InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.

1. From Username & Password to "InfoCard" Richard Turner "InfoCard" Product Manager Microsoft Corporation Garrett Serack Program Manager Microsoft Corporation

3. The Imperative to Connect Suppliers & Partners Businesses Employees Friends & Family Consumers

4. Who Are You?

7. Password Fatigue

11. Contoso Car Rental

12. Participants Relying Party (website) User Identity Provider

13. Login with Self Issued Card Relying Party (website) User Object Tag Login

14. Select Self Issued Card Relying Party (website) User

15. Create Token from Card Relying Party (website) User

16. Sign, Encrypt & Send Token Relying Party (website) User

17. Login with Managed Card Relying Party (website) User Object Tag Identity Provider Login

18. Select Managed Card Relying Party (website) User Identity Provider

19. Request Security Token Relying Party (website) User Auth’: X509, Kerb, SIC, U/PWD … Identity Provider

20. Create Token from Card Relying Party (website) User Identity Provider

21. Sign, Encrypt & Send Token Relying Party (website) User Identity Provider

23. Building A Relying Party

25. 1. Associate a user with a card CREATE PROCEDURE aspnet_infocard_associate (@UserId nvarchar(256), @card nvarchar (50) ) AS ... CREATE PROCEDURE aspnet_infocard_lookup (@card nvarchar (50) ) AS ...

26. 2a. Create an association page <!-- ... --> < button onclick =&quot;javascript:return infocardlogin.submit();&quot;> Update account with your Information Card </ button > < form name =&quot;infocardlogin&quot; target =&quot;_self&quot; method =&quot;post&quot;> < object type =&quot;application/x-informationcard&quot; name =&quot;xmlToken&quot;> < param name =&quot;tokenType&quot; value =&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;> < param name =&quot;issuer“ value =&quot;http://schemas..../identity/issuer/self&quot;> < param name =&quot;requiredClaims&quot; value =&quot;http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier&quot;> </ object > </ form > <!-- ... -->

27. 2b. Create an association page public partial class Associate_aspx : System.Web.UI. Page { protected void Page_Load( object sender, EventArgs e) { // check if an xmlToken is posted string xmlToken = Request[ &quot;xmlToken&quot; ]; if (xmlToken != null ) { TokenHelper tokenHelper = new TokenHelper (xmlToken); // get the unique id string uniqueID = tokenHelper.getUniqueID(); if (uniqueID != null && uniqueID != &quot;&quot; ) { //store it with the account. MembershipUser user = Membership .GetUser(); MembershipHelper .AssociateUser( user.UserName, uniqueID ); } } } }

28. 3a. Update the sign in page <!-- ... --> < button onclick =&quot;javascript:return infocardlogin.submit();&quot;> Sign in with your Information Card </ button > < form name =&quot;infocardlogin&quot; target =&quot;_self&quot; method =&quot;post&quot;> < object type =&quot;application/x-informationcard&quot; name =&quot;xmlToken&quot;> < param name =&quot;tokenType&quot; value =&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;> < param name =&quot;issuer“ value =&quot;http://schemas..../identity/issuer/self&quot;> < param name =&quot;requiredClaims&quot; value =&quot;http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier&quot;> </ object > </ form > <!-- ... -->

29. 3b. Update the sign in page public partial class Login_aspx : System.Web.UI. Page { protected void Page_Load( object sender, EventArgs e) { string xmlToken = Request[ &quot;xmlToken&quot; ]; TokenHelper tokenHelper = new TokenHelper (xmlToken); // Lookup the account using the uniqueId string username = MembershipHelper .GetUser( tokenHelper.getUniqueID()); if (username != null ) { MembershipUser user = Membership .GetUser(username); // give the cookie back to the browser. FormsAuthentication .SetLoginCookie(user.UserName, false ); } } }

30. 4a. Update the registration page <!-- ... --> < button onclick =&quot;javascript:return infocardlogin.submit();&quot;> Register with your Information Card </ button > < form name =&quot;infocardlogin&quot; target =&quot;_self&quot; method =&quot;post&quot;> < object type =&quot;application/x-informationcard&quot; name =&quot;xmlToken&quot;> < param name =&quot;tokenType&quot; value =&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;> < param name =&quot;issuer“ value =&quot;http://schemas..../identity/issuer/self&quot;> < param name =&quot;requiredClaims&quot; value =&quot;http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier&quot;> </ object > </ form > <!-- ... -->

31. 4b. Update the registration page // ... string xmlToken = Request[ &quot;xmlToken&quot; ]; TokenHelper tokenHelper = new TokenHelper (xmlToken); string uniqueId = tokenHelper.getUniqueID(); string emailAddress = tokenHelper.GetClaim( “ http://schemas.../emailaddress ”); string username = tokenHelper.GetClaim( “ http://schemas.../givenname ”); if (username != null ) { MembershipUser user = CreateUser( name , emailAddress ,... ); MembershipHelper .AssociateUser( user.UserName, uniqueID ); } // ...

32. Summary

33. WinFX: .NET to the core

35. &quot;InfoCard&quot; Summary Labs available in the MIX Sandbox! Consistent authentication for digital identities Reduces chances of being phished Adopting takes little developer effort

36. © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.