This tutorial includes a demo, an explanation of how Self-Issued InfoCard identity tokens work, and sample PHP code allowing you to accept these tokens at a web site.
One of the key goals of InfoCard and the Identity Metasystem is to put the release of identity information under the direct control of computer users. At the same time, the system respects the right of a web site to say what information it requires to grant entry. The accompanying demo shows how InfoCards help bring the two sides of this equation together in a way that accords with the Laws of Identity.
Information Card technology can be used to manage the exchange of any kind of token. CardSpace's self-issued tokens use the SAML format. With this format, identity information sent to a site is “signed” to guarantee that it really comes from whoever originates the “claims” in the identity token. Then, to protect the user's information during release, it is encrypted so only that site can get at it.
How can the identity provider encrypt the information destined for your web site? You need a public key and certificate. In the current version of InfoCard this has to be an SSL certificate (mine cost me under $20), and your web server needs to be able to support https. Identity tokens sent to you will be encrypted under the same key your system uses for https. If people need help with this, let me know and I'll add instructions to this tutorial.
I wrote my sample code in PHP 5 (I had a 4.2 version running at one point, but didn't want to keep two versions going). If you wonder why I chose PHP, I wanted it to be clear that InfoCards are not Windows-specific. You need to make sure your version of PHP has the mcrypt and openssl libraries enabled. (By way of example, these libraries are part of the default environment at TextDrive, my excellent web site host.)
- Watch the demo. Use this version for Windows Media Player. (If your system complains that it requires the Techsmith Screen Capture Codec [TSCC], pick it up here.) If you can't use TSCC, try the much fatter Quicktime version (doubleclick on the demo to start it).
- Learn about the Encrypted SAML Token, and then how to decrypt it to reveal the signed token.
- Learn about the Signed Token, and how to verify it.
- Look at the sample HTML page and mainline that constitutes the demo.
You can download the sample PHP files here (I updated them to V3 in June 2007 to make the code compatible with the shipping version of Vista, and at the same time embrace the new OASIS claims names.)
I'll be evolving this work over the next little while, so let me know about anything that is unclear or not pitched at the right level.
People have asked if I'll be putting this tutorial into .pdf format. I will, once I've received a bit more feedback. In particular, I'm hoping some PHP gurus will look things over – this is my first PHP project.
I've also been asked what intentions I have for this code. My only goal is to share information as widely as possible.