -$buf .= '<wsdl:part xmlns:q1="http://schemas.microsoft.com/Message" name="request" type="q1:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Cancel_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q2="http://schemas.microsoft.com/Message" name="CancelResult" type="q2:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Issue_InputMessage">'; -$buf .= '<wsdl:part xmlns:q3="http://schemas.microsoft.com/Message" name="request" type="q3:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Issue_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q4="http://schemas.microsoft.com/Message" name="IssueResult" type="q4:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Renew_InputMessage">'; -$buf .= '<wsdl:part xmlns:q5="http://schemas.microsoft.com/Message" name="request" type="q5:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Renew_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q6="http://schemas.microsoft.com/Message" name="RenewResult" type="q6:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Validate_InputMessage">'; -$buf .= '<wsdl:part xmlns:q7="http://schemas.microsoft.com/Message" name="request" type="q7:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Validate_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q8="http://schemas.microsoft.com/Message" name="ValidateResult" type="q8:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:portType name="IWSTrustContract">'; -$buf .= '<wsdl:operation name="Cancel">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel" 
message="tns:IWSTrustContract_Cancel_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel" message="tns:IWSTrustContract_Cancel_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Issue">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" message="tns:IWSTrustContract_Issue_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" message="tns:IWSTrustContract_Issue_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Renew">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew" message="tns:IWSTrustContract_Renew_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew" message="tns:IWSTrustContract_Renew_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Validate">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate" message="tns:IWSTrustContract_Validate_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate" message="tns:IWSTrustContract_Validate_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '</wsdl:portType>'; -$buf .= '</wsdl:definitions>'; -$buf .= '</wsx:MetadataSection>'; -$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://tempuri.org/">'; -$buf .= '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
xmlns:i0="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" name="STS" targetNamespace="http://tempuri.org/">'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:TransportToken>'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:RequireThumbprintReference/>'; -$buf .= '<sp:WssX509V3Token10/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:X509Token>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:TransportToken>'; -$buf .= '<sp:AlgorithmSuite>'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:Basic128/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:AlgorithmSuite>'; -$buf .= '<sp:Layout>'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:Strict/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:Layout>'; -if ($_GET['auth'] == 'x509') - $buf .= '<sp:IncludeTimestamp/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:TransportBinding>'; - -// is this metadata for an infocard that wants an x509-authenticated -// token, or a username/password token? 
-if ($_GET['auth'] == 'x509') -{ - $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:RequireThumbprintReference/>'; - $buf .= '<sp:WssX509V3Token10/>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:X509Token>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:EndorsingSupportingTokens>'; -} -else -{ - $buf .= '<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:WssUsernameToken10/>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:UsernameToken>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:SignedSupportingTokens>'; -} - -$buf .= '<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:MustSupportRefKeyIdentifier/>'; -$buf .= '<sp:MustSupportRefIssuerSerial/>'; -$buf .= '<sp:MustSupportRefThumbprint/>'; -$buf .= '<sp:MustSupportRefEncryptedKey/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:Wss11>'; -$buf .= '<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:MustSupportIssuedTokens/>'; -$buf .= '<sp:RequireServerEntropy/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:Trust10>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Cancel_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" 
Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Cancel_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= 
'<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<mssp:RsaToken xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true"/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:EndorsingSupportingTokens>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= 
'<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Renew_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; 
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Renew_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Validate_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" 
Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Validate_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsdl:import namespace="http://schemas.xmlsoap.org/ws/2005/02/trust" location=""/>'; -$buf .= '<wsdl:types/>'; -$buf .= '<wsdl:binding name="CustomBinding_IWSTrustContract" type="i0:IWSTrustContract">'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_policy"/>'; -$buf .= '<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>'; -$buf .= '<wsdl:operation name="Cancel">'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel" style="document"/>'; -$buf .= 
'<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Cancel_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Cancel_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Issue">'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_policy"/>'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" style="document"/>'; -$buf .= '<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Renew">'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew" style="document"/>'; -$buf .= '<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Renew_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Renew_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Validate">'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate" style="document"/>'; -$buf .= '<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Validate_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= 
'<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Validate_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '</wsdl:binding>'; -$buf .= '<wsdl:service name="STS">'; -$buf .= '<wsdl:port name="CustomBinding_IWSTrustContract" binding="tns:CustomBinding_IWSTrustContract">'; -$buf .= "<soap12:address location=\"".$ICconfig['tokenserviceurl']."\"/>"; -$buf .= '<wsa10:EndpointReference>'; -$buf .= "<wsa10:Address>".$ICconfig['tokenserviceurl']."</wsa10:Address>"; -$buf .= '<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">'; -$buf .= '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'; -$buf .= '<X509Data>'; -$buf .= '<X509Certificate>'.sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]).'</X509Certificate>'; -$buf .= '</X509Data>'; -$buf .= '</KeyInfo>'; -$buf .= '</Identity>'; -$buf .= '</wsa10:EndpointReference>'; -$buf .= '</wsdl:port>'; -$buf .= '</wsdl:service>'; -$buf .= '</wsdl:definitions>'; -$buf .= '</wsx:MetadataSection>'; -$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://www.w3.org/2001/XMLSchema" Identifier="http://schemas.microsoft.com/Message">'; -$buf .= '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://schemas.microsoft.com/Message" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/Message">'; -$buf .= '<xs:complexType name="MessageBody">'; -$buf .= '<xs:sequence>'; -$buf .= '<xs:any minOccurs="0" maxOccurs="unbounded" namespace="##any"/>'; -$buf .= '</xs:sequence>'; -$buf .= '</xs:complexType>'; -$buf .= '</xs:schema>'; -$buf .= '</wsx:MetadataSection>'; -$buf .= '</Metadata>'; - -if ($use_soap) -{ - $buf .= '</s:Body>'; - $buf .= '</s:Envelope>'; -} - - - -print($buf); - -?> diff --git a/modules/InfoCard/extra/tokenservice.php b/modules/InfoCard/extra/tokenservice.php deleted file mode 100644 index 7b6267c97..000000000 
--- a/modules/InfoCard/extra/tokenservice.php
+++ /dev/null
@@ -1,296 +0,0 @@ -<?php -/* - * Copyright (C) 2007 Carillon Information Security Inc. - * - * Token responder for the Carillon STS. Accepts a SOAP token request from - * a relying party (or an infocard client, more likely) and produces a - * token with the proper attributes, as stored in the database of issued - * infocards. - * - */ - -/* -* COAUTHOR: Samuel Muñoz Hidalgo -* EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 -* DESCRIPTION: InfoCard module token generator -*/ - - - -// Windows CardSpace doesn't support using the infocard's certificate as -// the SSL cert for transport binding... so we make it sign a timestamp in -// the token request, and validate the signature on that. -function validate_embedded_cert() -{ - global $doc, $row; - global $db_usertable; - global $uidnum, $uname, $fullname; - global $HTTP_RAW_POST_DATA; - - // FIXME: Add error checking to this! - - // get the signed part (the timestamp) in a horribly cheating way for - // now - // first grab the namespace for u - $begin = 'xmlns:u="'; - $end = 'xsd"'; - $xmlnsu = $HTTP_RAW_POST_DATA; - $xmlnsu = substr($xmlnsu, strpos($xmlnsu, $begin)); - $xmlnsu = substr($xmlnsu, 0, strpos($xmlnsu, $end)+strlen($end)); - $begin = '<u:Timestamp '; - $end = '</u:Timestamp>'; - $tmp = $HTTP_RAW_POST_DATA; - $tmp = substr($tmp, strpos($tmp, $begin)); - $tmp = substr($tmp, 0, strpos($tmp, $end)+strlen($end)); - $tmp1 = substr($tmp, 0, strpos($tmp, ' ')); - $tmp2 = substr($tmp, strpos($tmp, ' ')+1); - $timestamp = $tmp1." 
$xmlnsu ".$tmp2; - - // canonicalize the timestamp and digest it - $canonical_timestamp = sspmod_InfoCard_Utils::canonicalize($timestamp); - $myhash = sha1($canonical_timestamp,TRUE); - $mydigest = base64_encode($myhash); - - // grab the digest from the request - $elements = $doc->getElementsByTagname('DigestValue'); - $request_digest = $elements->item(0)->nodeValue; - - // if the digests don't match, we fail - if ($mydigest != $request_digest) - return false; - - // get the SignedInfo in a horribly cheating way for now - $begin = '<SignedInfo'; - $end = '</SignedInfo>'; - $sinfo = $HTTP_RAW_POST_DATA; - $sinfo = substr($sinfo, strpos($sinfo, $begin)); - $sinfo = substr($sinfo, 0, strpos($sinfo, $end)+strlen($end)); - - // grab the signing certificate and PEM-encode it to satisfy openssl - $elements = $doc->getElementsByTagname('BinarySecurityToken'); - $cert = $elements->item(0)->nodeValue; - $certpem = "-----BEGIN CERTIFICATE-----\n"; - $offset = 0; - while ($segment=substr($cert, $offset, 64)) - { - $certpem .= $segment."\n"; - $offset += 64; - } - $certpem .= "-----END CERTIFICATE-----\n"; - - $pubkey = openssl_pkey_get_public($certpem); - - // canonicalize the signed info - $canonical_sinfo = sspmod_InfoCard_Utils::canonicalize($sinfo); - - // grab the signature from the request - $elements = $doc->getElementsByTagname('SignatureValue'); - $request_sig = $elements->item(0)->nodeValue; - - $request_sig = base64_decode($request_sig); - - // try to verify the signature... if we can't, we fail. - if (openssl_verify($canonical_sinfo, $request_sig, $pubkey) == false) - return false; - - // so, the signature is OK. Was it the right cert? Check its - // thumbprint against the cert we recorded in the infocard... - $thumb = sspmod_InfoCard_Utils::thumbcert($cert); - if ($row['x509thumb'] != $thumb) - return false; - - // at this point we've succeeded, but we need to populate some fields - // based on the usertable to create a card... 
- $arr = openssl_x509_parse($certpem); - $who = $arr['subject']['CN']; - $query = "SELECT * FROM $db_usertable WHERE full_name='$who'"; - $userrow = pg_fetch_assoc(do_query($query)); - if ($userrow['status'] == "1") - { - $uidnum = $userrow['id']; - $uname = $userrow['userid']; - $fullname = $userrow['full_name']; - return true; - } - return false; -} - - - -/* -* claimValues ( 'claim'('value','displayTag'), 'claim'('value','displayTag'), ... ) -*/ -function create_token($claimValues,$config){ - // build a SAML assertion - $now = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'; - $later = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z'; - $assertionid = uniqid('uuid-'); - - $saml = "<saml:Assertion MajorVersion=\"1\" MinorVersion=\"0\" AssertionID=\"$assertionid\" Issuer=\"".$config['issuer']."\" IssueInstant=\"$now\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\">"; - $saml .= "<saml:Conditions NotBefore=\"$now\" NotOnOrAfter=\"$later\" />"; - - $saml .= "<saml:AttributeStatement>"; - $saml .= "<saml:Subject>"; - $saml .= "<saml:SubjectConfirmation>"; - $saml .= "<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>"; - - // proof key - $saml .= "<dsig:KeyInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">"; - $saml .= "<dsig:X509Data>"; - $saml .= "<dsig:X509Certificate>".sspmod_InfoCard_Utils::takeCert($config['sts_crt'])."</dsig:X509Certificate>"; - $saml .= "</dsig:X509Data>"; - $saml .= "</dsig:KeyInfo>"; - - $saml .= "</saml:SubjectConfirmation>"; - $saml .= "</saml:Subject>"; - - - foreach ($claimValues as $claim=>$data) { - $saml .= "<saml:Attribute AttributeName=\"$claim\" AttributeNamespace=\"".$config['InfoCard']['schema']."/claims\">"; - $saml .= "<saml:AttributeValue>".$data['value']."</saml:AttributeValue>"; - $saml .= "</saml:Attribute>"; - } - - $saml .= "</saml:AttributeStatement>"; - - - // calculate the digest for the signature... 
- $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml."</saml:Assertion>"); - $myhash = sha1($canonicalbuf,TRUE); - $samldigest = base64_encode($myhash); - - - // construct a SignedInfo block - $signedinfo = "<dsig:SignedInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">"; - $signedinfo .= "<dsig:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />"; - $signedinfo .= "<dsig:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />"; - $signedinfo .= "<dsig:Reference URI=\"#$assertionid\">"; - $signedinfo .= "<dsig:Transforms>"; - $signedinfo .= "<dsig:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" />"; - $signedinfo .= "<dsig:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />"; - $signedinfo .= "</dsig:Transforms>"; - $signedinfo .= "<dsig:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />"; - $signedinfo .= "<dsig:DigestValue>$samldigest</dsig:DigestValue>"; - $signedinfo .= "</dsig:Reference>"; - $signedinfo .= "</dsig:SignedInfo>"; - - // compute the signature of hte canonicalized digest - $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); - $privkey = openssl_pkey_get_private(file_get_contents($config['sts_key'])); - $signature = ''; - openssl_sign($canonicalbuf, &$signature, $privkey); - openssl_free_key($privkey); - $samlsignature = base64_encode($signature); - - - // now put it all together - $saml .= "<dsig:Signature xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">"; - $saml .= $signedinfo; - $saml .= "<dsig:SignatureValue>$samlsignature</dsig:SignatureValue>"; - - $saml .= "<dsig:KeyInfo>"; - $saml .= "<dsig:X509Data>"; - $saml .= "<dsig:X509Certificate>".sspmod_InfoCard_Utils::takeCert($config['sts_crt'])."</dsig:X509Certificate>"; - $saml .= "</dsig:X509Data>"; - $saml .= "</dsig:KeyInfo>"; - $saml .= "</dsig:Signature>"; - - $saml .= "</saml:Assertion>"; - - - // cram the SAML assertion in a SOAP envelope - $buf = 
'<?xml version="1.0"?>'; - $buf .= "<soap:Envelope xmlns:ic=\"http://schemas.xmlsoap.org/ws/2005/05/identity\" xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"; - if ($include_timestamp) { - $buf .= "<soap:Header>"; - $buf .= "<wsse:Security>"; - $buf .= "<wsu:Timestamp>"; - $buf .= "<wsu:Created>$now</wsu:Created>"; - $buf .= "<wsu:Expires>$later</wsu:Expires>"; - $buf .= "</wsu:Timestamp>"; - $buf .= "</wsse:Security>"; - $buf .= "</soap:Header>"; - } else - $buf .= "<soap:Header />"; - - $buf .= "<soap:Body>"; - $buf .= "<wst:RequestSecurityTokenResponse Context=\"ProcessRequestSecurityToken\">"; - $buf .= "<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>"; - $buf .= "<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>"; - $buf .= "<wst:RequestedSecurityToken>"; - - $buf .= $saml; - - $buf .= "</wst:RequestedSecurityToken>"; - - // references - $buf .= "<wst:RequestedAttachedReference>"; - $buf .= "<wsse:SecurityTokenReference>"; - $buf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">$assertionid</wsse:KeyIdentifier>"; - $buf .= "</wsse:SecurityTokenReference>"; - $buf .= "</wst:RequestedAttachedReference>"; - $buf .= "<wst:RequestedUnattachedReference>"; - $buf .= "<wsse:SecurityTokenReference>"; - $buf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">$assertionid</wsse:KeyIdentifier>"; - $buf .= "</wsse:SecurityTokenReference>"; - $buf .= "</wst:RequestedUnattachedReference>"; - - // display token - $buf .= "<ic:RequestedDisplayToken>"; - $buf .= "<ic:DisplayToken 
xml:lang=\"en\">"; - - foreach ($claimValues as $claim=>$data) { - $buf .= "<ic:DisplayClaim Uri=\"".$config['InfoCard']['schema']."/claims/".$claim."\">"; - $buf .= "<ic:DisplayTag>".$data['displayTag']."</ic:DisplayTag>"; - $buf .= "<ic:DisplayValue>".$data['value']."</ic:DisplayValue>"; - $buf .= "</ic:DisplayClaim>"; - } - - $buf .= "</ic:DisplayToken>"; - $buf .= "</ic:RequestedDisplayToken>"; - - // the end - $buf .= "</wst:RequestSecurityTokenResponse>"; - $buf .= "</soap:Body>"; - $buf .= "</soap:Envelope>"; - - return $buf; -} - - - - -// grab the important parts of the token request. these are the username, -// password, and cardid. - -Header('Content-Type: application/soap+xml;charset=utf-8'); - - -$token = new DOMDocument(); -$token->loadXML($HTTP_RAW_POST_DATA); -$doc = $token->documentElement; -$username = $doc->getElementsByTagname('Username')->item(0)->nodeValue; -$password = $doc->getElementsByTagname('Password')->item(0)->nodeValue; -$cardId = $doc->getElementsByTagname('CardId')->item(0)->nodeValue; - - -if (sspmod_InfoCard_UserFunctions::validateUser($username,$password)){ - $config = SimpleSAML_Configuration::getInstance(); - $autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); - $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard'); - $ICconfig['issuer'] = $autoconfig->getValue('issuer'); - $ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt'); - $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); - - $requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType')); - $claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'],$requiredClaims); - $buf = create_token($claimValues,$ICconfig); - Header('Content-length: '.strlen($buf)+1); - print($buf); -}else{ - $bad = true; - print(""); -} - -?> \ No newline at end of file 
diff --git a/modules/InfoCard/lib/STS.php b/modules/InfoCard/lib/STS.php
new file mode 100644
index 000000000..9d8d137a7
--- /dev/null
+++ b/modules/InfoCard/lib/STS.php
@@ -0,0 +1,384 @@ +<?php +/* +* COAUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: Things the STS can do +* - InfoCard issue +* - Error response (if the user send us wrong credentials) +* - Request Security Token Response +*/ + +class sspmod_InfoCard_STS { + + +/* +* USED IN: www/getcardform.php +* INPUT: data and configuration +* OUTPUT; a custom error message for the identity selector +*/ + static public function createCard($ICdata,$ICconfig) { + + $infocardbuf = '<Object Id="IC01" xmlns="http://www.w3.org/2000/09/xmldsig#">'; + $infocardbuf .= '<InformationCard xml:lang="en-us" xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">'; + + //cardId + $infocardbuf .= '<InformationCardReference>'; + $infocardbuf .= '<CardId>'.$ICdata['CardId'].'</CardId>'; //xs:anyURI cardId (="$cardurl/$ppid"; $ppid = "$uname-" . 
time();) + $infocardbuf .= '<CardVersion>1</CardVersion>'; //xs:unsignedInt + $infocardbuf .= '</InformationCardReference>'; + + //cardName + $infocardbuf .= '<CardName>'.$ICdata['CardName'].'</CardName>'; + + //image + $infocardbuf .= '<CardImage MimeType="'.mime_content_type($ICdata['CardImage']).'">'; + $infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage'])); + $infocardbuf .= '</CardImage>'; + + //issuer - times + $infocardbuf .= '<Issuer>'.$ICconfig['InfoCard']['issuer'].'</Issuer>'; + $infocardbuf .= '<TimeIssued>'.gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'.'</TimeIssued>'; + $infocardbuf .= '<TimeExpires>'.$ICdata['TimeExpires'].'</TimeExpires>'; + + //Token Service List + $infocardbuf .= '<TokenServiceList>'; + $infocardbuf .= '<TokenService>'; + $infocardbuf .= '<wsa:EndpointReference>'; + $infocardbuf .= '<wsa:Address>'.$ICconfig['tokenserviceurl'].'</wsa:Address>'; + $infocardbuf .= '<wsa:Metadata>'; + $infocardbuf .= '<wsx:Metadata>'; + $infocardbuf .= '<wsx:MetadataSection>'; + $infocardbuf .= '<wsx:MetadataReference>'; + $infocardbuf .= '<wsa:Address>'.$ICconfig['mexurl'].'</wsa:Address>'; + $infocardbuf .= '</wsx:MetadataReference>'; + $infocardbuf .= '</wsx:MetadataSection>'; + $infocardbuf .= '</wsx:Metadata>'; + $infocardbuf .= '</wsa:Metadata>'; + $infocardbuf .= '</wsa:EndpointReference>'; + + + + /*Types of User Credentials + * Supported: UsernamePasswordCredential, SelfIssuedCredential + * Unsupported: KerberosV5Credential, X509V3Credential + */ + $infocardbuf .= '<UserCredential>'; + $infocardbuf .= '<DisplayCredentialHint>'.$ICdata['DisplayCredentialHint'].'</DisplayCredentialHint>'; + switch($ICconfig['UserCredential']){ + case 'UsernamePasswordCredential': + $infocardbuf .= '<UsernamePasswordCredential>'; + $infocardbuf .= '<Username>'.$ICdata['UserName'].'</Username>'; + $infocardbuf .= '</UsernamePasswordCredential>'; + break; + case 'KerberosV5Credential': + $infocardbuf .= '<KerberosV5Credential/>'; + break; + case 
'X509V3Credential': + $infocardbuf .= '<X509V3Credential>'; + $infocardbuf .= '<ds:X509Data>'; + $infocardbuf .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary">'; + /*This element provides a key identifier for the X.509 certificate based on the SHA1 hash + of the entire certificate content expressed as a “thumbprint.” Note that the extensibility + point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child + element.*/ + $infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary; + $infocardbuf .= '</wsse:KeyIdentifier>'; + $infocardbuf .= '</ds:X509Data>'; + $infocardbuf .= '</X509V3Credential>'; + break; + case 'SelfIssuedCredential': + $infocardbuf .= '<SelfIssuedCredential>'; + $infocardbuf .= '<PrivatePersonalIdentifier>'; + $infocardbuf .= $ICdata['PPID']; //xs:base64binary; + $infocardbuf .= '</PrivatePersonalIdentifier>'; + $infocardbuf .= '</SelfIssuedCredential> '; + break; + default: + break; + } + $infocardbuf .= '</UserCredential>'; + + $infocardbuf .= '</TokenService>'; + $infocardbuf .= '</TokenServiceList>'; + + + //Tokentype + $infocardbuf .= '<SupportedTokenTypeList>'; + $infocardbuf .= '<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>'; + $infocardbuf .= '</SupportedTokenTypeList>'; + + //Claims + $infocardbuf .= '<SupportedClaimTypeList>'; + $url = $ICconfig['InfoCard']['schema'].'/claims/'; + foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) { + $infocardbuf .= '<SupportedClaimType Uri="'.$url.$claim.'">'; + $infocardbuf .= '<DisplayTag>'.$data['displayTag'].'</DisplayTag>'; + $infocardbuf .= '<Description>'.$data['description'].'</Description>'; + $infocardbuf .= '</SupportedClaimType>'; + } + foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) { + $infocardbuf .= '<SupportedClaimType 
Uri="'.$url.$claim.'">'; + $infocardbuf .= '<DisplayTag>'.$data['displayTag'].'</DisplayTag>'; + $infocardbuf .= '<Description>'.$data['description'].'</Description>'; + $infocardbuf .= '</SupportedClaimType>'; + } + $infocardbuf .= '</SupportedClaimTypeList>'; + + //Privacy URL + $infocardbuf .= '<PrivacyNotice>'.$ICconfig['InfoCard']['privacyURL'].'</PrivacyNotice>'; + + $infocardbuf .= '</InformationCard>'; + $infocardbuf .= '</Object>'; + + + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf); + + //construct a SignedInfo block + $signedinfo = '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'; + $signedinfo .= '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'; + $signedinfo .= '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'; + $signedinfo .= '<Reference URI="#IC01">'; + $signedinfo .= '<Transforms>'; + $signedinfo .= '<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'; + $signedinfo .= '</Transforms>'; + $signedinfo .= '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'; + $signedinfo .= '<DigestValue>'.base64_encode(sha1($canonicalbuf, TRUE)).'</DigestValue>'; + $signedinfo .= '</Reference>'; + $signedinfo .= '</SignedInfo>'; + + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); + + $signature = ''; + $privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key'])); + openssl_sign($canonicalbuf, &$signature, $privkey); + openssl_free_key($privkey); + $infocard_signature = base64_encode($signature); + + //Envelope + $buf = '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'; + $buf .= $signedinfo; + $buf .= '<SignatureValue>'.$infocard_signature.'</SignatureValue>'; + $buf .= '<KeyInfo>'; + $buf .= '<X509Data>'; + // signing certificate(s) + foreach ($ICconfig['certificates'] as $idx=>$cert) + $buf .= '<X509Certificate>'.sspmod_InfoCard_Utils::takeCert($cert).'</X509Certificate>'; + $buf .= '</X509Data>'; + $buf .= 
'</KeyInfo>'; + $buf .= $infocardbuf; + $buf .= '</Signature>'; + + return $buf; + } + + + + +/* +* USED IN: www/tokenservice.php +* INPUT: error message, uuid of the RST +* OUTPUT; a custom error message for the identity selector +*/ + static public function errorMessage($msg,$relatesto){ + $buf = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">'; + $buf .= '<s:Header>'; + $buf .= '<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>'; + $buf .= '<a:RelatesTo>'.$relatesto.'</a:RelatesTo>'; + $buf .= '</s:Header>'; + $buf .= '<s:Body>'; + $buf .= '<s:Fault>'; + $buf .= '<s:Code>'; + $buf .= '<s:Value xmlns:a="http://www.w3.org/2003/05/soap-envelope">'; + $buf .= 'a:Sender'; + $buf .= '</s:Value>'; + $buf .= '<s:Subcode>'; + $buf .= '<s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/05/identity">'; + $buf .= 'a:MissingAppliesTo'; + $buf .= '</s:Value>'; + $buf .= '</s:Subcode>'; + $buf .= '</s:Code>'; + $buf .= '<s:Reason>'; + $buf .= '<s:Text xml:lang="en">'; + $buf .= $msg; + $buf .= '</s:Text>'; + $buf .= '</s:Reason>'; + $buf .= '</s:Fault>'; + $buf .= '</s:Body>'; + $buf .= '</s:Envelope>'; + return $buf; + } + + + +/* +* USED IN: www/tokenservice.php +* INPUT: claims value, configuration, uuid of the RST +* OUTPUT; a security token for the identity selector +*/ + static public function createToken($claimValues,$config,$relatesto){ + $assertionid = uniqid('uuid-'); + $created = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'; + $expires = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z'; + + + //SOAP ENVELOPE + $env = '<?xml version="1.0"?>'; + $env .= '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:xenc="http://www.w3.org/2001/04/xmlenc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'; + + $env .= '<S:Header>'; + $env .= '<wsa:Action wsu:Id="_1">'; + $env .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue'; + $env .= '</wsa:Action>'; + $env .= '<wsa:RelatesTo wsu:Id="_2">'; + $env .= $relatesto; + $env .= '</wsa:RelatesTo>'; + $env .= '<wsa:To wsu:id="_3">'; + $env .= 'http://www.w3.org/2005/08/addressing/anonymous'; + $env .= '</wsa:To>'; + $env .= '<wsse:Security S:mustUnderstand="1">'; + $env .= '<wsu:Timestamp wsu:Id="_6">'; + $env .= '<wsu:Created>'.$created.'</wsu:Created>'; + $env .= '<wsu:Expires>'.$expires.'</wsu:Expires>'; + $env .= '</wsu:Timestamp>'; + $env .= '</wsse:Security>'; + $env .= '</S:Header>'; + + + $env .= '<S:Body wsu:Id="_10">'; + //RequestSecurityTokenResponse + $env .= sspmod_InfoCard_STS::RequestSecurityTokenResponse($claimValues,$config,$assertionid,$created,$expires); + $env .= '</S:Body>'; + $env .= '</S:Envelope>'; + + return $env; + } + + + +/* +* USED IN: createToken +* INPUT: claims value, configuration, uuid, times +* OUTPUT; returns the <wst:RequestSecurityTokenResponse>' of the RSTR +*/ + static private function RequestSecurityTokenResponse ($claimValues,$config,$assertionid,$created,$expires){ + $tr = '<wst:RequestSecurityTokenResponse>'; + $tr .= '<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>'; + $tr .= '<wst:LifeTime>'; + $tr .= '<wsu:Created>'.$created.'</wsu:Created>'; + $tr .= '<wsu:Expires>'.$expires.'</wsu:Expires>'; + $tr .= '</wst:LifeTime>'; + + //Encrypted token: SAML assertion + $tr .= '<wst:RequestedSecurityToken>'; + $tr .= sspmod_InfoCard_STS::saml_assertion($claimValues,$config,$assertionid,$created,$expires); + $tr .= '</wst:RequestedSecurityToken>'; + + //RequestedAattachedReference + $tr .= '<wst:RequestedAttachedReference>'; + $tr .= 
'<wsse:SecurityTokenReference>'; + $tr .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">'; + $tr .= $assertionid; + $tr .= '</wsse:KeyIdentifier>'; + $tr .= '</wsse:SecurityTokenReference>'; + $tr .= '</wst:RequestedAttachedReference>'; + + //RequestedUnattachedReference + $tr .= '<wst:RequestedUnattachedReference>'; + $tr .= '<wsse:SecurityTokenReference>'; + $tr .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">'; + $tr .= $assertionid; + $tr .= '</wsse:KeyIdentifier>'; + $tr .= '</wsse:SecurityTokenReference>'; + $tr .= '</wst:RequestedUnattachedReference>'; + + //RequestedDisplayToken + $tr .= '<ic:RequestedDisplayToken>'; + $tr .= '<ic:DisplayToken xml:lang="en-us">'; + foreach ($claimValues as $claim=>$data) { + $tr .= '<ic:DisplayClaim Uri="'.$config['InfoCard']['schema'].'/claims/'.$claim.'">'; + $tr .= '<ic:DisplayTag>'.$data['displayTag'].'</ic:DisplayTag>'; + $tr .= '<ic:DisplayValue>'.$data['value'].'</ic:DisplayValue>'; + $tr .= "</ic:DisplayClaim>"; + } + $tr .= '</ic:DisplayToken>'; + $tr .= '</ic:RequestedDisplayToken>'; + $tr .= '</wst:RequestSecurityTokenResponse>'; + return $tr; + } + + + + +/* +* USED IN: RequestSecurityTokenResponse +* INPUT: claims value, configuration, uuid, times +* OUTPUT; STS Signed SAML assertion +*/ + static private function saml_assertion($claimValues,$config,$assertionid,$created,$expires){ + $saml = '<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="'.$assertionid.'" Issuer="'.$config['issuer'].'" IssueInstant="'.$created.'" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'; + $saml .= '<saml:Conditions NotBefore="'.$created.'" NotOnOrAfter="'.$expires.'" />'; + $saml .= '<saml:AttributeStatement>'; + $saml .= '<saml:Subject>'; + $saml .= '<saml:SubjectConfirmation>'; + $saml .= 
'<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>'; + // proof key + $saml .= '<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'; + $saml .= '<dsig:X509Data>'; + $saml .= '<dsig:X509Certificate>'.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'</dsig:X509Certificate>'; + $saml .= '</dsig:X509Data>'; + $saml .= '</dsig:KeyInfo>'; + $saml .= '</saml:SubjectConfirmation>'; + $saml .= '</saml:Subject>'; + foreach ($claimValues as $claim=>$data) { + $saml .= '<saml:Attribute AttributeName="'.$claim.'" AttributeNamespace="'.$config['InfoCard']['schema'].'/claims">'; + $saml .= '<saml:AttributeValue>'.$data['value'].'</saml:AttributeValue>'; + $saml .= '</saml:Attribute>'; + } + $saml .= '</saml:AttributeStatement>'; + + //Pure SAML Assertion digest + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml.'</saml:Assertion>'); + $myhash = sha1($canonicalbuf,TRUE); + $samldigest = base64_encode($myhash); + + //Digest block + $signedinfo = '<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" >'; + $signedinfo .= '<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />'; + $signedinfo .= '<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />'; + $signedinfo .= '<dsig:Reference URI="#'.$assertionid.'">'; + $signedinfo .= '<dsig:Transforms>'; + $signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />'; + $signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />'; + $signedinfo .= '</dsig:Transforms>'; + $signedinfo .= '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />'; + $signedinfo .= '<dsig:DigestValue>'.$samldigest.'</dsig:DigestValue>'; + $signedinfo .= '</dsig:Reference>'; + $signedinfo .= '</dsig:SignedInfo>'; + + //Signature of the digest + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); + $privkey = 
openssl_pkey_get_private(file_get_contents($config['sts_key']));
+ $signature = '';
+ openssl_sign($canonicalbuf, &$signature, $privkey);
+ openssl_free_key($privkey);
+ $samlsignature = base64_encode($signature);
+
+ //Signature block
+ $saml .= '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">';
+ $saml .= $signedinfo;
+ $saml .= '<dsig:SignatureValue>'.$samlsignature.'</dsig:SignatureValue>';
+ $saml .= '<dsig:KeyInfo>';
+ $saml .= '<dsig:X509Data>';
+ $saml .= '<dsig:X509Certificate>'.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'</dsig:X509Certificate>';
+ $saml .= '</dsig:X509Data>';
+ $saml .= '</dsig:KeyInfo>';
+ $saml .= '</dsig:Signature>';
+ $saml .= '</saml:Assertion>';
+ return $saml;
+ }
+
+
+}
+
+?>
\ No newline at end of file
diff --git a/modules/InfoCard/templates/default/temp-getcardform.php b/modules/InfoCard/templates/default/temp-getcardform.php
new file mode 100644
index 000000000..bf8f728ec
--- /dev/null
+++ b/modules/InfoCard/templates/default/temp-getcardform.php
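Review bot: In both createCard and saml_assertion the signing step never checks its result: `openssl_pkey_get_private(file_get_contents(...['sts_key']))` returns false for a missing or unreadable key and `openssl_sign()` is called without testing its return value, so a misconfigured STS still emits a card or SAML assertion whose `<SignatureValue>` is the base64 of an empty string. Replace the call with `if ($privkey === false || !openssl_sign($canonicalbuf, $signature, $privkey)) { throw new Exception('InfoCard STS: cannot sign with sts_key'); }`, which also drops the call-time `&$signature` that PHP 5.3 deprecates. The same functions splice `$ICdata['CardName']`, `$ICdata['UserName']`, `$msg`, `$relatesto` and every claim `$data['value']` into XML unescaped; wrapping each in `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` keeps a value containing `<` or `&` from breaking, or injecting into, the signed document. The `uniqid('uuid-')` AssertionID is time-derived and therefore predictable; the core `SimpleSAML_Utilities::generateID()` helper is presumably available to this module and would be the safer choice.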
@@ -0,0 +1,70 @@ +<?php +/* +* AUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 22-DEC-08 +* DESCRIPTION: InfoCard module template. +*/ + $this->includeAtTemplateBase('includes/header.php'); + if (!array_key_exists('icon', $this->data)) $this->data['icon'] = 'lock.png'; + if (isset($this->data['error'])) { ?> + <div style="border-left: 1px solid #e8e8e8; border-bottom: 1px solid #e8e8e8; background: #f5f5f5"> + <img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " /> + <h2><?php echo $this->t('error_header'); ?></h2> + + <p><?php echo $this->t($this->data['error']); ?> </p> + </div> + <?php } ?> + + +<!-- GET INFOCARD SECTION --> + <?php + if (strcmp($this->data['CardGenerator'],'')>0) { + + if(strcmp($this->data['form'],"validate")==0){ + echo '<h2>'.$this->t('getcardform_title').'</h2>'; + echo '<form action = ?AuthState='.$this->data['stateparams']['AuthState']." method='post'>"; + echo '<table border="0">'; + echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>"; + echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>"; + echo "<tr><td></td><td><input type='submit' name='get_button' value='".$this->t('get_button')."' /></td></tr>"; + echo "<input type='hidden' name='form' value='".$this->data['form']."'/>"; + echo '</table>'; + echo '</form>'; + + } else if(strcmp($this->data['form'],"selfIssued")==0){ //ASK FOR A SELF-ISSUED CARD + echo '<h2>'.$this->t('getcardform_self_title').'</h2>'; + echo '<p>'.$this->t('getcardform_self_text').'</p>'; + echo '<form name="ctl00" id="ctl00" method="post" action="?AuthState='.$this->data['stateparams']['AuthState'].'">'; + echo '<OBJECT type="application/x-informationCard" name="xmlToken">'; + echo '<PARAM Name="issuer" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />'; + if 
($this->data['InfoCard']['issuerPolicy']!='') echo '<PARAM Name="issuerPolicy" Value="'.$this->data['InfoCard']['issuerPolicy']."\">\n"; + if ($this->data['InfoCard']['tokenType']!='') echo '<PARAM Name="tokenType" Value="'.$this->data['InfoCard']['tokenType']."\">\n"; + if ($this->data['InfoCard']['privacyURL']!='') echo '<PARAM Name="privacyUrl" Value="'.$this->data['InfoCard']['privacyURL']."\">\n"; + if ($this->data['InfoCard']['privacyVersion']!='')echo '<PARAM Name="privacyVersion" Value="'.$this->data['InfoCard']['privacyVersion']."\">\n"; + echo '<PARAM Name="requiredClaims" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">'; + echo '</OBJECT>'; + echo "<input type='hidden' name='username' value='".$this->data['username']."'/>"; + echo "<input type='hidden' name='password' value='".$this->data['password']."'/>"; + echo "<input type='hidden' name='form' value='".$this->data['form']."'/>"; + echo "<input type='image' src='resources/infocard_self_114x80.png' style='cursor:pointer' />"; + echo '</form>'; + } else { + echo '<h2>'.$this->t('getcardform_finished_title').'</h2>'; + echo '<p>'.$this->t('getcardform_finished_text').'</p>'; + echo '<p> <a href="login-infocard.php?AuthState='.$this->data['stateparams']['AuthState'].'">LOGIN</a></p>'; + } + } + ?> + +<!-- HELP SECTION --> + <h2><?php echo $this->t('help_header'); ?></h2> + <p><?php echo $this->t('help_text'); ?></p> + <?php + if ((array_key_exists('contact_info_URL',$this->data)) && ($this->data['contact_info_URL']!=null)) + echo "<p><a href='".$this->data['contact_info_URL']."'>".$this->t('contact_info')."</a><p/>"; + if ((array_key_exists('help_desk_email_URL',$this->data)) && ($this->data['help_desk_email_URL']!=null)) + echo "<p><a href='".$this->data['help_desk_email_URL']."'>".$this->t('help_desk_email')."</a></p>"; + ?> + +<?php $this->includeAtTemplateBase('includes/footer.php'); ?> 
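Review bot: The `validate` form in this template writes the state id into an unquoted attribute, `echo '<form action = ?AuthState='.$this->data['stateparams']['AuthState']." method='post'>"`, and that value comes straight from `$_REQUEST['AuthState']` in the controller, so a crafted link can add attributes or event handlers to the form (reflected XSS); the `selfIssued` form and the LOGIN link concatenate the same value into quoted attributes without escaping. Quote and escape it everywhere, e.g. `echo '<form action="?AuthState='.htmlspecialchars($this->data['stateparams']['AuthState'], ENT_QUOTES, 'UTF-8').'" method="post">';`. The `selfIssued` branch also re-emits the cleartext password in `<input type='hidden' name='password' value='...'/>`, which puts the credential into page source, browser cache and any proxy log; it should stay server-side (the controller itself marks that data 'For testing purposes'). The prefilled `value='usuario'` / `value='clave'` defaults in the username and password inputs look like test leftovers as well.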
diff --git a/modules/InfoCard/templates/login-infocard.php b/modules/InfoCard/templates/default/temp-login.php similarity index 86% rename from modules/InfoCard/templates/login-infocard.php rename to modules/InfoCard/templates/default/temp-login.php index 48821e7e8..70cd74f74 100644 --- a/modules/InfoCard/templates/login-infocard.php +++ b/modules/InfoCard/templates/default/temp-login.php @@ -21,6 +21,7 @@ <p><?php echo $this->t('user_IC_text'); ?></p> <form name="ctl00" id="ctl00" method="post" action="?AuthState=<?php echo $this->data['stateparams']['AuthState']?>"> + <!-- <ic:informationCard xmlns:ic="<?php echo $this->data['InfoCard']['schema'] ?>" name="xmlToken" issuer="<?php echo $this->data['InfoCard']['issuer']; ?>" <?php @@ -62,16 +63,12 @@ </form> <!-- GET INFOCARD SECTION --> - <?php if (strcmp($this->data['CardGenerator'],'')>0) { - echo '<h2>'.$this->t('get_IC').'</h2>'; - echo "<form action=\"". $this->data['CardGenerator'] ."\" method='post'>"; - echo '<table border="0">'; - echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>"; - echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>"; - echo "<tr><td></td><td><input type='submit' name='get_button' value='".$this->t('get_button')."' /></td></tr>"; - echo '</table>'; - echo '</form>'; - } ?> + <?php + if (strcmp($this->data['CardGenerator'],'')>0) { + echo '<h2>'.$this->t('get_IC').'</h2>'; + echo '<a href="'.$this->data['CardGenerator'].'?AuthState='.$this->data['stateparams']['AuthState'].'">'.$this->t('get_IC_link').'</a>'; + } + ?> <!-- HELP SECTION --> <h2><?php echo $this->t('help_header'); ?></h2> diff --git a/modules/InfoCard/www/getcardform.php b/modules/InfoCard/www/getcardform.php new file mode 100644 index 000000000..992af0f57 --- /dev/null +++ b/modules/InfoCard/www/getcardform.php 
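Review bot: The new Get-InfoCard link in the second hunk builds its href as `'<a href="'.$this->data['CardGenerator'].'?AuthState='.$this->data['stateparams']['AuthState'].'">'` with neither value escaped; AuthState is taken from `$_REQUEST` in getcardform.php and presumably the same way in login-infocard.php, so it should at least go through `htmlspecialchars($this->data['stateparams']['AuthState'], ENT_QUOTES, 'UTF-8')`, and `urlencode()` if it can carry `&` or `#`. The `<!--` added in the first hunk opens an HTML comment inside the `ctl00` form; its closing `-->` is outside the hunk, so verify that only the `<ic:informationCard>` element is meant to be commented out and not the rest of the form.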
@@ -0,0 +1,155 @@ +<?php + +/* +* AUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: +* Pretty form to get a managed InfoCard +* User flow controller. +* Displays the template and request a non null xmlToken +*/ + + +/* Load the configuration. */ +$config = SimpleSAML_Configuration::getInstance(); +$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); + +$Infocard = $autoconfig->getValue('InfoCard'); + + +/* Load the session of the current user. */ +$session = SimpleSAML_Session::getInstance(); +if($session == NULL) { + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOSESSION'); +} + +if (!array_key_exists('AuthState', $_REQUEST)) { +SimpleSAML_Logger::debug('NO AUTH STATE'); +SimpleSAML_Logger::debug('ERROR: NO AUTH STATE'); + throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); +} else { + $authStateId = $_REQUEST['AuthState']; +SimpleSAML_Logger::debug('AUTH STATE: '.$authStateId); +} + +$username = null; +$password = null; + +$state = "validate"; +if(array_key_exists('form', $_POST) && ($_POST['form']!=NULL) ) { + if(array_key_exists('username', $_POST) && ($_POST['username']!=NULL) ) { + if(array_key_exists('password', $_POST) && ($_POST['password']!=NULL) ) { + //Validation: Username/Password + $username = $_POST['username']; + $password = $_POST['password']; + if (sspmod_InfoCard_UserFunctions::validateUser(array('username'=>$username,'password'=>$password),'UsernamePasswordCredential')){ + $userCredential = $autoconfig->getValue('UserCredential'); + if (strcmp($userCredential,'UsernamePasswordCredential')==0){ + + $ICconfig['InfoCard'] = $Infocard; + $ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt); + $ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); + $ICconfig['mexurl'] = $autoconfig->getValue('mexurl'); + $ICconfig['sts_key'] = 
$autoconfig->getValue('sts_key'); + $ICconfig['certificates'] = $autoconfig->getValue('certificates'); + $ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential'); + + $ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username,$userCredential); + $IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig); + header("Content-Disposition: attachment; filename=\"".$ICdata['CardName'].".crd\""); + header('Content-Type: application/x-informationcard'); + header('Content-Length:'.strlen($IC)); + echo $IC; + $state = 'end'; + }else if (strcmp($userCredential,'SelfIssuedCredential')==0){ + /* + * VERY IMPORTANT: + * The STS is acting as a Relying Party to get the PPID in order to generate a + * managed card with a self issued credential, that's why we use the STS + * certificate private key to decrypt the token. + */ + if(array_key_exists('xmlToken', $_POST) && ($_POST['xmlToken']!=NULL) ) { + SimpleSAML_Logger::debug('HAY XML TOKEN'); + $token = new sspmod_InfoCard_RP_InfoCard(); + $idp_key = $autoconfig->getValue('sts_key'); + $token->addIDPKey($idp_key); + $token->addSTSCertificate(''); + $claims = $token->process($_POST['xmlToken']); + if(($claims->isValid()) && ($claims->privatepersonalidentifier!=NULL)) { + $ppid = $claims->privatepersonalidentifier; + $ICconfig['InfoCard'] = $Infocard; + $ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt); + $ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); + $ICconfig['mexurl'] = $autoconfig->getValue('mexurl'); + $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); + $ICconfig['certificates'] = $autoconfig->getValue('certificates'); + $ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential'); + + $ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username,$userCredential,$ppid); + $IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig); + header('Content-Disposition: attachment; 
filename="'.$ICdata['CardName'].'.crd"'); + header('Content-Type: application/x-informationcard'); + header('Content-Length:'.strlen($IC)); + echo $IC; + $state = 'end'; + }else { + SimpleSAML_Logger::debug('Wrong Self-Issued card'); + $error = 'wrong_IC'; + $state = "selfIssued"; + } + }else{ + SimpleSAML_Logger::debug('NO HAY XML TOKEN'); + $error = NULL; + $state = "selfIssued"; + } + }else{ + SimpleSAML_Logger::debug('CONFIGURATION ERROR: UserCredential '.$userCredential.' NOT SUPPORTED'); + } + }else{ + $error = 'Wrong_user_pass'; + SimpleSAML_Logger::debug('WRONG username or password'); + } + }else{ + $error = 'NO_password'; + SimpleSAML_Logger::debug('NO PASSWORD'); + } + }else { + $error = 'NO_user'; + SimpleSAML_Logger::debug('NO USERNAME'); + } +}else{ + $error = NULL; +} + + +unset($_POST); //Show the languages bar if reloaded + +$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:temp-getcardform.php', 'InfoCard:dict-InfoCard'); //(configuracion, template, diccionario) +$t->data['header'] = 'simpleSAMLphp: Get your Infocard'; +$t->data['stateparams'] = array('AuthState' => $authStateId); + + +$t->data['InfoCard'] = $Infocard; + +$cardGenerator = $autoconfig->getValue('CardGenerator'); +$t->data['CardGenerator'] = $cardGenerator; + +$help_desk_email_URL = $autoconfig->getValue('help_desk_email_URL'); +$t->data['help_desk_email_URL'] = $help_desk_email_URL; + +$contact_info_URL = $autoconfig->getValue('contact_info_URL'); +$t->data['contact_info_URL'] = $contact_info_URL; + +$t->data['error'] = $error; +$t->data['form'] = $state; + +//For testing purposes +$t->data['username']=$username; +$t->data['password']=$password; + + + +$t->show(); +exit(); +?> \ No newline at end of file diff --git a/modules/InfoCard/www/login-infocard.php b/modules/InfoCard/www/login-infocard.php index d33c7dbb7..af12e8f85 100644 --- a/modules/InfoCard/www/login-infocard.php +++ b/modules/InfoCard/www/login-infocard.php 
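Review bot: The controller hands the submitted credentials back to the view, `$t->data['username']=$username; $t->data['password']=$password;`, commented 'For testing purposes'; the template then re-emits the cleartext password in a hidden field so it can be posted again with the xmlToken, which leaks it into page source and caches and makes the second round trip as sensitive as the first. Keep it server-side: drop both lines and carry the already-validated username between the username/password step and the self-issued-card step in the session or the AuthState (`SimpleSAML_Auth_State` is presumably available here, but its use is not visible in this file). Separately, after `echo $IC;` in both branches the script falls through to `$t->show()`, so the .crd download gets the HTML template appended after the declared `Content-Length`; add `exit();` after each `echo $IC;`. The null-session check also cannot work as written, since `SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOSESSION')` dereferences the `$session` it has just found to be null.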
@@ -3,7 +3,7 @@ /* * AUTHOR: Samuel Muñoz Hidalgo * EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 +* LAST REVISION: 13-FEB-09 * DESCRIPTION: * User flow controller. * Displays the template and request a non null xmlToken @@ -52,7 +52,7 @@ SimpleSAML_Logger::debug('NO HAY XML TOKEN'); unset($_POST); //Show the languages bar if reloaded //Login Page -$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:login-infocard.php', 'InfoCard:logininfocard'); //(configuracion, template, diccionario) +$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:temp-login.php', 'InfoCard:dict-InfoCard'); //(configuracion, template, diccionario) $t->data['header'] = 'simpleSAMLphp: Infocard login'; $t->data['stateparams'] = array('AuthState' => $authStateId); $t->data['IClogo'] = $IClogo; diff --git a/modules/InfoCard/www/mex.php b/modules/InfoCard/www/mex.php new file mode 100644 index 000000000..43c6554c6 --- /dev/null +++ b/modules/InfoCard/www/mex.php 
@@ -0,0 +1,257 @@ +<?php + +/* +* AUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: InfoCard module metadata exchange (POLICY) +*/ + + +$method = $_SERVER["REQUEST_METHOD"]; + +if ($method == "POST"){ + $use_soap = true; + Header('Content-Type: application/soap+xml;charset=utf-8'); +}else{ + $use_soap = false; + Header('Content-Type: application/xml;charset=utf-8'); +} + + +$config = SimpleSAML_Configuration::getInstance(); +$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); +$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); +$ICconfig['certificates'] = $autoconfig->getValue('certificates'); +$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential'); + + +// Grab the important parts of the token request. That's pretty much just +// the request ID. +$request_id = ''; +if ($use_soap && strlen($HTTP_RAW_POST_DATA)) +{ + $token = new DOMDocument(); + $token->loadXML($HTTP_RAW_POST_DATA); + $doc = $token->documentElement; + $elements = $doc->getElementsByTagname('MessageID'); + $request_id = $elements->item(0)->nodeValue; +} + +$buf = '<?xml version="1.0"?>'; + +$buf .= '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">'; + + $buf .= '<S:Header>'; + $buf .= '<wsa:Action S:mustUnderstand="1">'; + $buf .= 'http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse'; + $buf .= '</wsa:Action>'; + $buf .= '<wsa:RelatesTo>'; + $buf .= $request_id; + $buf .= '</wsa:RelatesTo>'; + $buf .= '</S:Header>'; + + $buf .= '<S:Body>'; + $buf .= '<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex">'; + + $buf .= '<MetadataSection Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://schemas.xmlsoap.org/ws/2005/02/trust">'; + $buf .= '<wsdl:definitions name="STS_wsdl" targetNamespace="'.$ICconfig['tokenserviceurl'].'" xmlns:tns="'.$ICconfig['tokenserviceurl'].'" 
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:q1="'.$ICconfig['tokenserviceurl'].'">'; + + $buf .= '<wsdl:types>'; + $buf .= '<xs:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust/Imports">'; + $buf .= '<xs:import schemaLocation="" namespace="'.$ICconfig['tokenserviceurl'].'"/>'; + $buf .= '</xs:schema>'; + $buf .= '</wsdl:types>'; + + $buf .= '<wsdl:message name="RequestSecurityTokenMsg">'; + $buf .= '<wsdl:part name="request" type="q1:MessageBody" />'; + $buf .= '</wsdl:message>'; + $buf .= '<wsdl:message name="RequestSecurityTokenResponseMsg">'; + $buf .= '<wsdl:part name="response" type="q1:MessageBody" />'; + $buf .= '</wsdl:message>'; + + $buf .= '<wsdl:portType name="SecurityTokenService">'; + $buf .= '<wsdl:operation name="Issue">'; + $buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" message="tns:RequestSecurityTokenMsg">'; + $buf .= '</wsdl:input>'; + $buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" message="tns:RequestSecurityTokenResponseMsg">'; + $buf .= '</wsdl:output>'; + $buf .= '</wsdl:operation>'; + $buf .= '</wsdl:portType>'; + + $buf .= '<wsp:Policy wsu:Id="STS_endpoint_policy">'; + $buf .= '<wsp:ExactlyOne>'; + $buf .= '<wsp:All>'; + $buf .= '<ic:RequireFederatedIdentityProvisioning />'; + $buf .= 
'<sp:TransportBinding>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:TransportToken>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:HttpsToken RequireClientCertificate="false" />'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:TransportToken>'; + $buf .= '<sp:AlgorithmSuite>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:Basic256/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:AlgorithmSuite>'; + $buf .= '<sp:Layout>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:Strict/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:Layout>'; + $buf .= '<sp:IncludeTimestamp/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:TransportBinding>'; + + // Authentication token assertion + switch($ICconfig['UserCredential']){ + case "UsernamePasswordCredential": + $buf .= '<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:WssUsernameToken10/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:UsernameToken>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:SignedSupportingTokens>'; + break; + case "KerberosV5Credential": + $buf .= '<sp:ProtectionToken>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:KerberosToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once">'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp: WssGssKerberosV5ApReqToken11/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:KerberosToken>'; + $buf .= '<wsp:Policy>'; + $buf .= '</sp:ProtectionToken>'; + break; + case "X509V3Credential": + $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:WssX509V3Token10/>'; + $buf .= '</wsp:Policy>'; + $buf .= 
'</sp:X509Token>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:EndorsingSupportingTokens>'; + break; + case "SelfIssuedCredential": + $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; + $buf .= '<sp:Issuer>'; + $buf .= '<wsa:Address>'; + $buf .= 'http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self'; + $buf .= '</wsa:Address>'; + $buf .= '</sp:Issuer>'; + $buf .= '<sp:RequestSecurityTokenTemplate>'; + $buf .= '<wst:TokenType>'; + $buf .= 'urn:oasis:names:tc:SAML:1.0:assertion'; + $buf .= '</wst:TokenType>'; + $buf .= '<wst:KeyType>'; + $buf .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey'; + $buf .= '</wst:KeyType>'; + $buf .= '<wst:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">'; + $buf .= '<ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/>'; + $buf .= '</wst:Claims>'; + $buf .= '</sp:RequestSecurityTokenTemplate>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:RequireInternalReference/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:IssuedToken>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:EndorsingSupportingTokens>'; + break; + default: + break; + } + + $buf .= '<sp:Wss11>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:MustSupportRefThumbprint/>'; + $buf .= '<sp:MustSupportRefEncryptedKey/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:Wss11>'; + $buf .= '<sp:Trust10>'; + $buf .= '<wsp:Policy>'; + $buf .= '<sp:RequireClientEntropy/>'; + $buf .= '<sp:RequireServerEntropy/>'; + $buf .= '</wsp:Policy>'; + $buf .= '</sp:Trust10>'; + $buf .= '<wsaw:UsingAddressing wsdl:required="true" />'; + $buf .= '</wsp:All>'; + $buf .= '</wsp:ExactlyOne>'; + $buf .= '</wsp:Policy>'; + + $buf .= '<wsdl:binding name="Transport_binding" 
type="tns:SecurityTokenService">'; + $buf .= '<wsp:PolicyReference URI="#STS_endpoint_policy"/>'; + $buf .= '<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>'; + $buf .= '<wsdl:operation name="Issue">'; + $buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" style="document"/>'; + $buf .= '<wsdl:input>'; + $buf .= '<soap12:body use="literal"/>'; + $buf .= '</wsdl:input>'; + $buf .= '<wsdl:output>'; + $buf .= '<soap12:body use="literal"/>'; + $buf .= '</wsdl:output>'; + $buf .= '</wsdl:operation>'; + $buf .= '</wsdl:binding>'; + + $buf .= '<wsdl:service name="STS_0">'; + $buf .= '<wsdl:port name="STS_0_port" binding="tns:Transport_binding">'; + $buf .= '<soap12:address location="'.$ICconfig['tokenserviceurl'].'" />'; + $buf .= '<wsa:EndpointReference>'; + $buf .= '<wsa:Address>'.$ICconfig['tokenserviceurl'].'</wsa:Address>'; + $buf .= '<wsid:Identity>'; + $buf .= '<ds:KeyInfo>'; + $buf .= '<ds:X509Data>'; + $buf .= '<ds:X509Certificate>'; + $buf .= sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]); + $buf .='</ds:X509Certificate>'; + $buf .= '</ds:X509Data>'; + $buf .= '</ds:KeyInfo>'; + $buf .= '</wsid:Identity>'; + $buf .= '</wsa:EndpointReference>'; + $buf .= '</wsdl:port>'; + $buf .= '</wsdl:service>'; + + $buf .= '</wsdl:definitions>'; + $buf .= '</MetadataSection>'; + + + $buf .= '<MetadataSection Dialect="http://www.w3.org/2001/XMLSchema" Identifier="'.$ICconfig['tokenserviceurl'].'">'; + $buf .= '<xs:schema xmlns:tns="'.$ICconfig['tokenserviceurl'].'" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="'.$ICconfig['tokenserviceurl'].'">'; + $buf .= '<xs:complexType name="MessageBody">'; + $buf .= '<xs:sequence>'; + $buf .= '<xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>'; + $buf .= '</xs:sequence>'; + $buf .= '</xs:complexType>'; + $buf .= '</xs:schema>'; + $buf .= '</MetadataSection>'; + + $buf .= '</Metadata>'; + $buf .= 
'</S:Body>'; + +$buf .= '</S:Envelope>'; + + +print($buf); + +?> + + + + + + + + + + + + + 
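Review bot: `$request_id` is copied straight from the POSTed MessageID into `<wsa:RelatesTo>` without escaping, and `$elements->item(0)` is dereferenced without a null check, so a request with no MessageID, or with markup inside it, either breaks the script or alters the XML the STS answers with; guard and escape it, e.g. `$node = $elements->item(0);` / `$request_id = $node === null ? '' : htmlspecialchars($node->nodeValue, ENT_QUOTES, 'UTF-8');`. `$token->loadXML($HTTP_RAW_POST_DATA)` parses untrusted input with default libxml options, so passing `LIBXML_NONET` (and disabling external entity loading where the PHP version offers it) is advisable, and `$HTTP_RAW_POST_DATA` is only populated when `always_populate_raw_post_data` is on, which makes `file_get_contents('php://input')` the more reliable source. The KerberosV5Credential branch emits `<sp: WssGssKerberosV5ApReqToken11/>` (a space after the prefix) and opens a second `<wsp:Policy>` where the first one should be closed before `</sp:ProtectionToken>`, so that policy section is not well-formed XML. `$ICconfig['certificates'][0]` is also used without checking that the configured list is non-empty.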
diff --git a/modules/InfoCard/www/resources/infocard_self_114x80.png b/modules/InfoCard/www/resources/infocard_self_114x80.png new file mode 100644 index 0000000000000000000000000000000000000000..9351cbcebdace06d93a7a5d00287732823bc676f GIT binary patch literal 9302 zcmV-cB&pkpP)<h;3K|Lk000e1NJLTq0043T002-31^@s6#knCs00001b5ch_0Itp) z=>Px#24YJ`L;wH)0002_L%V+f000SaNLh0L01FcU01FcV0GgZ_00007bV*G`2iXA* z3p5Swl-X|p03ZNKL_t(|+U<RNlvKsJ@2_h24D+6z5f~Uy1_XI2h&&aE7(_87SHjVA z%)>~|G0BM`#&d7(O5#bB!~|~=*SfeQ$vxK>oEY`Q7is`ekr9=*pn&q88RR((^JJdg zy{qmYd)MAy)vnz=+_mog>+H39b$9JY@2=neUcc|FDux`}19Ml7aEh=fQHn)Q39jY| zB=Miy|MN{`(3a^yt=olKw;QXL*Dh_(c09`lU|uDb4H$$a!$%B9<)BJb4!i_KB}HHi zkkY?^e+4NKwA20c7~65ScH4Q{aq7;c<)6qb|56(NSjO~%e;mC>^Zv|xwf#@qf3Tfn z>$~pGZnT_lM$7pYoNPFWz9y_nw_@4yO-qmW8_1t8Sb29rHCBuoUz5CI;uT2b<$*CE zl}e$lr8Rm52{6t8FmTSa?*P0uf1i}$cg6t57#K6#ng1u5cOCzFj4?3(nvDCO{cBi( zvfL;A&ZL0=)33qEXWN5jUYBt|iY&h`0B}IM{t4W2oQys!=~Nm=K0A!MgAHxHCvpF; zH!NM96Uc|Yy7HOi$igMp%$ka1WjRu*6pkD|goa~v=<e!@KG6)|jswm)9LIsf9XJUG zj^luH2M*`p{&%&XCmcA8gR8cL-_ALlgaghTBohAlYM;Y{Yp8b4IXLGYkPHE^^p7#7 zH_-3FG5*71J0>`mJ}l}OMtk1}Kmt-q?{W+fLVAD*)nC&496TW2cg6tW`p3dMUP`HH zgpRg$e6-~wv>oqR^~+b5ew*UvXdo_L`OKg(WlOHRaW;xei*WeRL45fBW;C8TgLEn# zg`NS7aldnU2qIUV?*qUIkUkIrFx&v&@xkN<_!LO>&bTl6J{UF-83BkB5dC)AW*!6R zZOoTCrZfTzk(CHR1oyR+0)c=SKrg}vAP{UxB$r9QO+vT=5<o#=A%>3_j@HhmtEXKu zFZte~bsHi;{`{7ecUO)nTsC{&Y~<zVVdwU(ICS6uge$B7Ds{&d7*r}rX9xQTpxkKZ z1o#kau7R)4qwQ2G0+nk@5S1!*3^R^_Me^t|jM!xgHU)`*NF_`GDwSjgk}EYkDTEBA zRLJ06NblulG7wTAe?UHl4zEU2`{`NJ%WiJid~Dq(ftG$??#dAb!?9xObyJbZ%frrX zTXDRuUi(9u{gD7T183ZOIa~*kdEd=_oO3W=9nzQMc<qkX=4i(-M$Tb8RHH1E#t4We zK+K{(HRp<`SZ24m3@ilB2L}w0ER;m0GHs4p@S_S;Q-vx!s#LTTkU~HRfpjX3-rip1 z56Htcv!<e87*;%R<I3^?$h-<H8#TTrSzb|&BZm*-czu1m2k37UB>I{0XdCx|iX87t zsi#IQ0CUIMrmIn=d!NksYyit_9;>Nh4X_z>srP<T>Rlv4M}^uwPYPvdN`(SXX$DC( zY+yq@JL{=cA%yo?2=w*#A=Q^cva%ePjTxTIOJW58um|R@EH4?0wwrIe8B$8Ded9G` zls&Y$^$dQehK>qn7L{sKr>5FWIL3Z%v5kH^IX9<sW3g|#b84th#Mng{s$uUl)1*z= 
zG^y002!T`%P5`2Ecvy&<aHZDI>H+ZH1%&iKbTclb6mVS^LI?;UQJzequeTSQ)@?%P zAtbp|h$U6kRmjWFLqmO?2O`T7crvC-m+~}?wouv(NppDg*x+S3p0+biq$E_0Oxi)z zfQj*9ZPFZuKZe>R=SdKIMnfAG+Cnf1#)--#AZlTX^g<HP-b&BG5yF#3Um}GNkW#{R zJwW^VdQn(ZgsSQ)@BvuFonp)#JhTc@0u6O_x@wC2Q5M=iszSLZG0Xxc4;&iZ{skaA zy4}>kcXV}ZIwBFrg~d27CK%a{;mmFqVc0(Dt5;??I}*gfA)Y8?0G=kP>O5Z!3uPA- znB?WUp1qV(pu4LJi~)m(Rv}S}MTtZi=9X8KA)QX4y{*k2JO}ZjuHs@P(BXz7WS6u! ziB;{4v_(8rN&4G#PMF^L%=jO$saV5yGI|{n^U;7kI9}?&C^f0>NkZ!9sL(?AKgUCG zrLRtf6h5Gy@pYAC`r$|>lYtNd<rQUcig9&<=OI~^EJssgW5ivjU@EB?dRY~&UpO75 z6(ykxk`l}h2bh#zJLl1M6*5Q(=G!_iCgb*YUyW<+>gD$~v+-s&t}KrCGdV#UUuN=j z+0M7|kiwvQI1k(W&tB-l(bt_u!@jd<JJ$&zLaCJGC48w&rBWzMmcuDP4Ugq{h)QL| zuFYOJ9i`<(!HqD+Jb(y*8i=Z${Amh?0tyPyAn@kFIa<3-RqDnp9z+v>xcz~2$>?>= z&o*Gq2f^<X4Mfg$V10?tD{ye>gu$9R4J6U9mD;mG)kp+HU;S{OPUD=TG+7*i;e*7~ zpA$lFSASB7hy+pz2!K)&7}zUaI@LMMX76%=6UGABB~%?}W42AHGud&Ikfpz6f=8v% zb$zw!9Y3Ie2cW?ZJERnl5Qgdv<IjYR_1FG`qdO_8vz5eY-YnT40H~yrs80<%&UH{s z2~-lR01UiSmR-G>AecZ{8St3Yg)QY_dys7D8}-|yPv|=ZP^nnSSOA{p@VLIM^g*Pz zmWY5z-nnBqFT_r1YErcmRTD^(0$hP%N+tz~zEjYNZH(<iTSwb$rcEW9Qe?}o**^Ej zu3Fg?Vi*1I(sdyj^L!^?LWKfN$iOzL*wV9?;X{+KniA<tqC>+A?_E=&w1b5Jl=LY{ zi?e^GWct@Qu)P86pV@)^TkFw!?gG-O4Dtu$p{$|^RU;}f=IY^?{Dsk&bK9h7huR#D zY@i$4yrTQH?;E>U=xSC<y!Xn-c>ReFacu7?bhh<qG~C9X$Fe&|1T?Ly84ILPf7U|K z1o;f#vvmyzDq+i;F~;IKPip^s@H`dlL~SDlkdc7Ew2J_qesC>betdJ}cKUi!XzEF! 
z>2w?RZ>__tf7<MITAVXOJ1<*@+CYzcAQ;2zPkxBU?t8I+>HU6W&6P@(#CA$41IhH9 z97()Y2?-^Qeml8d)Y%~*YGC?tA#<GIhc&4*IwO!wDuL=)Lq%_TagP<mxb6Ijj(8B` zRIbgL$tJai>U?p<rrh8uz~XErq4*^6W&==(y;Om}$K-etsO+P%ne?yds#QYIG%%uC z{hXi{H`368*h%I1&`#3gKqG`$`_wkAPbSV7g)c9;9)qeY;JN~*>(1e$+Jo5k)_!Et zE}D+Fqhd%2oID;MH)e|kvw5+$&Swl~8=AG<&mMRXLq}9*ululOKn$r=wvo2`oNB=E z5VcA}5MkQLKs+6TLURlnjysw}ff52l?P{K^37-EXQirGh(=*zi{rZ2s1;u5BfCTdL z9gLbd43}Ry9JhRZ7GC`0MhI8pLURw2RYehSK7Riw-um+ne7d~>&1c$?No9~6T#74a zjl{xxW@E|?WBM0o`q!IR_#^ACZ;t;})Sl*e7{VN;2-K=1A(~_?ba)V@=%moOSF6_= zkl~c)B<Uvgig>0pmZU5UwTq@_O6{nWaMP}C7rWCaE-Q>=G|DSWaL+Gp0~nC*%V?d` z-O+>Je)l<i@Y>!;e>R<L!={(^VAD%`aO>T(aR1|fk3^o6+ZoCQbhhd;%XL%<i1eKt zNEwD4lGr`YLyr}qgCnSf`qW*Z5UHnXf~d+e7z@>`2B1v>eeygKqL=`ZhiAn2A=>|b z^5NI;$p?qg-Pvm`tkQCj0EFw}p*x?pf@p5*S8v10|Mqe`Tayit{x~@?-=!tl97rIw znMAb;5pt|jgyD$FiqP;lL7ys3os#SW&H4vHznR)1fq$SrX`D%ZN2BNfEV_3N9{t`6 z!SznpH{qG(e**xNUs8h0t{8%`Q!c|bH;na|C8l@QyMNt--J1?;opkrl7vRhH%tlFh zA$GoX0FQqEd33aN0|4H5;zKO>)=Z3>HX<ir8+#rDq>P3qHqSYmT~v;a5CNz(j)bz8 ziVz_2VnoF%Z`VfAF=8XF>7_*I>;%q@<Ag6W<gf(sagsUz>(jCL`*Zc{`&)Z+C-!YU zikJTQE*|>U6WI9DP5?m3z{23VZ~bM5cFrC5&BeDKSb)mGrN}SH!|bnIh5J_At{wBn z6CYkY!xQJFN*PNJO4BYHAW(WvDz4g(Bc-8ACBo09YE95Q9A`YNek1Bsy&Uf7VTB@q zePhlXCmM24#)e9!vaNpGT@T!XiPJB~whjC6+0J^LZaA+o7l3CM*F5naDu<L}!kkNk z>mT{}q;}kwzI|<^^Jm^NLHoXcOI`m$mj0;NY?avxB%8;o930ox*d9fSht!;~WI?h} zbXp>p(sNEIp-P3SAJ#Zl<LQkf%579!No4`9yuJnlhm_+hOXeWem&U2OCLG+|fcM|{ z7@h4s!F4yi`VqeIvzvn7>TK)L`t{pW9?2bxo^H?W%-G29Y%G##0||(>Hc1^J6^1BJ zHb^k*QW<1Hq|m|-Zb~GLA02K;Cds1(v7`dlm&{1OPqQ2bh%j=H11~MZuyL1wI}G^+ zc^EmN8n@nc9q#-6KWH6v@<@}W(n^wr7d^J3w>#B;k2UVNI7Wzip#IAi^asG24v+8% z0GoqDU-Y&JA;2OPZl<H7GWCIDqi&SabEaCQPLC0sD@py=#s3@k{OT*Xe9|yf3@t&~ zz#?=scO%{Fg(bxm`C4D)<vW@x8$D^5=IlK6(N9q`en@u4CYRdGM&ISgfl884wgRXm zk4h}(03io7lH3(xX(ZuYX&Q^u```)3Bg-kH<L4q(dmw>9n#<ADtH$Ig$)rhQDz$$5 zjtvL!-I>3`k8k}0);_Zpr|Zt4I5_~7)y25b(TOJ>dR^<onu$ZT&YSnOY1;l@-0>vd ze{C;1nmZv}7d>5lIC110-hb^A{OKoaaQEcpxxu2&%*Di*1`Q_-CP^CcWN^F!QDr^^ 
z2|I*tFV+5tjg)?=pHio)#8In1_1PY4{?QgQTC({RL<+3h_S7E6p4!7X)#8``@j9(D z=YMS));+xypKkN&aZlHs$Fi?I-9HDVzfMd)bC0poM?6<kdMUU{GO2eOv6X@IW3!RW zbas>~)g_c>I0D;9D*z~cXF4{VN9`r^>|uYmuipCw-29E{+SBhO9Q^v_?_m1;aTjMO zv*kB)0c{EXV?9&aZj(w%1_U7rDTx$P^ITOZ60wm=Vyv~K5nw}-90X8}j*F|ykrI7f zt~Z{943T?w|AYAWy(8Gatq#ZbokHX1E$C?JM!GM9g5rEsT~>(+Ge%&+w`O7DtQu>l zmQ@ttku~4Lu8oKA&hxwQ+4cssob5oWH;sbgd<+_v#E9`jFmdKc%)E6%d}=F>e9uA4 zNz$%K8S!X?b|2gbbw`dDLO{Agw~Mas0MWmY(7Ehr#={}S!JHOWDFBURX&h00p`{P! zj<qA5a;=r&Lxv5)kiQ#*`L}!DODhXedPyOYLyGM=Jxe(T;~dj(8i(og$H!+pVr*c* z)WiV0v3o^M$4S~^MiW?@TJ>!tjU~;3E0a7Aoh6$@vY2XcqH-ezSElq4wW{`YccgLh z(`J1vMNCn#Dl_S9=|N{}4_eQ3V#t^Z6c*?8FXL}ZU&RIYaWy#f_-qe^#j(-oILhd# z<H`5P@s#C}q-Mvp$C43>PHi3y=R^kJsDU=zD3ppgJT|+?7|tAOjR#R$D!NH=a9?*C z$3H%YwsYOOG{%)G<{I0cEkluusxyz3(M&x^Oc+tE%3f0bm6UqWl8=xWms&EJmVQ{P z=(r*TRGGi32w<uzoP#q*mp~PY(72FNbO3t0GD!Ei+6duDAvBD^HtKQaVZ+&D-jMg? z;39j$RIb`m+McaCE}Mj!bu~&V%z)p}5YmVz0}t00rYPEus#Q`s7urp!-8R?$yIJ1h zgku-!FmJ5_z^n{6Vo8ya(Gp9>?Bfz)8A*&#I-45W(bJiZmTlNx7ZYN{)w9M)D*;4? zqXu-3mD(}mA<#e<B9v~D))GeGA22%5s|2Fi55}xxIkW+$4v*Hd(%6tnrV1?z6S@F$ zW+@p*I2_z8J|^l{2#Kc8+v7Xhe8t&M3owxqkT{mdQhOuKydwpWf=BjSIa$MNwUXsz zgckh^Tq6XmqlxuFs6o-OS#+hcA~a1UCGra#6ekDhl1HVHjL)ZI5Vg`w;uQ5<NTItU z6%SN@oT2_OG+7eQR8@i&OPN8xjbl}k9H)v^V%arDWSR9kZd`=`U>_aDJlm-3rb*Gk zAOdVPJ3~iTdWBNdkXlr%wKS7Qf$ccoZ7-y<*+Cn?aq8G6t%kaeI50*Hj#&|4jU@@_ zR>1vA^B{>VjjHn?A8FV~s#=|xA#jXlKg?Lta0V#P3IK(r`KXy(g(6=v%`yFvL8#_; zrUTp8oz9s;ij6(Z&n9?TyjhJKr3F-G$U!AdD{mw*CM5$btdQoZx*{T>>O5;XWH=_# zw~aIeaYz+ie_}~e#|kM?Sdxd4lLu$bxL;`L#hD{59)~Cq8H=K7byD4#{t?>QrlN`) zn3H2zT_mtK(pDPnW=gE-$s%HD!dQ|PCriCDK!HogYH}TjaAu7lc4VPMIu4JPby&tM z(xh@MpJ`EHrI!?9@W^DmbTXru+BW>n#@^V}Ypz;XTT!v;ncCWO<sVJSqyVZ6h^pB! 
z!K2v_DYS=NuWRMTG%1V_=bViFAolRq^8c=N_}g9oGc<!Hh;b9Ukw26_Afb&Cj(D%; zXzE-N)gNiKNv@^ywfN7pbEfxcuuLYfcMSiPc3aQa|4dIrQ_v{KsyJ9-Aq1FjdlG)^ z$TX_Xn@)`R<bXCv$I?+OTlSzovko!~S-|ueHW*m;>T;We=3;tcBvPuHB-1msk>s{m z(w4rmZAK-XRvBP2JCKp<h2aO_r>q<}iBJ+9Ln6%qtTy+a4py}?DK^(WCic^2*kH(B zf0}EYWZb#7^GynkszVAac||BX^LUF&jf*8Uj@1oQS84(!b4yTBa8#-asz5oMnMzFp zp{1|v5ktR5H^m3+77&SQ4JH7LBf<My31<se4ArdJGh3)&Ix2DGxviGfR{KgN6VhrU zy%b<*q_ylvXu^B|6QshNhskAAwZ<l7jqTXpQ+WCDTI}0Whx4b~kx9EKA6Sf<@k20q z&S=b8G#ND$hDHeUlSj{C<4ZenY~M+=HFd&uU6hm;p}J-uW-Xk6Ik!zh&BW>mQ090I zEk%{>81jHg03W}11aJLiCqCQJfaWtD$fPnTA5?+~Gi$J5$xKYXepF~Pjci8y`7XS) zq82+h976M%4iuFRz!lSmW5JT?xN6R*STF;Lqzn%6U`-nqt!pI|T|ksOX2m(7==@U1 zT(R5kO^5NbMgNA3F}|a<@d8>KFJMpY5v+Q6y*>~|0ta_DVC7F=gqzXTNJmQ-I$FAL zaQE@>yj(0zfA$kQ+11g5-^Gk0Ie)4hn_u|^n_u|^^S?O__ddD^PJ)NFR7!k)un`a4 zu?nr{I>~)^W7k`UvFokF_`4s?v4iM)t)L8!)C;gQmzg0xAIT_yBz>jLI%OHq8dvA? z)I)!ZfS9W@8Dm)U<mL#7|5w#+7gP4(&%(Iu&Zi?o5NzAq&+bAZ&%yV9e_Ie6_I9W6 z$dczY5Y6r7$KH=ut^VgARYg2hlY6FmJtPGD33PS4Xw2+LE8yq^2U(u_V|!0&-+%M+ zcQ9@Kcw|x;oH}+Mduk8ko#%HM0XlH%*g5UIrT^o0jGtBmHzUw^vK1}oTk*~dyK(~P z&FC!q=lB44_piGnAl~)B&A4^ROca$BVAneb@z@Vv#)VdoCS3o_cFg<QH5fg)8d6HU z^Zag{sc#9+Ehx&vJ&!EJw41L0q{NOl58<hQU5~z=bo3U8qeMMaGiHp;PNtVbGBO5| zc&Was4MG4_aD|vDQjB2SEUY@P>vJ60a{`&Pi_0es!|gwui~qId$2!F)fkeJOD!%@} zX?%XT5t+1$;iCuR_WPpeWi6!Yk3s<O_H(<mw#7@ofUo~#K9Yk<keBb^+J#qo5=gf7 z&ukAqZ+T<Cw(pxipN}srz6yoK`6wvP$DGAi;?AGUjsCV`bX+&A+3{n>kbN*-ut+2W zLTMz^Onc!6ft^Zbwp5Y7&A53yHodeb`2Or88}RHS-o(EHhm~XM7sq1p4{pHd$-}iL z?#h{?u<P9eLDSmRTd;QZ7B9Ixumm%2oruNv&I!-!Pa#znTd6!#a~#QnyJzaLq?DL? 
z(^&oC+<rWeq|XoNnq<a;aS?`R#+Sxp^|H4k(x|*vDwUE>v243(SO@_+<ed5R9Akvp zmc~dbn`$*A;NC|Uqwz#5KHJ`4bsRSQc?aHpZWorn`dv)FDJ*CFhx=|qOJfJ>K0OsV zukCy%HvD-z-hOT;mcQ~HOuu<T|Lr7WaMPLCedail?@s@H&Pz6*?FhWq?hAd|zS4>U zjpdP2qO_tg-fImc)9&0@S5|;Ih{u@K*rViBnWO)%#&|f6oe(hMw#vb!c)a#saA12q zc5OU_`cKc`#Nl&jIB+(YW?Q%dtAD-TtA6vJo3e^x{Nzt}p>F>ve73V5r|O!}c%lVo z8qNoWxxy7#{hK%a^Xzj12qEDL35N{XYdX~yy=6bvD=9As#!>cn>+4PjzgtwAkIuGU z&08%WSgi4~?af`Wsx`cCk=41$;_QTkKp2KFZ7Bo*5z;(oC7b^P<7d=h{EV8Q?Zn|m zEK#NV0FLcF9eS-~Qq++Xs!=ncI+%g6@kBFzdG}NLd4`QFD9ZN+>G)gY@n%$y92k~9 z{>N^+mXZ>ePa1|jwMT;XKYsWx7%^dpK0Ms0O{L_(W#g*w*|u<Ljva3v#7*D0Ml)-> zHXM$n=|Y~?E_s@C66MF~u{=<xTszyFQwO25L-|2-^DEB-)imq(c>d9M@aeXCw4d*U z>k9OA_Tkg5^-*n1@{bSy)6-c0m#sLq|0Fuwy5VMA^!B81Z2xJy7AJ)B(2<vD$Nbv^ zucPJM1@v6##ky5n@#p1lTD6Fj5;y++6s`H;Z~i+ze0?7}TDst7GU(|_;ndM4Y+H8# z&pfyuKbZZPmY1BlaJ+W@bC0}>57z8QZ)YERJNxj#tNZc7Z#Tu00j_J6IL+ZfG{vXc zNHxZT`HQOr+?cWaK~D0Q*sEiEPenoy+cthi4dGpZlSj|t<k52%cb=~aX8)H-+DsuI zytX&z`~s?vzIf+Uyt#TuVAIdkH)HwT&-PCP0r=vbQ?TyI?PxsiRsHpJrtpXRU(f9^ zt0`KnAswu%JjB+usxTv%wVyFhrJ7u~k~*7>B;;{_x3bD2-21z)23)Izy!i7-r{3|S z8!_zifwAZP<FbWT8wu&z(uZDHf~oVa==c3oJ~qD~fgeA42g(N)#~#1v2iMwn&_0#9 zQg<=ohew**Qw-MXwm8*F=OYyYPw)OIwyfQceIM4L;j^=7Y3zWTc2QVbfZ?MDV(Pqc z`078;LFLeL?FoEv^*>?n2S;&q-wB+qKkunFSD>IUAA^Qh;QHIHik|0hCFO;9eAE5- z_vIU~W$k`6pJ_))vJjK5AC238cmpP0I|@%PTN?{VNwN^j{$mMtZ#s%if8C8kyFN!t z;{~L9GZ;{mk4vh{aOo9;Fm~FdnDWIjdcIN!TzbVI{C2~4@ap3qVD~#m(9(DTg(U+p zW=b{Y-!%mjuOEpuf7lvjcFY+hW7KFw%>rP{zqe9;>Gp+?QU>c<fdfo3-O2ISue$Pv z;no>|v#Qu^Gb$R#bhr26)WK%Y+|hLu=ywT>yMB0-+s(F`no%QTD;%aNCbRZbnh9bf zv8)XP5W;>PGWT3$5(q;wpZd)UQRy?J@`icyFlcZU*1fcrW<O{rcy`g8Gd%b`+tkjg zok}THv)Lx7)zV31LU#(Hly<dZyN>O5eBdI^g(W{2NeI)ikEGUyURU#E%}R1)nJ>V6 z0ENg}Rj8?2X^A7LbHfaFoq^@HT698L%QVk92hs%jK!lUK$E<22MV6|!n1@EjRjsMy zah9B6WH?;5(hiH1M`pN^F<yWPV%!pmG7BLfCBPXA-5(hiE(h1;SyZWMBl|;>#gu$# z)3O*(U@&|CMPyTKrH2|AaaC@XB(ZjmnOHU}<4j=vAqD}kio}RBQ*pKt+2TkGgP<+Z z=dU!A>dojAty2Ka8!<~hVpJa8(tUayMI}?IcqxHYubW-1(g(v<e`-^Q*?_g!OPYj^ 
ztt3#tK>)MbMbf7i+WXHeY2}dSIu?v9Y{H0yGKb;p(KcjKB6g1M2*`AQ4lq+a8MK}4 zwA)2rQdLva@piar5kIbxbY{f<QO6@&!Esz!qX`lLFLuPTC3zg_Gk6mXZ+>H2?l{t{ z*%2AEwYRn>%PY#gwGoZQP=dlNhXn&r4{tl=$CrAosq$=t2S9}9X)ET?HKl036R%WT z<pxBh`ip3`HFlw`u`ApsjWry7;Dr!yg-dE)+@SWw+AhL1sOWx|oF{}E6hyiHI1N`# z;9%QNeoy-48&+Evw<0aGJ3PsX3bePj!|g!>&$Oeqqpd^lEXe{;8TY}UdYS9T(5icN zjtQb>uE@e*!FO%RHeJO>78Rqb-blR&DOg303=j<@jh5ZVEL)^axL~U*mBx^8TH&U~ zE(&Az4L8j83n{XL7BRebm0F%mB0oPL9c>+OyYVr1yHMNO+!ESCuuz@G{D5M7v_fv5 z){~NeDCl@c|EOTqHUp@bcu|vD^<C=cO5-|V$vqkEYa97%jK|l;BN{-_M6Yy3v|Q0V z-Zkb|b-jBqmvz!Y31-j!+m^Sg8R->pojcPAw+pr0?Zujt4JVOFr?qvLa86SI00YWN zL_t)XWH>{t_36>)fM=Q-rUal`>=Kd@sgl70U>b<9OQy7iAv8o`(FY@LDWV8arc}!4 zl$yfLa;%yI#|_tb6za1}?jcw-(hiIjv=}v;NaUer<S2A^b))fgBitUW;>$NJJ>GW? ztLhKe2X-YGDCIES+2H_pLOZA}T}ww*InjlsLn#keZKGaj7#~8jlM;vy=%IFy8Q)cQ zUB-+n)KsU?)@h{UDyTGT4}&SSt|9Hxs1Wz}n~R`X!8D~Z#y(EG>MG<9$VdH=dh|76 z)$-b<?HmBotyp$w?~%6l)^^XCa%H4gn9_9AP6p17qV~+etiD>6l7Of>-<6>gE8?rl zOi7iHQM)LiNss5@5;Yi6sWJ*6U9*weIP+nU#uyB$YUvmaVw<h8pv+Rf5o0Syj2ekC zW5=PrwH<W_8rssWSO)luWxwCBuKl{fUpm_*+7?w`TJ0Afd(x*az#XP7yRPzwK?K2# z5mO*-CIKVJ67SI0Q)DdkSR>vnsI=<pHJB~RG6RORNTtl>;7GkNI8yQLPqS%#FboxJ zm9`j96b3Cyj~y{`BxYQDEi&mew!OCv7mj8A`8V$@eJ=nK05%_6_sR6Cc{QyaO;-=S zwAw54kRE{C(U-TSUTbI<8Ch9XKPFgMnyN)(VQDSI6b2oK7|vDdjE^P-wh8%!KD~5A zm0D~hoeD*BU~D$kCC97yGFuADHsZ{(5Njeo4_8gT8k43>L8>o}?VGourLJq$!+%@) zOLeM4uk+r4b+1hyJg=s;v+3$&WfB7l288PXORq*$aj)7Mnp|HA)dX6bN<>?;*t;-Y zsFN;rYtnI2N<;e?c9Bk?U~^i8#e<D3BqpMROl>n6lW9`4hk;D^7ibcjmx>%<N}#Bu z7-Pnc!>rk}F}SJ<?XB(Dz2ze`9qm~4%U70u8#(+U{NmP?KN?VtWn(9eNsb&d5{bOL zzz%xVcJY}aZB1e5-!1bz=(d1|b~E6e{N>zZ3y-vzRBE3CHV9IaZt1(^f!z+?r4hGE z;>pXPn2SC<9!WzUEfo&gJk+=>hJ_R;E-pq<aS0d$QhjMO9IeNpy+_)5PvZVxZ&<n- z+4Icd_P~uRN90vtS#fn@$&l(Hs2Wy<vSb;Gii@(Q0dsMJ{h3rF>tHQOMrXy<Y%pXe zo{_yqR68}xT556g4%#wxam#eYrBb^)yK$kT1C6H|arV?%be+kpO1EIy^4g`xk%Rn+ z1=K0TqC_bc<s~r}|GE8t+tTf*&2(Um+l@7G0IKc(0E0a-le{Kys{jB107*qoM6N<$ Eg8F3bjsO4v literal 0 HcmV?d00001 
diff --git a/modules/InfoCard/www/tokenservice.php b/modules/InfoCard/www/tokenservice.php
new file mode 100644
index 000000000..3c076dfaf
--- /dev/null
+++ b/modules/InfoCard/www/tokenservice.php
@@ -0,0 +1,139 @@
+<?php
+
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: Web interface for the token generator
+*/
+
+
+//Borrowed from xlmseclibs, TEMPORAL
+function decryptMcrypt($data,$key) {
+ $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
+ $iv_length = mcrypt_enc_get_iv_size($td);
+
+ $iv = substr($data, 0, $iv_length);
+ $data = substr($data, $iv_length);
+
+ mcrypt_generic_init($td, $key, $iv);
+ $decrypted_data = mdecrypt_generic($td, $data);
+ mcrypt_generic_deinit($td);
+ mcrypt_module_close($td);
+
+ $dataLen = strlen($decrypted_data);
+ $paddingLength = substr($decrypted_data, $dataLen - 1, 1);
+ $decrypted_data = substr($decrypted_data, 0, $dataLen - ord($paddingLength));
+
+ return $decrypted_data;
+}
+
+
+
+//Input: self issued saml token
+//Returns ppid coded in base 64
+ function getppid($samlToken){
+ $token = new DOMDocument();
+ $token->loadXML($samlToken);
+ $doc = $token->documentElement;
+ return($doc->getElementsByTagname('AttributeValue')->item(0)->nodeValue);
+}
+
+
+// grab the important parts of the token request. these are the username,
+// password, and cardid.
+
+Header('Content-Type: application/soap+xml;charset=utf-8');
+
+$config = SimpleSAML_Configuration::getInstance();
+SimpleSAML_Logger::debug('Tokenservice');
+
+$token = new DOMDocument();
+$token->loadXML($HTTP_RAW_POST_DATA);
+$doc = $token->documentElement;
+
+$cardId = $doc->getElementsByTagname('CardId')->item(0)->nodeValue;
+
+$authenticated = false;
+
+
+$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
+$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+$debugDir = $autoconfig->getValue('debugDir');
+
+
+SimpleSAML_Logger::debug('USERCREDENTIAL: '.$ICconfig['UserCredential']);
+switch($ICconfig['UserCredential']){
+ case "UsernamePasswordCredential":
+ $username = $doc->getElementsByTagname('Username')->item(0)->nodeValue;
+ $password = $doc->getElementsByTagname('Password')->item(0)->nodeValue;
+ if (sspmod_InfoCard_UserFunctions::validateUser(array('username'=>$username,'password'=>$password),$ICconfig['UserCredential'])){
+ $authenticated = true;
+ }
+ break;
+ case "KerberosV5Credential":
+ break;
+ case "X509V3Credential":
+ break;
+ case "SelfIssuedCredential":
+ //Obtener clave simĂ©trica
+ $encKey = base64_decode($doc->getElementsByTagname('CipherValue')->item(0)->nodeValue);
+ $sts_key = $autoconfig->getValue('sts_key');
+ $privkey = openssl_pkey_get_private(file_get_contents($sts_key));
+ $key=NULL;
+ openssl_private_decrypt($encKey,$key,$privkey,OPENSSL_PKCS1_OAEP_PADDING);
+ openssl_free_key($privkey);
+
+ //Recuperar informaciĂłn
+ $encSamlToken = base64_decode($doc->getElementsByTagname('CipherValue')->item(1)->nodeValue);
+ $samlToken=decryptMcrypt($encSamlToken,$key);
+ SimpleSAML_Logger::debug('$samlToken'.$samlToken);
+ $ppid=getppid($samlToken);
+ SimpleSAML_Logger::debug('PPID: '.$ppid);
+
+ if (sspmod_InfoCard_UserFunctions::validateUser(array('PPID'=>$ppid),$ICconfig['UserCredential'])){
+ $authenticated = true;
+ }
+ break;
+ default:
+ break;
+}
+
+
+$messageid = $doc->getElementsByTagname('MessageID')->item(0)->nodeValue;
+
+if ($authenticated){
+ $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard');
+ $ICconfig['issuer'] = $autoconfig->getValue('issuer');
+ $ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt');
+ $ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
+
+ $requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType'));
+ $claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'],$requiredClaims);
+
+ $response = sspmod_InfoCard_STS::createToken($claimValues,$ICconfig,$messageid);
+
+
+}else{
+ $response = sspmod_InfoCard_STS::errorMessage('Wrong Credentials',$messageid);
+}
+
+
+Header('Content-length: '.strlen($buf)+1);
+print($response);
+
+//LOG
+if ($debugDir!=null){
+ $handle=fopen($debugDir.'/'.$messageid.".log","w");
+ fwrite($handle," ------ InfoCard simpleSAMLphp Module LOG ------\n\n");
+ fwrite($handle,"-- TIME: ".gmdate('Y-m-d').' '.gmdate('H:i:s')."\n");
+ fwrite($handle,"-- MESSAGE ID: ".$messageid."\n\n\n");
+ fwrite($handle,"-- RST\n");
+ fwrite($handle,$HTTP_RAW_POST_DATA);
+ fwrite($handle,"\n\n\n-- RSTR\n");
+ fwrite($handle,$response);
+ fclose($handle);
+}
+
+
+?>
\ No newline at end of file
-- GitLab
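Review bot: The debug log at the bottom builds its path as `$debugDir.'/'.$messageid.".log"` with `$messageid` taken verbatim from the request's MessageID, so the request decides where the file is written; derive the name from a server-generated value or sanitise it, e.g. `$logName = preg_replace('/[^A-Za-z0-9._:-]/', '_', $messageid);`, and check `fopen()`'s return before the `fwrite` calls. The same log stores the raw RST, which for UsernamePasswordCredential carries the cleartext Password element, so `debugDir` holds credential material and must be protected like one (or that element redacted before writing). `Header('Content-length: '.strlen($buf)+1)` references `$buf`, which this file never assigns, and in PHP 5 `.` and `+` share precedence so the whole string is coerced to a number, while in PHP 8 it yields `Content-length: 1`; `Header('Content-length: '.strlen($response));` is what was intended. In the SelfIssuedCredential branch the return value of `openssl_private_decrypt()` is ignored (on failure `$key` stays NULL and `decryptMcrypt()` runs anyway), `getppid()` reads the PPID out of the decrypted token with no signature verification visible in this file, and `$username` passed to `fillClaims()` is never set on that path — the last two are worth confirming against `validateUser()`/`fillClaims()`. `loadXML($HTTP_RAW_POST_DATA)` has the same untrusted-input concerns noted for mex.php (default libxml options, reliance on `always_populate_raw_post_data`).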