My name is Oren Melzer and I’m a developer on the CardSpace team. In this post, I am going to talk a bit about the newly designed selector in the new CardSpace “Geneva” beta.
Based on feedback from v1, one of our primary goals in designing the CardSpace “Geneva” selector was to give the user a simple, quick, and in-context card selection experience. Quite simply, users don’t want a lengthy or complex login experience; users want to quickly and easily access the site they’re trying to visit. With that in mind, the CardSpace “Geneva” selection experience was designed to be seamless. At a glance, users can see where their information is going and what data they’re sending. At the same time, they’re never more than a few clicks away from being authenticated.
The CardSpace “Geneva” selector uses Credential UI, a built-in Windows authentication mechanism that you may recognize from Remote Desktop Connection or smart card authentication. Credential UI allows CardSpace to operate in the context of the browser, so that the website the user is accessing is still visible.
When a user clicks the CardTile or the “log in” button on a webpage, the selector comes up showing all of the user’s cards that match the site’s policy. If the user has previously logged in to the site using CardSpace, the most recently used card will show up first and will be selected by default. All the user needs to do to log in is choose a card, authenticate to the Identity Provider (which may happen silently in the case of certificate- or Kerberos-backed cards), and click OK.
Users may also wish to review the personal data that they are submitting. To do this, the user simply clicks on “What information will be sent?” to review the display token returned by the Identity Provider. This functionality is equivalent to the “Preview” button in CardSpace v1.
One new feature in the CardSpace “Geneva” beta is the ability to use a card automatically at a website. If the corresponding box is checked and the card is successfully submitted, CardSpace will automatically use the given card to log in to this site in the future, saving any credentials used. During subsequent logins to the same site, the user won’t be presented with the selector. Note that in the case of smart-card-backed cards, users will still have to authenticate to their smart cards. In the current beta, users can undo automatic card use by opening the CardSpace “Geneva” control panel applet and choosing “Delete all card history.”
Website developers should keep in mind that multiple users sometimes share the same Windows account and they may wish to log in to the same site using different cards. Websites may include an alternate object tag with the “requireUserInteraction” parameter set to true (see below) that allows the user to log in with a different card even if the user has chosen to always use a card. Should the user choose a different card, CardSpace “Geneva” will no longer use the previously chosen card automatically.
The following additional information may be useful for web developers:
· If the connection to a site does not use https, the selector displays a large warning advising the user not to submit sensitive data to the site.
· To mitigate spoofing attacks, the CardSpace selector limits the total length of the fully qualified domain name and scheme to 50 characters. The CardSpace selector will not be shown on sites with names longer than this limit. In corporate usage scenarios, system administrators may override this limit up to a maximum of 128 by setting a DWORD registry key at HKLM\Software\Microsoft\CardSpace\MaxHostNameLength.
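As an added pre-flight check for site developers (example code written here, not part of CardSpace or this post), the function below applies the two rules above to a site URL: it flags a non-https origin and reports whether the scheme plus fully qualified domain name fits the 50-character default or an administrator’s MaxHostNameLength override, clamped at 128. It assumes the length is counted over "scheme://host" with no port or path, and that an override above 128 is treated as 128; neither detail is stated in the post.

```javascript
// Added example, not CardSpace's own code. Checks whether the "Geneva"
// selector would appear for a site, per the limits described in the post.
// Assumption: length is counted over "scheme://hostname" (no port, no path).
const DEFAULT_MAX_NAME_LENGTH = 50; // default limit from the post
const ADMIN_MAX_NAME_LENGTH = 128;  // highest override an admin may set

// Turns the (assumed) MaxHostNameLength DWORD value into the limit in force.
// 0 or undefined means "no override"; values above 128 are clamped (assumed).
function effectiveLimit(maxHostNameLength) {
  if (!maxHostNameLength || maxHostNameLength <= 0) {
    return DEFAULT_MAX_NAME_LENGTH;
  }
  return Math.min(maxHostNameLength, ADMIN_MAX_NAME_LENGTH);
}

// Returns what the selector would do for siteUrl: whether it is shown at
// all, and any warnings the user would see or the developer should fix.
function selectorPreflight(siteUrl, maxHostNameLength) {
  const url = new URL(siteUrl);
  const scheme = url.protocol.replace(/:$/, "");
  const name = `${scheme}://${url.hostname}`; // assumed counting rule
  const limit = effectiveLimit(maxHostNameLength);
  const warnings = [];

  if (scheme !== "https") {
    warnings.push(
      "connection is not https: selector warns the user not to submit sensitive data"
    );
  }

  const selectorShown = name.length <= limit;
  if (!selectorShown) {
    warnings.push(
      `scheme + FQDN is ${name.length} chars, over the ${limit}-char limit: selector is not shown`
    );
  }

  return { name, length: name.length, limit, selectorShown, warnings };
}

// Constructed sample origins for a quick run.
const samples = [
  "https://login.example.com/signin",
  "http://example.com/",
  `https://${"a".repeat(40)}.example.com/`,
];
for (const s of samples) {
  const r = selectorPreflight(s);
  console.log(`${r.name} (${r.length}) shown=${r.selectorShown}`, r.warnings);
}
```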
Go install CardSpace “Geneva” and try it out – if you don’t have a card, you can download an example card on the demo page.
Software Development Engineer