IIS7 - CardspaceAuth

What is CardSpace Authentication?
This is a managed IIS7 module which helps websites to provide authentication mechanism using Windows CardSpace just like Basic Authentication currently available.

How does it work (UX) ?
When a user browse the website instead of usual authentication window to enter UserName & Password, 

  • User is prompted with Windows CardSpace UI
  • User selects a Self-Issued card (which has all required claims)
  • Submit selected self-issued card to the website
  • The website decrypts the claims and check against Provider (SQL/AD etc...)
  • If the claims meet the requirement, user is allowed access to the site

How does it work (technical) ?

Step 1

IIS7 managed module which kicks in during OnBeginRequest

public void Init(HttpApplication application)
    application.BeginRequest += new EventHandler(OnBeginRequest);

Step 2
This is just a prototype so 1st step is to make-it-work so the method of using "POST" for if condition would change in an ideal world.
HTML file is used so that I can change the infocard triggering code easily.

public void OnBeginRequest(Object source, EventArgs e)
    HttpApplication app = (HttpApplication)source;
    if (app.Request.RequestType != "POST")
        app.Response.AddHeader("CardSpaceAuth", "I handled authentication :)");
        app.Response.StatusCode = 200;
        app.Response.ContentType = "text/html";


Step 3
Here is what is inside "infocard.htm"

<html xmlns="http://www.w3.org/1999/xhtml" >
    <title>Infocard results</title>
        <object type="application/x-informationcard" name="_xmlToken">
            <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
            <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />

    <script language="javascript">
            /* This code gets triggered during page load which triggers CardSpace UI */
            function GoGetIt()
                var xmltkn=document.getElementById("_xmltoken");
                var theinputarea = document.getElementById("xmltoken");
                theinputarea.value = xmltkn.value ;
<body onload="javascript:GoGetIt()"> 
    <form id="form4Card" method="post" action="login.aspx">
        <input type=hidden id="xmltoken" name="xmlToken" />

Step 4
Submitted self-issued card gets submitted to "login.aspx" which process the claims and decides on authentication
Submitted claim gets processed by TokenProcessor

protected void Page_Load(object sender, EventArgs e)
    string xmlToken;
    xmlToken = Request.Params["xmlToken"];
    if (xmlToken == null || xmlToken.Equals(""))
        ShowError("Token presented was null");
        Token token= new Token(xmlToken);
        givenname.Text = token.Claims[ClaimTypes.GivenName];
        surname.Text = token.Claims[ClaimTypes.Surname];
        email.Text = token.Claims[ClaimTypes.Email];
        uid.Text = token.UniqueID;

Yea, it works perfectly according to plans. I need to implement it completely with an IIS manager UI


Sukesh Sukesh Ashok Kumar
Works @ Microsoft

Chat with me!
who's online


All opinions posted here are those of the author and are in no way intended to represent the opinions of his employer. All posts are provided "AS IS" with no warranties, and confers no rights. © Copyright 2010

Recent Comments

Comment RSS

Sign in