There's lots of talk lately about CardSpaces and the underlying WS-* technologies (that aren't Microsoft-specific, which is a good thing) that make it all happen.
We did this week's Hanselminutes on Identity, with CardSpaces as the primary focus. I realized that it's a pretty hard thing to visualize, as the user interface for Windows CardSpace has some new UI techniques like the "Curtain of Security" (my term) that loads the CardSpaces application in a separate desktop context to defeat keyloggers and other evils.
Stuart Celarier at Corillian worked recently on a project to integrate CardSpaces with our eFinance Platform. We've been working with various pre-release versions of CardSpaces for a while, and last month we took a team up to Microsoft to get a live Voyager (Voyager is the name of our eFinance Platform) system integrated with CardSpaces "for real" - as opposed to static demoware. This week Stuart recorded a CardSpace Screencast of the process.
In this demo, we log in as bill27 using a Username and Password, the way folks usually log in. Then while logged in, we visit the Self Service page and ask to associate an Information Card with that account.
When we click Select Information Card, there's an <object> tag within the HTML that asks for specific claims like this:
<OBJECT type="application/x-informationCard" name="xmlToken">
<PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
<PARAM Name="requiredClaims" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
</OBJECT>
This object tag requests the givenname, surname, email address and a privatepersonalidentifier that is unique to the site/user combination, which makes it suitable for use as a key.
On this machine we haven't created or imported any Information Cards yet, so we create a Personal Card. This is a "Self-Issued Card": basically, we act as our own authority and a local Security Token Service (STS) issues the card. There are two kinds of cards, Personal/Self-Issued and Managed. Managed cards will be issued by wholesale identity providers, like perhaps Visa or Mastercard, maybe Amazon and PayPal. We shall see. Managed cards have the benefit of being revocable, just like real credit cards.
After we create a card, we send it to the web server (which happens to be running .NET 1.1) that decodes the Security Token and retrieves each of the claims. Once the Information Card is associated with the account, we can log out.
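To make the "decodes the Security Token and retrieves each of the claims" step concrete, here is an added example (written for this page, not the Voyager code or Stuart's .NET 1.1 implementation) that pulls the four requested claims out of a SAML 1.0 assertion and applies the checks a relying party should make before trusting them: the validity window, the audience the card selector issued the token for, and the presence of every claim the object tag asked for. It is in Python rather than .NET, the assertion XML is a hand-written stand-in, and the site URL is an assumed value. It also assumes the token has already been decrypted with the site's private key and its signature verified, which is where a real deployment spends most of its effort and is out of scope here.

```python
"""Extract identity claims from a decrypted SAML 1.0 assertion.

Constructed example: SAMPLE_ASSERTION is hand-written to mimic the
assertion a relying party sees after decrypting an Information Card
token. Decryption and XML-DSig verification are assumed to have
happened already; this code only parses, validates and extracts.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# The claims the page's <OBJECT> tag asks for.
REQUIRED_CLAIMS = ("givenname", "surname", "emailaddress", "privatepersonalidentifier")
SITE_AUDIENCE = "https://www.example.com/selfservice"  # assumed relying-party URL

# Constructed sample, not a real token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="uuid:constructed-sample-0001"
    Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
    IssueInstant="2007-01-15T10:00:00Z">
  <saml:Conditions NotBefore="2007-01-15T10:00:00Z" NotOnOrAfter="2007-01-15T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://www.example.com/selfservice</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>constructed-subject</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="givenname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Bill</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>bill27@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>PPID-constructed-sample-value</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class TokenRejected(Exception):
    """Raised when the assertion must not be used to sign anyone in."""


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps SAML uses into aware datetimes."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def extract_claims(assertion_xml):
    """Return {claim_name: value} for every identity-claim attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # attributes from other namespaces are not identity claims
        value = attr.find("{%s}AttributeValue" % SAML1_NS)
        if value is not None and value.text:
            claims[attr.get("AttributeName")] = value.text.strip()
    return claims


def validate_assertion(assertion_xml, expected_audience, now):
    """Check version, validity window, audience and required claims; return the claims."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML1_NS or root.get("MajorVersion") != "1":
        raise TokenRejected("not a SAML 1.x assertion")
    cond = root.find("{%s}Conditions" % SAML1_NS)
    if cond is None:
        raise TokenRejected("assertion carries no Conditions")
    if not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        raise TokenRejected("assertion is outside its validity window")
    audiences = [a.text.strip() for a in cond.iter("{%s}Audience" % SAML1_NS) if a.text]
    if expected_audience not in audiences:
        raise TokenRejected("assertion was issued for a different site")
    claims = extract_claims(assertion_xml)
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise TokenRejected("missing claims: %s" % ", ".join(missing))
    return claims


def is_acceptable(assertion_xml, expected_audience, now):
    """Boolean wrapper around validate_assertion for callers that only need yes/no."""
    try:
        validate_assertion(assertion_xml, expected_audience, now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    # Fixed 'now' inside the sample's five-minute window so the demo is reproducible.
    print(validate_assertion(SAMPLE_ASSERTION, SITE_AUDIENCE, parse_utc("2007-01-15T10:02:00Z")))
```

The privatepersonalidentifier is what the account gets keyed on, which is why the audience check matters: the selector derives the PPID per site, so a token minted for another relying party would carry a different PPID and must be rejected outright rather than looked up.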
Then rather than using a Username and Password we can log in using only the Information Card. Of course, using an Information Card doesn't preclude the use of additional factors, including passwords, Intelligent Authentication, or challenge questions.
Here's a list of links to check out:
Thanks to my boss for letting us publish this (formerly) internal CardSpace screencast and to Stuart for making it happen.