Apache Authentication Module for CardSpace

Yesterday I referred to a mind-altering announcement from Ping Identity Corporation. I think it's a key piece of the identity puzzle. Since it's obvious that this is a big accomplishment and that he's played a major role in it, I'll quote Ashish Jain's Identity Ticker blog:

Thanks to the efforts of our labs team, we finally have the ‘Apache Authentication Module for CardSpace’ available for download.

Here is the product description from the SourceID website:

“The Apache Authentication Module for CardSpace is an open source module that allows applications using an Apache server for hosting or proxy to use Information Cards as an additional authentication mechanism. It allows the Apache applications to act as CardSpace relying parties (RP) by means of simple configuration. The module is responsible for decrypting the tokens submitted by CardSpace, retrieving the claims and making them available for the applications’ use.”

The idea behind this is simple. If you have an application that is deployed on an Apache server and you want to CardSpace-enable it, drop in the module (along with the dependencies), change the httpd.conf and your application should have access to the claims in the infocard.

The post includes proof that these guys were coding twenty-four hours a day.

To my mind this is really huge.  I wonder if one day we'll see it become a part of Apache, just like the password and digest authentication modules.

The whole CardSpace processing can be a black box for the administrators.

The module puts the attributes in the session. So if you have a PHP application, you can do the following to retrieve the attributes:

$email = $_ENV['auth_infocard_env_emailaddress'];
$ppid = $_ENV['auth_infocard_env_privatepersonalidentifier'];

The same thing works in any other programming language, since they all give you access to your environment variables.

So this is pretty much as simple as it gets.  I hope everyone with a product that runs on Apache will look at this.
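As an added illustration (not code from Ping Identity or from the module), here is how an application in another language, Python in this case, might consume those variables while failing closed when the private personal identifier is absent. The `auth_infocard_env_` prefix is inferred from the two names quoted above; the function names, the length cap and the sample values are assumptions made for this example.

```python
import os

# Prefix inferred from the two variable names shown in the post; treating
# every variable with this prefix as a claim is an assumption.
CLAIM_PREFIX = "auth_infocard_env_"
PPID = "privatepersonalidentifier"
MAX_CLAIM_LEN = 1024  # arbitrary cap chosen for this example


class NotAuthenticated(Exception):
    """No usable Information Card identity is present in the environment."""


def read_claims(environ=None):
    """Return {claim_name: value} for every well-formed claim variable."""
    environ = os.environ if environ is None else environ
    claims = {}
    for key, value in environ.items():
        name = key.lower()
        if not name.startswith(CLAIM_PREFIX):
            continue
        value = value.strip()
        # Claim values end up in pages, logs and queries: drop anything
        # empty, oversized or containing control characters.
        if not value or len(value) > MAX_CLAIM_LEN:
            continue
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            continue
        claims[name[len(CLAIM_PREFIX):]] = value
    return claims


def current_identity(environ=None):
    """Return (ppid, claims); raise NotAuthenticated if the PPID is missing."""
    claims = read_claims(environ)
    ppid = claims.get(PPID)
    if ppid is None:
        # Fail closed: without a PPID there is nothing to key an account on.
        raise NotAuthenticated("PPID claim not set by the module")
    return ppid, claims


if __name__ == "__main__":
    # Constructed sample environment, not output captured from the module.
    sample = {
        "auth_infocard_env_emailaddress": "alice@example.org",
        "auth_infocard_env_privatepersonalidentifier": "cHBpZC1zYW1wbGU=",
    }
    print(current_identity(sample))
```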

But wait!  There's more!  When I wrote to Ashish to congratulate him on this development, he added:

We also have a .jar file for Java that serves a similar purpose (we internally refer to it as the cardspace-magic.jar and we will open source it some day). Same idea…drop the .jar file in, then:

xmltoken in -> attribute’s map out

So if you use Java, you can go that way too.

But wait! There's still more!!

Yes, folks, Ping Identity is actually showing a demo at RSA of some of the very ideas we've been discussing over the last couple of days. Namely, use of CardSpace to log in to OpenID sites. I'll do another post to show you some screen shots.

Published by

Kim Cameron

Work on identity.
