May 24th, 2007

How to use CardSpace to secure web applications

Cesar De la Torre
Principal Program Manager

Using CardSpace to secure a Web Application…, that sounds interesting… We can also use CardSpace for securing WCF-Services for SOA application, but I leave that for another posting. :-).
For a Web Application, we need to implement CardSpace within the Login and registration page, because we’ll use it as an Authentication method.
So, let’s suppose we have a registration page called Registration.aspx. We’ll have to embedded ‘something’ into the HTML so the browser can know how to trigger CardSpace secure environment (the credentials selector). So, what can it be?. Well, we’ve got at least two choices:
– A.- The CardSpace ActiveX Control which defines the requirements for our CardSpace implementation.
– B.- An ‘XHTML binary behavior‘ for CardSpace describing the information card requirements. I’d use this option for non-IE browsers, like FireFox, etc.
In either case, we’ll have to describe what are the InformationCard requirements. The two most important parameters are:
– Token Type: It tells to CardSpace user interface to prompt only with cards that represent this type of token.
– Claims: Claims that must be passed in the security token containing the user’s identity. In this case, we require just ‘required claims’, but a user could also choose to send optional claim information as well, so it will also provide things like name, surname, address, or any other type of claim.
If we use a CardSpace ActiveX Control, it would be something like:

<object type=”application/x-informationcard” name=”xmlToken” id=”xmlToken”>      

   <param name=”tokenType” value=”urn:oasis:names:tc:SAML:1.0:assertion” />  

 

   <param name=”requiredClaims” value=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier” />

<object/>

On the other hand, if we use a ‘XHTML binary behavior’, it would be something similar to:

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>

<html xmlns=”http://www.w3.org/1999/xhtml” xmlns:ic>

<head><title>My Web-Site</title>

<link xhref=”App_Themes/site_styles.css” mce_href=”App_Themes/site_styles.css” rel=”stylesheet” type=”text/css” />

 

<ic:informationcard

  id=’infocardBehavior’

  name=’infocardBehavior’

  style=’behavior: url(#default#informationCard)’

  issuer=’http://sts.labs.live.com/trust/InfoCard’

  tokenType=’http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1′>

<ic:add claimtype=’http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier’ optional=’false’ />

</ic:informationcard>

</head>

Take into account that usually, you need something more than just single auto-assigned information cards. If you really want to authenticate, you need to do it against any user credentials repository, right?. Well, it depends of our environment, but usually we’ll have two typical ways of ‘how to authenticate’:


A. – Use auto self assigned information cards and then, when the user is registering itself, we can create a Membership user, so, we can associate the card-id with the Membership user id we’ve just created.
B.- The second way is, of course, involving an ‘Identity Provider‘ in our system, using a STS (Security Token Service) which will be the external authority or ‘Identity Provider‘ assigning security tokens (any kind), and then, the Relying party (your web application) should also authenticate that security token agaist any type of user credentials repository (Active Directory Federation Services, Membership, or any other kind).


So!, it is not a really complicated thing, but you have to consider different choices and getting the best from different worlds (HTML, Script and .NET executing at the server).
Read the following articles for a deeper scuba-diving in CardSpace:
Secure Your ASP.NET Apps And WCF Services With Windows CardSpace

http://msdn.microsoft.com/msdnmag/issues/07/04/identity/

How to Use Windows CardSpace with Internet Explorer 7.0

http://msdn2.microsoft.com/en-us/library/aa395199.aspx

and also: http://cardspace.netfx3.com/

Interesting, uh? 🙂

Author

Cesar De la Torre
Principal Program Manager

Principal Program Manager at the Azure team.

0 comments

Discussion are closed.