Introduction
In part one we set up a high assurance certificate. Now it's time to put together a simple application that uses CardSpace for registration and access instead of the standard username/password.
Setup a simple application
The first step is to set up a directory for our application and create a quick and dirty default.htm page. Using VS 2005, create a new website; I targeted C:\inetpub\wwwroot\CardSpace. Use the IIS manager to create a virtual directory pointing to this directory and give it the alias CardSpaceTest. We don't use the VS2005 web server here since we need an HTTPS (SSL) connection.
For the purposes of this example I'm going to dispense with supporting two login mechanisms (e.g. username/password and CardSpace) and just concentrate on incorporating CardSpace. As a side note, it would be important to include both mechanisms in a real site, since browsers like Firefox and Opera don't support CardSpace. Microsoft has promised to provide support for these browsers in the future. With our directory set up, create a new page called default.htm. This is the entry point into our application. This page lets the user select an identity card that will eventually be submitted to the site. To have a card selected we need to instruct IE 7 to invoke the CardSpace selector, which looks like this:

There are two ways to declare the CardSpace selector within the page: the OBJECT tag or some XHTML markup. For this sample I've chosen the OBJECT tag. Here are the contents of default.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Sample 1</title>
</head>
<body>
<form id="form1" method="post" action="cardprocessor.aspx">
<button type="submit">
Click here to sign in with your Information Card
</button>
<!-- The OBJECT tag tells IE 7 to invoke the CardSpace selector; the token is posted in the xmlToken field -->
<object type="application/x-informationcard" name="xmlToken">
<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
<param name="issuer"
value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
<!-- requiredClaims is a whitespace-separated list of claim URIs; each URI must stay on one line -->
<param name="requiredClaims"
value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>
</form>
</body>
</html>
Within the object tag the important thing to note for now is the requiredClaims parameter. This specifies what information the card must send in order to be accepted. You can see it requires the given (first) name, the surname, the email address and a private personal identifier. The last one is important as it provides a unique string for this particular card. This is useful if you are storing cards in a database, as it lets you find the particular user that owns the card. There is a complete list of claims at the end of this article.
Creating your first Personal card
So the page is a very simple one with just one button. Open IE 7 and navigate to https://www.fabrikam.com/CardSpaceTest/login.htm. You'll remember from part one that we installed a high assurance certificate here, so the address bar should be green. Clicking the button opens the Card Selector:

This card is informing me that the last time I was at this site I declined to send a card. I did that so I could get a screen shot of this dialog. I'm still trying to figure out how to get an image into the site information listing. This page gives you the basic information on the site you're visiting so you can be sure you're visiting the correct site before sending your private information. Since we've set up this site, let us assume we can trust it. Select "Yes, choose a card to send" and this dialog will open.

Click Add a Card and then click the Add button at the bottom. You’ll be prompted to create a card. Select “Create a Personal card”. This represents a self-signed card. I’ll cover the difference between Personal cards and Managed cards in another article.

Under Card properties you can enter the name of the card to help you identify it, and you can choose a simple image for the card. Below that you'll see three red fields. These fields represent the requiredClaims parameter that we specified for the card when we declared the OBJECT tag on the default.htm page. The privatepersonalidentifier isn't displayed as this is a value generated by CardSpace internally. While you are free to enter all the other information, such as your address, it won't be sent with the card as it's not a required claim. Once you've entered the basic information, save the card.
Since you’ve never submitted this card to this site before, the system will warn you of that and you’ll be forced to review the card’s information.

You can see all the information that will be sent along with the card and can edit any mistakes you might have made. At this point, close the CardSpace window. You'll notice that you get a 404 error as the Card Selector has submitted the form. I'm not sure if this is by design, but if you use the XHTML CardSelector markup, this doesn't occur. I've dropped Microsoft an email about this and if I get an answer I'll post it up on my blog.
Summary
We've now set up a page that lets you select and submit a card, but we've nothing to actually accept the submission! Go back to the HTML and you'll see the action attribute of the form points to cardprocessor.aspx. We're going to use this page to actually process the card information; I'll cover it in part three.
I would now like to return to the requiredClaims we specified. In this example we're only requesting four pieces of information but, as you have seen, you can include much more. Each claim is identified by a URI in a particular namespace. Here they are:
- Given Name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Email Address = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Surname = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Street Address = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress
- Locality = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
- State/Province = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
- Postal Code = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
- Country = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
- Home Phone = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
- Other Phone = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
- Mobile Phone = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
- Date of Birth = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
- Gender = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
- PPID = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
- Web site = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/website
[This list was taken from http://msdn2.microsoft.com/en-us/library/aa395199.aspx]
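As an added example (not code from the article, nor from Microsoft's CardSpace SDK), here is a small Python helper that builds the OBJECT tag from the claim names listed above and checks an existing tag's requiredClaims value, including the case where a URI has been broken across a line; the function names and the check logic are my own.

```python
from html.parser import HTMLParser

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Claim suffixes from the list in the article (MSDN aa395199).
KNOWN_CLAIMS = {
    "givenname", "emailaddress", "surname", "streetaddress", "locality",
    "stateorprovince", "postalcode", "country", "homephone", "otherphone",
    "mobilephone", "dateofbirth", "gender", "privatepersonalidentifier", "website",
}
PPID = CLAIMS_NS + "privatepersonalidentifier"

def build_object_tag(claims):
    """Return the <object> markup; claims are short names such as 'surname'."""
    unknown = [c for c in claims if c not in KNOWN_CLAIMS]
    if unknown:
        raise ValueError(f"unknown claim(s): {unknown}")
    # One space-separated value: a line break inside a URI would split it in two.
    required = " ".join(CLAIMS_NS + c for c in claims)
    return (
        '<object type="application/x-informationcard" name="xmlToken">\n'
        '<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />\n'
        '<param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />\n'
        f'<param name="requiredClaims" value="{required}" />\n</object>'
    )

class _ParamCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.params = {}  # <param name> -> value, for every param tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "param":
            a = dict(attrs)
            self.params[a.get("name")] = a.get("value") or ""

def check_required_claims(markup, need_ppid=True):
    """Return the problems found in the tag's requiredClaims (empty list means OK)."""
    p = _ParamCollector()
    p.feed(markup)
    p.close()
    value = p.params.get("requiredClaims")
    if value is None:
        return ["no requiredClaims param"]
    uris = value.split()  # the browser splits the value on whitespace
    problems = [f"unknown claim URI: {u}" for u in uris
                if not u.startswith(CLAIMS_NS) or u[len(CLAIMS_NS):] not in KNOWN_CLAIMS]
    if need_ppid and PPID not in uris:
        problems.append("privatepersonalidentifier missing: no per-card key to find the user by")
    return problems
```

A requiredClaims value in which a URI is split by a line break shows up as two unknown tokens plus a missing PPID, which is exactly the defect a copy-and-paste of wrapped markup introduces.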
References
Microsoft’s CardSpace: Part 1 – Getting started
Microsoft’s CardSpace: Part 3 – Using a Card
About Tomas McGuinness
Tom McGuinness is currently working as an application developer for Barclays Capital in London. He has worked primarily in web application development for a variety of companies.