
  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

 Tuesday, November 21, 2006

Sergey Shishkin of newtelligence asked a very good question on the Microsoft Cardspace forums here. Basically, the current STS examples out there don't show a good sample of how an RSTR will look and be parsed by the client Cardspace selector before it is sent over to the Relying Party (RP) or website.

If you click the "Retrieve" button on the Cardspace selector, the RST<->RSTR exchange takes place, but somehow the selector doesn't show the credentials that will be sent to the RP from the STS, more commonly known as the Identifying Party (IP).

The reason is that the current STS samples ignore the RequestDisplayToken element value in the RST and therefore never emit the RequestedDisplayToken blob in the RSTR. The Cardspace selector looks for and parses those RequestedDisplayToken values, because it treats the RequestedSecurityToken itself as an opaque object and cannot show the claims from it.

I took some time to figure out how to pump in those values, and searching the web turned up a good resource here, surprisingly.

Following the stated schema, and with a bit of a push in the right direction from (my colleague now) Garrett Serack, I managed to hack out some snippets that can be written into the current STS sample (RC1) so that the following XML blob appears in the RSTR sent back to the client Cardspace selector. Only then will the selector be able to show the DisplayToken in the UI and let the subject decide whether he/she wants to send the entire claim set over. (Laws of Identity, Law No 1: User Control and Consent)

<wsid:RequestedDisplayToken xmlns:wsid="http://.../ws/2005/05/identity">
  <wsid:DisplayToken>
    <wsid:DisplayClaim Uri="http://.../ws/2005/05/identity/claims/givenname">
      <wsid:DisplayTag>First Name</wsid:DisplayTag>
      <wsid:Description>http://.../ws/2005/05/identity/claims/givenname</wsid:Description>
      <wsid:DisplayValue>William</wsid:DisplayValue>
    </wsid:DisplayClaim>
    <wsid:DisplayClaim Uri="http://.../ws/2005/05/identity/claims/surname">
      <wsid:DisplayTag>Last Name</wsid:DisplayTag>
      <wsid:Description>http://.../ws/2005/05/identity/claims/surname</wsid:Description>
      <wsid:DisplayValue>Tay</wsid:DisplayValue>
    </wsid:DisplayClaim>
    <wsid:DisplayClaim Uri="http://.../ws/2005/05/identity/claims/emailaddress">
      <wsid:DisplayTag>Email Address</wsid:DisplayTag>
      <wsid:Description>http://.../ws/2005/05/identity/claims/emailaddress</wsid:Description>
      <wsid:DisplayValue>abc@def.ghi</wsid:DisplayValue>
    </wsid:DisplayClaim>
    <wsid:DisplayClaim Uri="http://.../ws/2005/05/identity/claims/privatepersonalidentifier">
      <wsid:DisplayTag>Site-specific card ID</wsid:DisplayTag>
      <wsid:Description>http://.../ws/2005/05/identity/claims/privatepersonalidentifier</wsid:Description>
      <wsid:DisplayValue>KDK-G7AC-SAW</wsid:DisplayValue>
    </wsid:DisplayClaim>
  </wsid:DisplayToken>
</wsid:RequestedDisplayToken>

P.S.: You can use writer.WriteElementString(Constants.WSIdentity.NamespaceUri.Prefix ...) to make sure the above XML blob is generated after you have written the RequestedSecurityToken (the SAML token) XML bits.
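As an added example (not the RC1 STS sample's own code), here is a C# helper that writes the RequestedDisplayToken blob above with a plain XmlWriter; it builds the display claims from the same claim collection the SAML token was issued from, so what the selector shows the subject is exactly what the RP receives. The WS-Identity namespace URI, the friendly tag names and the sample claim values are assumptions, since the post shows the namespace elided.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example, not the RC1 STS sample's own code. The namespace is an assumption:
// the post shows it elided as "http://.../ws/2005/05/identity".
public static class DisplayTokenWriter
{
    const string WsidPrefix = "wsid";
    const string WsidNs = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    // issuedClaims: claim URI -> value, the same collection the SAML token was built
    // from, so the selector displays exactly what will be sent to the RP.
    // displayTags: claim URI -> friendly label for the DisplayTag element.
    // Call this only if the RST carried RequestDisplayToken, and only after the
    // RequestedSecurityToken element has been written.
    public static void WriteRequestedDisplayToken(XmlWriter writer,
        IDictionary<string, string> issuedClaims, IDictionary<string, string> displayTags)
    {
        writer.WriteStartElement(WsidPrefix, "RequestedDisplayToken", WsidNs);
        writer.WriteStartElement(WsidPrefix, "DisplayToken", WsidNs);
        foreach (var claim in issuedClaims)
        {
            string tag;
            if (!displayTags.TryGetValue(claim.Key, out tag))
                tag = claim.Key.Substring(claim.Key.LastIndexOf('/') + 1); // URI leaf as fallback
            writer.WriteStartElement(WsidPrefix, "DisplayClaim", WsidNs);
            writer.WriteAttributeString("Uri", claim.Key);
            writer.WriteElementString(WsidPrefix, "DisplayTag", WsidNs, tag);
            writer.WriteElementString(WsidPrefix, "Description", WsidNs, claim.Key);
            writer.WriteElementString(WsidPrefix, "DisplayValue", WsidNs, claim.Value);
            writer.WriteEndElement(); // DisplayClaim
        }
        writer.WriteEndElement(); // DisplayToken
        writer.WriteEndElement(); // RequestedDisplayToken
    }
    // Stand-alone demo with constructed sample claims; no real SAML token is written.
    public static void Main()
    {
        string c = WsidNs + "/claims/";
        var issued = new Dictionary<string, string> {
            { c + "givenname", "William" }, { c + "surname", "Tay" }, { c + "emailaddress", "abc@def.ghi" } };
        var tags = new Dictionary<string, string> {
            { c + "givenname", "First Name" }, { c + "surname", "Last Name" } }; // emailaddress uses fallback
        var sw = new StringWriter();
        using (var w = XmlWriter.Create(sw, new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true }))
            WriteRequestedDisplayToken(w, issued, tags);
        Console.WriteLine(sw.ToString());
    }
}
```

In the real STS you would pass the XmlWriter the RSTR serializer hands you and the claim dictionary you just put into the SAML assertion, rather than the constructed values in Main.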

Tuesday, November 21, 2006 7:14:51 AM (Malay Peninsula Standard Time, UTC+08:00)

Wednesday, November 08, 2006

I am very honoured to be invited to present at a prestigious event organized and supported by our Singapore Government (Ministry of Home Affairs, MHA) as well as the Infocomm Development Authority of Singapore (IDA). It is really an honour to be amongst an elite speaker line-up with some really great security tracks and programs in store.

GovernmentWare 2006 has always been a great event and has been (and still is) evolving towards improved and better positioning, and I am sure this year's event will be significantly different from the previous iterations.

After all those years of speaking on Microsoft technologies from an external vendor's perspective, this will be the first time I am speaking "from the other side". I guess I will know by then how different it will be.

My topic? No surprise... It will be in the Electronic Identification (e-ID) track.

Title: Federated Identities and the Metasystem
Synopsis:
What are the basic forces driving the concept of the Identity Metasystem that has the world watching and waiting? How do we plug the missing gaps of the Transactional Internet today? Can we imagine the WWW without passwords one day? How can this be possible and yet be more secure and assuring? One of the things people don't know about is how this entire secured infrastructure can be extended beyond authentication purposes to include other value-added business functionality.

Hope to see some of you there!

Wednesday, November 08, 2006 11:56:10 AM (Malay Peninsula Standard Time, UTC+08:00)