InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.
1. From Username & Password to "InfoCard"
   Richard Turner, "InfoCard" Product Manager, Microsoft Corporation
   Garrett Serack, Program Manager, Microsoft Corporation
3. The Imperative to Connect
   Suppliers & Partners, Businesses, Employees, Friends & Family, Consumers
25. 1. Associate a user with a card

    CREATE PROCEDURE aspnet_infocard_associate (@UserId nvarchar(256), @card nvarchar(50)) AS ...
    CREATE PROCEDURE aspnet_infocard_lookup (@card nvarchar(50)) AS ...
26. 2a. Create an association page

    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Update account with your Information Card
    </button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
27. 2b. Create an association page

    using System;
    using System.Web.Security;

    public partial class Associate_aspx : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Check whether the identity selector posted an xmlToken with this request.
            string xmlToken = Request["xmlToken"];
            if (!string.IsNullOrEmpty(xmlToken))
            {
                // TokenHelper is the lab's helper class that processes the posted token.
                TokenHelper tokenHelper = new TokenHelper(xmlToken);
                // Get the unique id derived from the card.
                string uniqueID = tokenHelper.getUniqueID();
                if (!string.IsNullOrEmpty(uniqueID))
                {
                    // Store it with the account that is currently signed in.
                    MembershipUser user = Membership.GetUser();
                    MembershipHelper.AssociateUser(user.UserName, uniqueID);
                }
            }
        }
    }
28. 3a. Update the sign in page

    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Sign in with your Information Card
    </button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
29. 3b. Update the sign in page

    using System;
    using System.Web.Security;

    public partial class Login_aspx : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string xmlToken = Request["xmlToken"];
            if (string.IsNullOrEmpty(xmlToken))
            {
                return; // plain page view: no card was posted
            }
            TokenHelper tokenHelper = new TokenHelper(xmlToken);
            // Look up the account using the unique id.
            string username = MembershipHelper.GetUser(tokenHelper.getUniqueID());
            if (username != null)
            {
                MembershipUser user = Membership.GetUser(username);
                // Give the forms-authentication cookie back to the browser.
                FormsAuthentication.SetAuthCookie(user.UserName, false);
            }
        }
    }
30. 4a. Update the registration page

    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Register with your Information Card
    </button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
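The pages above hand the posted xmlToken to the lab's TokenHelper before any account is touched. The checks a relying party must make on that SAML 1.0 assertion before trusting its claims are shown here as an added example (not code from the talk or the lab): validity window, audience, and presence of every claim named in requiredClaims. The sample token is constructed, uses the full form of the abbreviated claim URIs on the slides, and assumes the XML signature has already been verified by the caller.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"                   # the tokenType on the slides
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"  # full form of http://.../claims
REQUIRED = ("givenname", "surname", "emailaddress", "privatepersonalidentifier")

# Constructed sample with the shape of a self-issued card token; not a real capture.
# The ds:Signature element is omitted because signature verification is assumed done already.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" AssertionID="uuid-constructed-1">
  <saml:Conditions NotBefore="2006-03-20T10:00:00Z" NotOnOrAfter="2006-03-20T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://www.example.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>PPID-constructed-value</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_claims(xml_token, audience, now):
    """Return the required claims from a posted xmlToken, or raise ValueError on any failed check."""
    root = ET.fromstring(xml_token)  # production code should parse untrusted XML with a hardened parser
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 1.0 assertion")
    cond = root.find(f"{{{SAML}}}Conditions")
    # Reject replayed or not-yet-valid tokens: NotBefore <= now < NotOnOrAfter.
    if cond is None or not (_utc(cond.get("NotBefore")) <= _utc(now) < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    # A token issued for another site must not sign the user in here.
    if audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("token was issued for a different site")
    claims = {a.get("AttributeName"): a.findtext(f"{{{SAML}}}AttributeValue")
              for a in root.iter(f"{{{SAML}}}Attribute") if a.get("AttributeNamespace") == CLAIMS}
    missing = [c for c in REQUIRED if not claims.get(c)]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    return claims

def token_rejected(xml_token, audience, now):
    """True when extract_claims refuses the token; used to exercise the failure paths."""
    try:
        extract_claims(xml_token, audience, now)
        return False
    except ValueError:
        return True
```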
35. "InfoCard" Summary
    Labs available in the MIX Sandbox!
    Consistent authentication for digital identities
    Reduces chances of being phished
    Adopting takes little developer effort