
Infocard/CardSpace Environment Setup

26 September 2006

Setting up Infocard/CardSpace

Today I'm going to explain how to enable accepting CardSpace cards (formerly known as Infocards) on your website. This topic took a little figuring out and navigating various pieces of documentation, so I'm writing it down here because I'll probably forget how to do it and need it again in the future.

1) Enable SSL on your page – The Infocard ID selector only works for pages running under SSL. This means you need to purchase a certificate and install it on your web server. That part is easy. The hard part is figuring out how to create a test certificate for use on your personal web server. It turns out this is easy too. Download the "Internet Information Services (IIS) 6.0 Resource Kit Tools" HERE. Install it, navigate to "C:\Program Files\IIS Resources\SelfSSL" and run "SelfSSL.exe" from that folder.

2) Install IE 7 – only IE 7 supports the CardSpace ID selector. Download IE 7 here. There are some home-grown plugins for Firefox, but I will not focus on those for now.

3) Install the cert in your browser. Now you can launch your page under SSL using IE 7. The address bar at the top will turn pink because the site is running under a test certificate. If you try to launch the ID selector now you'll get the error "An incoming identity could not be validated." and the ID selector will close. To fix this, click the "Certificates" button in the address bar in IE 7, click "View Certificates", then click "Install Certificate". Now you'll be able to launch the ID selector.

4) The markup required on the page is just this (the object element sits inside the form that is submitted in the next step):

<object type="application/x-informationCard" name="xmlToken">
   <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
   <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</object>
Then submit the form like this:

<a href="javascript:void(0)" onclick="document.forms[0].submit()">Submit me</a>

That's it. You still need to parse the token (you can use the TokenHelper.cs lab code for this) and so on, but you can now launch the ID selector and have a nice test environment.
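As an added example (not code from the post or from the TokenHelper lab), the following Python sketch inspects the encrypted envelope the selector posts in the xmlToken field before any private-key work is done: it checks that the KeyIdentifier names our relying-party certificate by SHA-1 thumbprint and that the expected XML Encryption algorithms are used. It assumes the standard xenc/WS-Security envelope layout; the RP certificate bytes and the token are constructed stand-ins.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of the XML Encryption envelope CardSpace posts in the xmlToken field.
NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

def cert_thumbprint(cert_der: bytes) -> bytes:
    """SHA-1 of the DER certificate: the value the selector places in KeyIdentifier."""
    return hashlib.sha1(cert_der).digest()

def inspect_token(xml_token: str, rp_cert_der: bytes) -> dict:
    """Validate the envelope before touching the RP private key."""
    root = ET.fromstring(xml_token)
    if root.tag != "{%s}EncryptedData" % NS["xenc"]:
        raise ValueError("not an xenc:EncryptedData element")
    data_alg = root.find("xenc:EncryptionMethod", NS).get("Algorithm")
    enc_key = root.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if enc_key is None:
        raise ValueError("no EncryptedKey in KeyInfo")
    key_alg = enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm")
    key_id = enc_key.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if key_id is None or key_id.get("ValueType") != THUMBPRINT_SHA1:
        raise ValueError("Relying Party certificate thumbprint not specified")
    if (data_alg, key_alg) != (AES256_CBC, RSA_OAEP):
        raise ValueError("unexpected algorithms: %s / %s" % (data_alg, key_alg))
    presented = base64.b64decode(key_id.text.strip())
    return {"data_alg": data_alg, "key_alg": key_alg,
            "thumbprint_matches": presented == cert_thumbprint(rp_cert_der)}

# Constructed sample: stand-in RP certificate bytes and a token naming it (dummy ciphertext).
RP_CERT_DER = b"constructed stand-in for the relying party certificate"
SAMPLE_TOKEN = f"""<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}" xmlns:wsse="{NS['wsse']}">
  <xenc:EncryptionMethod Algorithm="{AES256_CBC}"/>
  <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{RSA_OAEP}"/>
    <ds:KeyInfo><wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{base64.b64encode(cert_thumbprint(RP_CERT_DER)).decode()}</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""
```

A mismatch here means the selector encrypted the token for a different certificate than the one your server is configured with, which is worth logging separately from a decryption failure.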

3 Comments

  • Dion said:

Hi Francis, this helped me a lot trying to get CardSpace running on my localhost machine with a test certificate.
    Now I can select a Card, but the login.aspx now returns:
    “Relying Party Certificate thumbprint not specified”.

    Do you have any idea how to fix this?

  • Dion said:

    By adding Thawte’s Test Root CA (the root CA for the free test certificate from Thawte), I managed to solve the above error. But now the error is in this line of the TokonProcessor.cs:
    Line 415: alg.Key = (certificate.PrivateKey as RSACryptoServiceProvider).Decrypt(symmetricKeyData, true);

    “System.Security.Cryptography.CryptographicException: Keyset does not exist”

    Any clue?

  • Francis said:

Dion: I'm not sure, but this might be an inability to access the private key. Have you specified the path to the PFX file containing the key, or alternatively specified the path to the certificate on the machine, in the config file?
