Hey You! This is a stick up!

toddha — Fri, 23 Feb 2007 00:00:00 GMT

Hand over your ~~wallet~~ InfoCard!

I've been playing around with CardSpace and trying to get it to do what I need it to do : authenticate some user in a little 3-tier play app that I'm writing. It's not as simple to use as most people would think. Here's my experience with it and how I got it to work. Hopefully I'll save you some time and frustration. (Note your milage may vary, especially since I'm not as detailed here as I would like to be).

Also, please note : this is NOT prescriptive guidance. There are no claims, warranties, or rights implied.

First, install IE7. CardSpace requires it. You can do the next couple of steps without it, but eventually you'll need it.

I needed a cert in my test environment. You may or may not need this step, but I went off and got the SelfSSL tool in the IIS 6.0 Resource Kit. I created a self signed cert and installed it into my computer's certificates store (via mmc).

Next, I created a new IIS website (via inetmgr). I right clicked on it, clicked properties, went to the Directory Security tab, clicked on Server Certificate, and chose my cert. I checked that my site (https) worked in Internet Explorer and that there were no cert issues.

There's one small step that you'll probably need to do with certs that I missed, however. You'll need to know what identity your web site is running under. Open up inetmgr, find the web site or virtual directory that you are using. Right click it, click properties, and on the Web Site or Virtual Directory tab it will say the AppPool. Go back to the main window of inetmgr, expand Application Pools, find that AppPool, right click it, properties, and it will show you on the Identity tab what account it's running under.

Next.

Go download and install the WSE 3.0 tools from here. Run the Certificates tool.

Choose Local Computer as the location.
Click Open Certificate
Choose the Certificate you signed and click OK.
Click View Private Key File Properties.
Click on the Security tab.
Make sure the account that we identified as the AppPool identity is listed and has read access.
Done.

Now you can implement your login. See here for the sample code on how to do this. I used some of this. I wrote my own code for looking up the Certificates by subject like this :

protected static X509Certificate2 LookupCert(string subject) { X509Store store = new X509Store( StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); foreach (X509Certificate2 cert in store.Certificates) { if (cert.Subject.Equals(subject)) return cert; } return null; }

Probably not the most efficient as you can call store.Certificates.Find(...).

I then took just Token.DecryptToken to do what I needed and discarded most of the rest (there are some supporting data structures that DecryptToken requires). Remember, no rights or warranties implied. Use at your own risk.

string xmlToken = Request.Params["_xmlToken"]; if (xmlToken == null || xmlToken.Length == 0) { ShowError("ERROR : Token presented was null"); return; } string serverSubject = Request.Params["HTTPS_SERVER_SUBJECT"]; if (serverSubject == null || serverSubject.Length == 0) { ShowError("ERROR : serverSubject was null"); return; } try { X509Certificate2 c = LookupCert(serverSubject); if (c == null) { ShowError("ERROR : Could not find cert to decrypt with"); return; } // decrypt the token into a byte array byte [] decrypted = DecryptToken(c, xmlToken); // get SAML string from decrypted string data = new UnicodeEncoding().GetString(bytes);} catch (Exception ex) { ShowError("ERROR : " + ex.ToString()); return; }

You now have the SAML and can authenticate as appropriate!

ToddHa's WebLog : CardSpace

Hey You! This is a stick up!