CardSpace: Quick Start

Windows CardSpace is only one example of Information Card technology, but it is the best-known. This summary is meant to describe the current state of Information Card technology as it evolves over time. If you find that this summary is missing information, please comment and I will make sure to update it.

Last updated: 17 March 2010 (previous updates: 12 August 2008, 6 January 2008, 28 May 2007, 4 April 2007, 27 January 2007)

New: MS Guide to Claims-Based Identity, very useful

Information Cards in a Nutshell

CardSpace is a software client that runs on Microsoft Windows and can participate as an Identity Selector within the framework of the Identity Metasystem, one of theoretically many different card systems that use Information Cards. CardSpace uses WS-* protocols to communicate claims between three parties: the Identity Provider (IdP), the Relying Party (RP), and the Identity Selector.

  1. A user requests access to a resource or begins a transaction that requires information card validation. This site (called the Relying Party because it wishes to rely upon information from another source) triggers an Identity Selector client to start on the user’s local desktop. Examples of this could be authentication to a web resource, or entering into a purchasing transaction where credit card information is requested. The Relying Party requests one or more units of information – each unit of information is called a “claim”.
  2. The Identity Selector client prompts the user to choose one of possibly many “information cards” that represent collections of claims owned/managed by any number of different Identity Providers, and that match the types of claims required by the Relying Party. Note that the information card itself is just a pointer to the data; it does not contain any claim data.
  3. Once the user selects a card, the Identity Selector client brokers the transfer of claim values between the chosen Identity Provider and the original Relying Party. If/when the Relying Party accepts the brokered claims, the transaction is considered successful and the Identity Selector closes.
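The three steps above as a small Python simulation, added here as an illustration (it is not CardSpace code or any real selector's): the RP states the claims it requires, the selector offers only cards that cover them, the chosen card's Identity Provider releases the values, and the RP checks the result. The claim URIs are from the Identity Selector Interoperability Profile; MEMBER_ID, the sample records and the sample cards are constructed.

```python
from dataclasses import dataclass

# Claim-type URIs from the Identity Selector Interoperability Profile.
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GIVENNAME, SURNAME, EMAIL, PPID = (
    NS + s for s in ("givenname", "surname", "emailaddress", "privatepersonalidentifier"))
# Self-issued (Personal) cards may carry only a fixed list of claim types
# (abbreviated here to four of the real ones).
SELF_ISSUED_CLAIMS = frozenset({GIVENNAME, SURNAME, EMAIL, PPID})
MEMBER_ID = "https://idp.example.invalid/claims/memberid"  # constructed managed-only claim

@dataclass(frozen=True)
class Card:
    name: str
    issuer: str           # "self" or the managed Identity Provider's name
    supported: frozenset  # claim types offered; the card itself holds no values

def issue_token(issuer, records, card, requested, audience):
    # Identity Provider side: release only claims the card advertises, bound to the RP.
    if not requested <= card.supported:
        raise ValueError("card does not offer a requested claim")
    return {"issuer": issuer, "audience": audience,
            "claims": {c: records[c] for c in requested}}

def new_self_issued_card(name, claims):
    bad = set(claims) - SELF_ISSUED_CLAIMS  # enforce the strict self-issued claim list
    if bad:
        raise ValueError(f"self-issued cards cannot carry {sorted(bad)}")
    return Card(name, "self", frozenset(claims))

def matching_cards(cards, required):
    # Step 2: the selector offers only cards covering every required claim.
    return [c for c in cards if required <= c.supported]

def relying_party_accepts(token, required, audience):
    # Step 3: the RP checks the token is for it and carries every claim it asked for.
    return token["audience"] == audience and required <= set(token["claims"])

def run_transaction(cards, providers, required, audience, chosen=0):
    # Broker one exchange: filter cards, fetch claims from the IdP, hand off to the RP.
    card = matching_cards(cards, required)[chosen]
    token = issue_token(card.issuer, providers[card.issuer], card, required, audience)
    return relying_party_accepts(token, required, audience), token

# Constructed sample data: claim values live at each IdP, not in the cards.
SAMPLE_RECORDS = {
    "self": {GIVENNAME: "Pat", EMAIL: "pat@example.invalid"},
    "club": {EMAIL: "pat@club.example.invalid", MEMBER_ID: "C-1234"}}
SAMPLE_CARDS = [new_self_issued_card("Personal", {GIVENNAME, EMAIL}),
                Card("Club", "club", frozenset({EMAIL, MEMBER_ID}))]
```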

Things to Remember

  • Although CardSpace is just one implementation of one part of a 3-part system, many people say “CardSpace” and mean not just the client, but the whole process. This isn’t perfect usage but it gets the general point across. CardSpace has much more visibility than “the Identity Metasystem” as an understood term.
  • The generic concept of information cards has many synonyms and abbreviations: i-cards, iCard, and infocard are some examples.
  • CardSpace and Windows Card Services (WCS) are the same thing, and they both used to be known as “InfoCard”.
  • The CardSpace client is installed as part of the “.NET Framework 3.x” subsystem (formerly WinFX).
    • The original version of CardSpace was part of .NET Framework 3.0.
    • There is a new version of CardSpace, included with .NET Framework 3.5.
    • As of 11 Aug 2008, SP1 for .NET 3.5 is available.
  • The CardSpace client can be triggered in two ways:
    • From a browser.
    • From a desktop application (i.e. a rich client)
      • Could be a service built using Windows Communication Foundation (formerly Indigo).
      • Could be a service built using Zermatt, which is currently in public beta
  • The applet that starts CardSpace from the Control Panel used to be called “digital identities” but now it is called “Windows CardSpace”.
  • Information cards can currently be of two types:
    • Self-issued (now called Personal) Cards:
      • Self-issued cards contain data that users may create and manage from within the identity selector.
      • Self-issued cards may only contain a strict list of claims.
    • Managed Cards:
      • Managed cards contain data that is owned by an “authority” that is not the Identity Selector. Data about the user is managed at the Identity Provider, and the Identity Provider is responsible for the veracity of that data.
      • Managed cards can contain any kind of claim.
  • Some Identity Selectors also require a separate “Browser Add-on” in order to function – this browser add-on works to trigger standalone identity selectors, and to select which of possibly multiple identity selectors should open when you begin an information card transaction.

Starting point

Information Card Foundation

  • This foundation has been formed as a focal point for users and developers – not a lot of content is there, but we are working on it.

Information Card Documentation List

  • This is my list of technical and non-technical documentation on the subject of Information Cards.

Kim Cameron’s Identity Weblog.

  • Kim came up with the concept of information cards and has evangelized them tirelessly ever since. His blog acts as an aggregator for the debate around information cards, CardSpace, user-centric identity, and identity in general. He’s Maven, Connector, and Salesman all in one package.

Internet Scale Identity Systems Overview

Ping Identity put this white paper together to describe & compare the major forces in User-centric identity. It is a good overview of the problem space.

Identity Selectors

Windows CardSpace

CardSpace can be triggered from IE7 natively, and from Firefox using a browser extension (get it here).

  • Windows CardSpace Sandbox
    • This contains the list of what you need and where to get it for the purpose of authenticating to the handful of example sites on the web that take information cards (Check out the Information Card Enabled Internet Sites section below).
  • Windows CardSpace Simple Demo
    • This is a channel 9 video by Richard Turner which shows the Windows CardSpace client in use.

DigitalMe

DigitalMe is part of Higgins, and packaged by the Bandit team at Novell. DigitalMe is open-source code that can theoretically be compiled for any platform, but is currently supported in binary form for SUSE and Mac OS X. DigitalMe can be triggered from Firefox.

Bandit Main Site

Bandit Code Downloads

Azigo

Azigo is an Adobe AIR based Identity Selector.

Azigo.com

OpenInfocard/XMLDAP Firefox Identity Selector

The OpenInfocard Identity Selector is browser-based, installable as a Firefox browser extension.

OpenInfocard/XMLDAP Identity Selector Download Page

Higgins Identity Selectors

There are two Higgins Identity Selectors:

Ian Brown’s Safari Selector

This is a browser-based Identity Selector plugin for Apple’s Safari Browser.

Check here for more information

Identity Providers

Play with cards in a test environment:

Create and work with Managed Information Cards

Downloads of Relying Party Modules & Code

PHP

The Pamela Project: contains PHP code for WordPress, and is expanding to Joomla and MediaWiki in the near future. Also contains test blogs that you can authenticate to with information cards to test the technology.

Java

OpenSSO Java Module: A snap-in module for information card authentication to OpenSSO and Sun Access Manager

http://sourceforge.net/projects/informationcard/

http://www.codeplex.com/informationcardjava

Ruby

http://rubyforge.org/projects/informationcard/

http://www.codeplex.com/informationcardruby

.NET

Write your own Relying Party and/or Identity Provider code:

Enable your site to accept Information Cards:

Supported Platforms

  • CardSpace is supported on the Vista, XP, and W2K3 Windows platforms.
  • CardSpace v3.0 does not work on systems with a FAT32 root filesystem, only on NTFS (however CardSpace v3.5 does work on FAT32).

Platform/Browser Combinations

Windows/IE7 – CardSpace selector works by default for IE7, thanks to an ActiveX control called ‘infocardsigninhelper’
Windows/Firefox – CardSpace selector can be launched by Kevin Miller’s CardSpace Extension.
Any/Firefox

Apple/Safari – Ian Brown’s Identity Selector Safari Extension is also java-based, and is closely related to Chuck’s selector.

Linux/Firefox – the Higgins native client is mostly running on OpenSUSE right now, but eventually there will be packages for all sorts of unix-based operating systems.

Governing Bodies

  • OSIS is an open-source initiative to create an Identity Selector that runs on multiple platforms.
  • The Information Card Foundation (ICF)
  • A new OASIS Technical Committee is being formed – more information as it arrives

Discussion Forums

Windows CardSpace MSDN Forum

News & Announcements

Check Kim’s blog for things like who in the community is doing fun things with the identity metasystem.

Check the WCS Main Page for technical announcements such as new CTP releases.

Information Card Products

WSO2 (haven’t played with this yet, but it looks cool)

Online Identity Providers

The Pamela Provider – based on the Higgins STS

Human Present – Kim Cameron’s identity provider

Wag – the Bandit Project Reference Implementation of the Higgins STS

Information Card Enabled Internet Sites

Kim’s blog: use a self-issued card to create an account and then use it to authenticate and post comments.

Chuck’s Relying Party: for some reason this page isn’t loading at the time I’m writing this, but I think it’s still valid. I’ll keep you posted.

Ashish’s SP Demo: A java-based RP that serves the handy purpose of showing you the claims & token that were passed to the RP as part of the WS-* transaction. Instructions are here.

Opinity: I haven’t tried this yet but I will as soon as possible. My assumption is that this takes a self-issued card. The first non-MS-related site to offer information cards as part of a consumer offering, as far as I know.

Sxore: Sxore is an ultra-hip blogging tool. Check it out, you can use your infocard.

dotnet.org.za: A South African developers’ portal

CDATA Zone: Rob Richards’ blog

Hot Chicken!: use a managed card to login and view DEC chicken pics!


Date Created: June 18, 2006