What is CardSpace Authentication?
This is a managed IIS7 module that lets websites offer an authentication mechanism based on Windows CardSpace, in the same way Basic Authentication is available today.
How does it work (UX)?
When a user browses the website, instead of the usual authentication window asking for UserName & Password:
- The user is prompted with the Windows CardSpace UI
- The user selects a Self-Issued card (which has all required claims)
- The selected self-issued card is submitted to the website
- The website decrypts the claims and checks them against a Provider (SQL/AD etc.)
- If the claims meet the requirement, the user is allowed access to the site
How does it work (technical)?
An IIS7 managed module kicks in during OnBeginRequest:
    public void Init(HttpApplication application)
    {
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }
This is just a prototype, so the first step is to make it work; using the request method ("POST") as the if condition would change in an ideal world. As written, any POST request passes through the module untouched.
An HTML file is used so that I can change the InfoCard triggering code easily.
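    public void OnBeginRequest(Object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        // Any request that is not a POST is answered with the card-selector page.
        if (app.Request.RequestType != "POST")
        {
            app.Response.AddHeader("CardSpaceAuth", "I handled authentication :)");
            app.Response.StatusCode = 200;
            app.Response.ContentType = "text/html";
            // The contents of infocard.htm are sent as the response body (code not shown).
        }
    }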
Here is what is inside "infocard.htm":
    <html xmlns="http://www.w3.org/1999/xhtml" >
    <body>
    <object type="application/x-informationcard" name="_xmlToken" id="_xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
    </object>
    <form id="form4Card" method="post" action="login.aspx">
    <input type="hidden" id="xmltoken" name="xmlToken" />
    </form>
    <script type="text/javascript">
    /* This code gets triggered during page load which triggers CardSpace UI */
    var xmltkn = document.getElementById("_xmlToken");
    var theinputarea = document.getElementById("xmltoken");
    theinputarea.value = xmltkn.value;
    document.getElementById("form4Card").submit();
    </script>
    </body>
    </html>
The selected self-issued card is submitted to "login.aspx", which processes the claims and decides on authentication.
The submitted claims are processed by TokenProcessor:
    protected void Page_Load(object sender, EventArgs e)
    {
        string xmlToken = Request.Params["xmlToken"];
        if (xmlToken == null || xmlToken.Equals(""))
        {
            ShowError("Token presented was null");
        }
        else
        {
            // Token (from TokenProcessor) processes the submitted token and exposes its claims.
            Token token = new Token(xmlToken);
            givenname.Text = token.Claims[ClaimTypes.GivenName];
            surname.Text = token.Claims[ClaimTypes.Surname];
            email.Text = token.Claims[ClaimTypes.Email];
            uid.Text = token.UniqueID;
        }
    }
Yeah, it works perfectly, according to plan. I need to implement it completely with an IIS Manager UI.
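The post notes that gating on "POST" would change in an ideal world. One way to do that, as an added example that is not the prototype's own code, is to gate on whether the request is already authenticated and let only the token POST to login.aspx through anonymously. The class name, the "~/" paths, and the idea that login.aspx issues a Forms Authentication ticket once the token checks out are assumptions.

```csharp
using System;
using System.Web;

// Added example (hypothetical class name): gate on authentication state, not on the HTTP verb.
public class CardSpaceGateModule : IHttpModule
{
    // Assumed locations of the token-processing page and the card-selector page.
    private const string LoginPath = "~/login.aspx";
    private const string CardPage = "~/infocard.htm";

    public void Init(HttpApplication application)
    {
        // Runs after ASP.NET has established Context.User, for example from a
        // Forms Authentication ticket that login.aspx issued on success (assumption).
        application.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private void OnPostAuthenticateRequest(object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        HttpContext ctx = app.Context;

        // Already signed in: let the request continue down the pipeline.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return;

        // The only anonymous request allowed past the gate is the token POST
        // to the login page, which still has to validate the token itself.
        bool isTokenPost =
            ctx.Request.HttpMethod == "POST" &&
            string.Equals(ctx.Request.AppRelativeCurrentExecutionFilePath,
                          LoginPath, StringComparison.OrdinalIgnoreCase);
        if (isTokenPost)
            return;

        // Every other anonymous request, whatever its verb, gets the card selector page.
        ctx.Response.StatusCode = 200;
        ctx.Response.ContentType = "text/html";
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        ctx.Response.WriteFile(ctx.Server.MapPath(CardPage));
        app.CompleteRequest(); // skip the handler for the originally requested resource
    }

    public void Dispose() { }
}
```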