Originally published December 2006
CardSpace: Microsoft's latest for identity management
Establishing our identity is a routine act in the digital world. From username and password pairs to more elaborate mechanisms such as dedicated hardware devices, the process has practically become second nature to applications on the Net. The technologies used to achieve it, however, are extremely fragmented. One of the latest approaches to surface in this space has Web services as its underpinnings: CardSpace, from Microsoft.
Before we delve into the finer details of CardSpace, let's take a step back to review the overall digital identity landscape. There is certainly no shortage of identity management solutions; to name a few: OpenID, Liberty Alliance, Windows Live ID (Passport) and TypeKey. All of them, in one way or another, try to offer end users a universal identity by which to access resources on the Net and, to that end, also invite third-party sites to integrate the same mechanisms into their applications as a way to ease user registration. Yet while all of the aforementioned technologies work as advertised, two factors limit their use: proprietary designs and centralized information management.
For an identity management process to work, the two parties involved obviously need to agree on the finer communication details: everything from payload parameters to the actual request sequence should follow a standard. The other limiting issue with these approaches lies in how identity data itself is managed, since many of them require that credentials be stored on remote, centralized servers, which makes end users understandably uneasy about entrusting them with anything more sensitive than a username and password. With that said, let's see how CardSpace tackles these two particular issues.
For starters, CardSpace is built around a series of Web services standards: WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. This alone sets a precedent in terms of the standards used to execute an identity process. Without underestimating any other technique, the ubiquity and industry support behind these standards should be enough to indicate an ample user base. Secondly, CardSpace is designed as a client-side technology, deployed on end users' PCs: the identity selector runs locally, and for self-issued cards (the kind requested in Listing 1.1) both the claims and the key that signs them stay on the user's machine, leaving it only inside a token minted for one particular site. Managed cards instead hold a reference to an external identity provider that issues the token on the user's behalf. Either way there is no single central credential store whose compromise exposes every user at once.
Having covered the background behind CardSpace, let's take a look at a common identity management scenario: an end user identifying himself to a Web site via CardSpace. The first thing we will look at is how a site integrates an identity request into a Web page; Listing 1.1 illustrates such a form.
Listing 1.1 CardSpace identity request form.

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
  <title>Card Space Login </title>
</head>
<body>
  <form method="post" action="login.aspx">
    <button type="submit"> Submit your Information Card </button>
    <object type="application/x-informationcard" name="xmlToken">
      <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
      <param name="issuer" value="http://schemas.microsoft.com/ws/2005/05/identity/issuer/self" />
      <param name="requiredClaims" value="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2005/05/identity/claims/surname http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier" />
    </object>
  </form>
</body>
</html>
What stands out in the previous HTML form is the <object> tag with the attribute type="application/x-informationcard", the structure that marks a CardSpace request. Nested within this element is a series of <param> tags, each specifying one aspect of the request. The tokenType parameter asks for a Security Assertion Markup Language (SAML) token, an XML standard for exchanging authentication and authorization data; the issuer parameter asks for a self-issued card, one whose claims the user created and holds locally; and requiredClaims lists four claim URIs, for given name, surname, email address and the private personal identifier (PPID). The PPID deserves a note: it is not a global identifier but one derived per site, so the same card presents a different PPID to every site it is used with, which lets a site recognize a returning user without being able to correlate that user across other sites. Note also that the object is named xmlToken: that is the form field under which the resulting token is posted to login.aspx.
When this form is rendered on a CardSpace-enabled PC, the user is prompted to satisfy the request by choosing one of his CardSpace identities, and can accept or decline sending that information to the Web site. There are, of course, a number of ramifications to this process, so let's review them.
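Accepting the card in the selector is only half of the exchange; the site that receives the token in the xmlToken field still has to check it before trusting a single claim. As an added example, not code from the original column or from Microsoft, the block below shows that relying-party validation in Python rather than in the login.aspx page the form targets, so that it runs stand-alone. It assumes the token has already been decrypted with the private key of the site's SSL certificate and its XML-DSig signature verified, and it works on a constructed sample assertion: the audience URL, timestamps, claim values, PPID and key modulus are made up for illustration. Everything else, the audience check, the validity window, the required-claims check and the binding of the PPID to the card's signing key, is what a site should do with any token that reaches it.

```python
"""Relying-party checks on a CardSpace SAML 1.0 token (added example).

Assumed already done before this code runs: decryption of the posted xmlToken
with the site's SSL private key and verification of the assertion's XML-DSig
signature. What remains is the claim-level validation shown here.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SELF_ISSUER = "http://schemas.microsoft.com/ws/2005/05/identity/issuer/self"
CLAIMS_NS = "http://schemas.microsoft.com/ws/2005/05/identity/claims"

# The four claim URIs requested by the form in Listing 1.1.
REQUIRED_CLAIMS = [CLAIMS_NS + "/" + n for n in
                   ("givenname", "surname", "emailaddress", "privatepersonalidentifier")]

# Constructed sample (not a real token): a self-issued assertion as it looks after
# decryption. The ds:Signature element is omitted because it is assumed verified.
SAMPLE_AUDIENCE = "https://www.example.com/login.aspx"
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DSIG}"
    MajorVersion="1" MinorVersion="1" AssertionID="uuid:0001"
    Issuer="{SELF_ISSUER}" IssueInstant="2006-12-01T12:00:00Z">
  <saml:Conditions NotBefore="2006-12-01T12:00:00Z" NotOnOrAfter="2006-12-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{SAMPLE_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
          <ds:Modulus>xQ8JsampleModulusOnlyForIllustration=</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>ZGVtby1wcGlkLWZvci1leGFtcGxlLmNvbQ==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2006, 12, 1, 12, 2, tzinfo=timezone.utc)  # inside the window


class TokenError(Exception):
    """Raised when the token must not be accepted."""


def parse_utc(value):
    """SAML timestamps in these tokens are UTC, e.g. 2006-12-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_token(xml_text, expected_audience, now=None, required_claims=REQUIRED_CLAIMS):
    """Return (claims, signing_key_modulus) for an acceptable token, else raise TokenError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise TokenError("not a SAML 1.0 assertion")
    if root.get("Issuer") != SELF_ISSUER:
        raise TokenError("token issuer is not the self-issued provider we asked for")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise TokenError("assertion carries no Conditions element")
    # A token is short-lived on purpose; refuse anything outside its window.
    if not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        raise TokenError("token outside its validity window")
    # The audience ties the token to this site, so one captured for another site is useless here.
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience") if a.text]
    if expected_audience not in audiences:
        raise TokenError("token was issued for a different audience")
    claims = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[uri] = attr.findtext(f"{{{SAML}}}AttributeValue")
    missing = [c for c in required_claims if not claims.get(c)]
    if missing:
        raise TokenError("required claims missing: " + ", ".join(missing))
    # Holder-of-key: the card's public key is inside the token; keep it for account binding.
    modulus = root.findtext(f".//{{{DSIG}}}Modulus")
    if not modulus:
        raise TokenError("no holder-of-key public key in the token")
    return claims, modulus.strip()


def derive_user_id(ppid, modulus):
    """Site-local account key. The PPID is already site-specific, but binding it to the
    card's signing key means a token carrying the same PPID under a different key is
    not mapped onto the same account."""
    return hashlib.sha256(f"{ppid}|{modulus}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    claims, key = validate_token(SAMPLE_TOKEN, SAMPLE_AUDIENCE, SAMPLE_NOW)
    print("welcome", claims[CLAIMS_NS + "/givenname"], claims[CLAIMS_NS + "/surname"])
    print("account id", derive_user_id(claims[CLAIMS_NS + "/privatepersonalidentifier"], key))
```

The audience and validity checks are what stop a token captured for one site from being replayed against another, and the PPID-plus-key binding is what makes the returned PPID safe to use as an account key: on its own it is just a string anybody could put into a token, whereas combined with the signing key it identifies the card that actually proved possession of that key.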
Perhaps the biggest benefit of CardSpace is that the end user decides which identity goes to which site: a card can carry anything from usernames, passwords and credit card numbers to social security numbers or any other identity-qualifying information, and it is the user who surrenders a given card, one request at a time, depending on who is asking. (With a managed card the data itself lives with the identity provider that issued the card; the user still chooses when a token derived from it is released.)
Using CardSpace also has its benefits for a service provider. Since each CardSpace token is built on Web services standards, any Web application built on the same principles can request and consume such tokens for identity purposes, breaking the mold of the many identity solutions that require language "x" or platform "y" to operate correctly.
Now, a cautious technology adopter will have noticed one big assumption we have made so far: that the PC and browser are equipped to handle CardSpace. So let's finish by looking at how CardSpace fits into the grander scheme of things, which also sheds light on that assumption.
CardSpace is but one of the many pieces in .NET 3.0, the next release of Microsoft's development platform (version 2.0 being the one most developers run today). CardSpace, alongside Windows Communication Foundation (WCF), Windows Workflow Foundation (WF) and Windows Presentation Foundation (WPF), will form the foundation for building Web-services-enabled applications in the near future, with CardSpace taking the bulk of identity and authentication workloads. You can take a look at earlier columns on WCF and WF.
As far as CardSpace adoption is concerned, the latest Internet Explorer (IE) 7.0 release already recognizes the information card object tag and hands the request to the CardSpace identity selector, which itself ships as part of .NET 3.0 (on Windows XP that is a separate install). The biggest push of all, however, will come from Windows Vista, the newest Microsoft operating system slated for release in early 2007, which will not only have IE 7.0 by default but will also come with the complete set of .NET 3.0 components.
Though CardSpace is still a relative newcomer to the realm of identity management, its Web services foundations along with its user-centric identity administration make it a compelling technology for the near future. Nor should one underestimate the clout a new operating system release can lend a technology slated to be one of its centerpieces.