What is CardSpace Authentication?
This is a managed IIS7 module that lets websites provide an authentication mechanism based on Windows CardSpace, in the same way that Basic Authentication is available today.

How does it work (UX)?
When a user browses the website, instead of the usual authentication window asking for a user name and password:

  • The user is prompted with the Windows CardSpace UI
  • The user selects a self-issued card (one that carries all the required claims)
  • The selected self-issued card is submitted to the website
  • The website decrypts the claims and checks them against a provider (SQL/AD etc.)
  • If the claims meet the requirements, the user is allowed access to the site

How does it work (technical)?

Step 1

An IIS7 managed module hooks BeginRequest so that OnBeginRequest runs for every request:

public void Init(HttpApplication application)
{
    application.BeginRequest += new EventHandler(OnBeginRequest);
}

Step 2
This is just a prototype, so the first step is to make it work; the method of using "POST" in the if condition would change in an ideal world.
An HTML file is used so that I can change the InfoCard-triggering code easily.

public void OnBeginRequest(Object source, EventArgs e)
{
    HttpApplication app = (HttpApplication)source;
    // Prototype shortcut: anything that is not the token POST gets the CardSpace trigger page
    if (app.Request.RequestType != "POST")
    {
        app.Response.AddHeader("CardSpaceAuth", "I handled authentication :)");
        app.Response.StatusCode = 200;
        app.Response.ContentType = "text/html";
        app.Response.ClearContent();
        // Serve the HTML that hosts the information card <object> and posts the token back
        app.Response.WriteFile(@"infocard.htm");

        // Skip the rest of the pipeline so the originally requested resource is not served
        app.CompleteRequest();
    }
}

Step 3
Here is what is inside "infocard.htm":

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Infocard results</title>
    <script type="text/javascript">
        /* Runs on page load: reading the <object>'s value opens the CardSpace UI, and the
           encrypted token the user returns is copied into the hidden field and posted. */
        function GoGetIt()
        {
            var xmltkn = document.getElementById("_xmlToken"); // must match the <object> id exactly (case-sensitive)
            var theinputarea = document.getElementById("xmltoken");
            theinputarea.value = xmltkn.value;
            document.getElementById("form4Card").submit();
        }
    </script>
</head>
<body onload="GoGetIt()">
    <!-- The information card object: the browser asks CardSpace for a SAML 1.0 token carrying these claims -->
    <object type="application/x-informationcard" id="_xmlToken" name="_xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
    </object>
    <form id="form4Card" method="post" action="login.aspx">
        <input type="hidden" id="xmltoken" name="xmlToken" />
    </form>
</body>
</html>

Step 4
The submitted self-issued card is posted to "login.aspx", which processes the claims and decides on authentication.
The submitted token is processed by the TokenProcessor:

protected void Page_Load(object sender, EventArgs e)
{
    string xmlToken = Request.Params["xmlToken"];
    if (string.IsNullOrEmpty(xmlToken))
    {
        ShowError("Token presented was null");
    }
    else
    {
        // Token (from the TokenProcessor sample) decrypts the posted SAML token and exposes its claims
        Token token = new Token(xmlToken);
        givenname.Text = token.Claims[ClaimTypes.GivenName];
        surname.Text = token.Claims[ClaimTypes.Surname];
        email.Text = token.Claims[ClaimTypes.Email];
        // UniqueID is the stable identifier for this card, the value to look up in the provider
        uid.Text = token.UniqueID;
    }
}
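Putting the four steps into one module that also performs the provider check described in the UX section, as an added example rather than the post's own code: it assumes the `Token` class from the CardSpace TokenProcessor sample is available under the namespace shown, and uses an in-memory dictionary with placeholder values as a stand-in for the SQL/AD provider.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.Web;
using Microsoft.IdentityModel.TokenProcessor; // Token class from the CardSpace TokenProcessor sample (assumed)
// Completes the prototype: requests without a token get infocard.htm; a POST carrying
// xmlToken is decrypted and the card's UniqueID is checked against a provider.
public class CardSpaceAuthModule : IHttpModule
{
    // Stand-in for the SQL/AD provider: UniqueIDs of enrolled cards and their roles
    // (constructed placeholder values, not real card identifiers).
    private static readonly Dictionary<string, string[]> EnrolledCards =
        new Dictionary<string, string[]> { { "PLACEHOLDER-UNIQUEID-ALICE", new[] { "Users" } } };
    public void Init(HttpApplication application) { application.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        string xmlToken = app.Request.Form["xmlToken"];
        if (app.Request.RequestType != "POST" || string.IsNullOrEmpty(xmlToken))
        {
            // No token yet: serve the page whose <object> element triggers the CardSpace selector.
            app.Response.ClearContent();
            app.Response.StatusCode = 200;
            app.Response.ContentType = "text/html";
            app.Response.WriteFile(app.Server.MapPath("~/infocard.htm"));
            app.CompleteRequest();
            return;
        }
        string[] roles;
        try
        {
            // Token(...) decrypts the SAML token with the site's certificate and verifies it; throws on failure.
            Token token = new Token(xmlToken);
            if (!EnrolledCards.TryGetValue(token.UniqueID, out roles))
                throw new UnauthorizedAccessException("card not enrolled with this site");
            // Identity comes from the verified token, never from anything the browser typed.
            app.Context.User = new GenericPrincipal(new GenericIdentity(token.Claims[ClaimTypes.Email]), roles);
        }
        catch (Exception)
        {
            // Undecryptable, tampered or unknown card: fail closed with 401.
            app.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }
}
```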

Yeah, it works perfectly according to plan. I need to implement it completely with an IIS Manager UI.