Sunday, April 26, 2009

Creating CardSpace Credentials at Microsoft’s Identity Labs Web Site

Microsoft’s Identity Lab (Identity Protocols Security Token Service, ipsts) is a set of hosted security token services to support testing of Identity Protocols. The goal of the lab is to provide a set of custom test endpoints to evaluate the interoperability of Identity Protocols amongst multiple partners and vendors. Microsoft promotes its CardSpace credentials as an industry-standard, SAML v1.1-compliant source of identity information.

Note: For an overview of Windows “Geneva” and CardSpace, read David Chappell & Associates’ “Introducing ‘Geneva’” white paper and Matias Woloski’s Multi tenant federation with Geneva Framework and Microsoft .NET Services Access Control post of 4/23/2009, from which the following illustration was taken:

There are no help buttons on the pages for creating a CardSpace credential, so I captured the following page views to help readers of Chapter 9, “Authenticating Users with .NET Access Control Services,” add a CardSpace credential to their computer.

Browse to the Microsoft Identity Lab’s Microsoft Identity Interop Sts Logon page and click the Sign Up button to open the Registration page. Type a fictitious name in the UserName text box, a password in the Password and Confirm Password text boxes, and mark the Accept Terms of Use check box:

Click Submit to open the Claims Configuration page. Accept the default (marked) setting for the By Default, Release the Following Claims to Any Relying Party check box. These are the minimum claims required by most relying parties. Type fictitious names in the First Name and Last Name text boxes, and accept the referring party’s Email Address (UserName@ipsts.federatedidentity.net).

Click Continue to open the Edit Profile Information/Manage Relying Party Policies page (see Figure 9-09). The Edit Profile Information link opens a page that lets you add to and edit the information you entered previously; the Manage Relying Party Policies page enables selecting the profile information you release to relying parties:

Click the Edit Profile Information Link to open an expanded version of the Claims Configuration page. Complete the entries with fictitious information and enable their selection for your profile by marking the associated check box:

Click Submit to return to the Edit Profile Information/Manage Relying Party Policies page, click Save, and then click the Manage Relying Party Policies link to open the Relying Parties page, which contains Edit/View buttons for the HTTPS and HTTP policies.

Click the Edit/View button for the https://relyingparty.federatedidentity.net party to open the Edit a Policy page. Mark the check boxes for the profile items you want to release and select the public key file (CertName.cer) for your localhost or other certificate you created for authenticating users:

Click Save to save your changes and return to the Edit Profile Information/Manage Relying Party Policies page.

Click the Download Your Username/Password card button to open the File Download dialog for the InformationCard.crd file, and click Yes when asked if you want to save the card with Windows CardSpace “Geneva” on your local computer. This will add the CardSpace credential to the Windows CardSpace “Geneva” Beta Control Panel applet (Control Panel –> Windows CardSpace “Geneva” in Vista):
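The steps above configure which claims the card releases to https://relyingparty.federatedidentity.net; the other half of the story is what the relying party does with the SAML v1.1 token it receives. The following Python is an added example, not code from this post or from Microsoft’s Identity Lab: it builds a constructed SAML 1.1 assertion shaped like a CardSpace-issued token (fictitious values, the relying party URL from this post, and the WS-Identity claim names givenname, surname and emailaddress for the First Name, Last Name and Email Address claims) and runs the checks a relying party should apply before trusting the claims: SAML version, validity window, audience restriction, and presence of the minimum required claims. Verifying the token’s XML signature against the STS certificate is assumed to have happened before these checks and is not shown.

```python
"""Relying-party-side checks on the claims released in a SAML 1.1 token.

Added example (not from the original post or from Microsoft): the token below is
constructed, and signature verification is assumed to run before validate_token().
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 keeps the 1.0 namespace URI
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"  # WS-Identity claim types

# The three claims the post describes as the minimum most relying parties require.
REQUIRED_CLAIMS = ("givenname", "surname", "emailaddress")
# The relying party whose policy is edited in the post.
EXPECTED_AUDIENCE = "https://relyingparty.federatedidentity.net"

# Constructed sample token; names and e-mail address are fictitious, like the profile in the post.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="uuid-constructed-0001"
    Issuer="http://ipsts.federatedidentity.net/" IssueInstant="2009-04-26T12:00:00Z">
  <saml:Conditions NotBefore="2009-04-26T12:00:00Z" NotOnOrAfter="2009-04-26T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Fictitious</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>janef@ipsts.federatedidentity.net</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the xsd:dateTime form SAML uses ('...Z', UTC) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(token_xml):
    """Return {claim_name: value} for attributes in the WS-Identity claims namespace."""
    root = ET.fromstring(token_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # ignore claim namespaces this relying party does not understand
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        if value is not None and value.text:
            claims[attr.get("AttributeName")] = value.text.strip()
    return claims


def validate_token(token_xml, now_utc, audience=EXPECTED_AUDIENCE, required=REQUIRED_CLAIMS):
    """Return (ok, reasons); ok is True only when every relying-party check passes.

    now_utc is an xsd:dateTime string such as "2009-04-26T12:01:00Z".
    """
    root = ET.fromstring(token_xml)
    now = _ts(now_utc)
    reasons = []

    # Only accept the token format the STS is documented to issue.
    if (root.tag != f"{{{SAML_NS}}}Assertion"
            or root.get("MajorVersion") != "1" or root.get("MinorVersion") != "1"):
        reasons.append("not a SAML 1.1 assertion")

    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        reasons.append("missing Conditions or validity window")
    else:
        # Reject replayed or not-yet-valid tokens.
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            reasons.append("token outside its validity window")
        # A token minted for another relying party must not be accepted here.
        audiences = [a.text.strip() for a in cond.iter(f"{{{SAML_NS}}}Audience") if a.text]
        if audience not in audiences:
            reasons.append("audience restriction does not name this relying party")

    # The card's policy decides what is released; the relying party decides what it needs.
    missing = [c for c in required if c not in extract_claims(token_xml)]
    if missing:
        reasons.append("missing required claims: " + ", ".join(missing))

    return (not reasons), reasons


if __name__ == "__main__":
    print(validate_token(SAMPLE_TOKEN, "2009-04-26T12:01:00Z"))
```

If the card’s policy releases fewer claims than the relying party requires (for example, the Last Name check box was left unmarked on the Edit a Policy page), the token parses cleanly but `validate_token` reports the missing claim rather than letting the application fall through with a partial identity.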

For more information on the CardSpace Control Panel applet, read Oren Melzer’s The CardSpace “Geneva” Selection Experience post of 11/18/2008 to the somnolent “Geneva” Team Blog.

The OfficeLive team announced on 8/27/2007 that Windows Live ID adds Beta support for Information Cards with Windows CardSpace! However, I haven’t been able to get the Windows Live ID Information Card management page to work, regardless of whether I use saved username/password credentials or type them in manually. After almost two years, you would think their process would be out of beta and work reliably.

Mary Branscombe's When will Windows Live stop treating CardSpace as the unwanted stepchild? post of 10/29/2008 laments that “Windows Live [ID is] ignoring CardSpace.”
