What is CardSpace Authentication?
This is a managed IIS7 module that lets a website authenticate users with Windows CardSpace, in the same way the Basic Authentication module available today does with a user name and password.
How does it work (UX)?
When a user browses the website, instead of the usual authentication window asking for a user name and password:
- The user is prompted with the Windows CardSpace UI
- The user selects a Self-Issued card (which has all the required claims)
- The selected self-issued card is submitted to the website as an encrypted token
- The website decrypts the token and checks the claims against a provider (SQL/AD etc.)
- If the claims meet the requirement, the user is allowed access to the site
How does it work (technical)?
Step 1
An IIS7 managed module whose handler kicks in on BeginRequest, i.e. before any handler runs:
// Init is the IHttpModule entry point; subscribing to BeginRequest means
// OnBeginRequest runs for every request to the site.
public void Init(HttpApplication application)
{
application.BeginRequest += new EventHandler(OnBeginRequest);
}
Step 2
This is just a prototype, so the first step is to make it work; the method of using "POST" in the if condition would change in an ideal world.
An HTML file is used so that I can change the InfoCard triggering code easily.
public void OnBeginRequest(Object source, EventArgs e)
{
HttpApplication app = (HttpApplication)source;
// Prototype rule: anything that is not a POST gets the CardSpace trigger page
// instead of the requested resource; the token POST itself passes through.
if (app.Request.RequestType != "POST")
{
app.Response.AddHeader("CardSpaceAuth", "I handled authentication :)");
app.Response.StatusCode = 200;
app.Response.ContentType = "text/html";
app.Response.ClearContent();
// MapPath resolves the file against the application root rather than the
// worker process's current directory.
app.Response.WriteFile(app.Server.MapPath("~/infocard.htm"));
// Skip the rest of the pipeline so the real handler never runs.
app.CompleteRequest();
}
}
Step 3
Here is what is inside "infocard.htm"
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Infocard results</title>
<!-- The object element is what makes IE7 show the CardSpace selector; the
     browser fills its value with the encrypted token the user releases. -->
<object type="application/x-informationcard" id="_xmlToken" name="_xmlToken">
<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
<param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>
<script type="text/javascript">
/* Runs on page load: reading the object's value triggers the CardSpace UI,
   and the returned token is copied into the hidden field and POSTed. */
function GoGetIt()
{
var xmltkn = document.getElementById("_xmlToken");
var theinputarea = document.getElementById("xmltoken");
theinputarea.value = xmltkn.value;
document.getElementById("form4Card").submit();
}
</script>
</head>
<body onload="GoGetIt()">
<form id="form4Card" method="post" action="login.aspx">
<input type="hidden" id="xmltoken" name="xmlToken" />
</form>
</body>
</html>
Step 4
The submitted self-issued card (the encrypted token) is POSTed to "login.aspx", which processes the claims and decides on authentication.
The submitted token is processed by TokenProcessor:
protected void Page_Load(object sender, EventArgs e)
{
// Read the token from the POST body only; Request.Params would also accept
// it from the query string or a cookie.
string xmlToken = Request.Form["xmlToken"];
if (string.IsNullOrEmpty(xmlToken))
{
ShowError("Token presented was null");
}
else
{
// Token (the SDK TokenProcessor sample) decrypts and validates the token,
// throwing if either step fails, before exposing the claims.
Token token = new Token(xmlToken);
givenname.Text = token.Claims[ClaimTypes.GivenName];
surname.Text = token.Claims[ClaimTypes.Surname];
email.Text = token.Claims[ClaimTypes.Email];
// UniqueID is derived from the PPID claim and is the stable identifier for the card.
uid.Text = token.UniqueID;
}
}
Yeah, it works perfectly according to plan. I need to implement it completely, with an IIS Manager UI.
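Taking the four steps together, here is the flow completed the way the post defers to "an ideal world". This is an added example, not code from the original post: the module gates each request on whether a valid forms-authentication ticket is present rather than on the HTTP method, exempts login.aspx and the trigger page so the login flow can complete, and login.aspx issues that ticket only after the CardSpace token has been accepted. It assumes the Token class from the Windows SDK CardSpace TokenProcessor sample that the post already uses (its constructor throws on a token it cannot decrypt or validate; whatever namespace your copy of TokenProcessor.cs declares is assumed to be imported), ASP.NET forms authentication enabled in web.config, and a hypothetical IsRegisteredCard lookup standing in for the SQL/AD provider.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: gates on a forms-authentication ticket, not on the HTTP verb.
public class CardSpaceAuthModule : IHttpModule
{
    // Requests that must pass without a ticket, or the login flow can never complete.
    private static readonly string[] ExemptPaths = { "~/login.aspx", "~/infocard.htm" };

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string path = app.Request.AppRelativeCurrentExecutionFilePath;
        foreach (string exempt in ExemptPaths)
        {
            if (string.Equals(path, exempt, StringComparison.OrdinalIgnoreCase))
                return;
        }
        if (HasValidTicket(app.Request))
            return;

        // Unauthenticated, whatever the verb: replace the response with the
        // CardSpace trigger page and stop the pipeline for this request.
        app.Response.Clear();
        app.Response.StatusCode = 200;
        app.Response.ContentType = "text/html";
        app.Response.WriteFile(app.Server.MapPath("~/infocard.htm"));
        app.CompleteRequest();
    }

    // BeginRequest fires before FormsAuthenticationModule sets Context.User, so the
    // ticket is decrypted and checked here. Decrypt verifies the ticket's MAC, so a
    // forged or foreign cookie fails this check.
    private static bool HasValidTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false;
        }
    }
}

// Code-behind for login.aspx: accept the token, then issue the ticket.
public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Take the token from the POST body only; Request.Params would also
        // accept it from the query string or a cookie.
        string xmlToken = Request.Form["xmlToken"];
        if (Request.HttpMethod != "POST" || string.IsNullOrEmpty(xmlToken))
        {
            Response.Redirect("~/");   // back through the module, which re-prompts
            return;
        }

        Token token;
        try
        {
            token = new Token(xmlToken);   // throws if it cannot be decrypted or validated
        }
        catch (Exception)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Only the PPID (token.UniqueID) identifies a self-issued card; given name,
        // surname and e-mail are typed by the user and prove nothing.
        string ppid = token.UniqueID;
        if (string.IsNullOrEmpty(ppid) || !IsRegisteredCard(ppid))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        FormsAuthentication.SetAuthCookie(ppid, false);
        Response.Redirect("~/");
    }

    // Hypothetical placeholder: replace with the lookup against the site's
    // provider (SQL/AD) that maps a registered PPID to an account.
    private static bool IsRegisteredCard(string ppid)
    {
        return ppid.Length > 0;
    }
}
```

Register the module in web.config under system.webServer/modules for the IIS7 integrated pipeline. Because the decision is made from the ticket rather than the verb, a POST to any page other than login.aspx no longer bypasses the check, and the given name, surname and e-mail claims can still be displayed but never take part in the access decision.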