When a user tells CardSpace to “send” identity data from a self-issued card to a web site, it posts a SAML token using the action attribute in the HTML form containing an x-informationCard Object tag.
In the simple, no-ssl case, this information will not be encrypted, so you can just treat it as an XML blob. You can test this out by making the form's action a script like this one:
This script just takes everything that is posted to the web server by CardSpace after processing the invocation form, and reflects it back as an “XML encoding”. The result is shown in my demo, and in the no-ssl zip file as result.xml.
As pedagogical as the XML dump may be, it isn't a good sample of how you would consume claims. For that, let's look at the following script:
GetClaims() shown above is just a way of pulling values out of an XML document – use your own instead. You will see that the givenname and privatepersonalidentifier claims used here are retrieved with this simple code.
I hope all of this will become very clear by watching the demo and looking at the aforementioned zip file, which you can cut and paste for your own experiments.
[Note: the raw XML display code above did not include the stripslashes function when I first posted it, which caused the function to fail in certain php configurations. Thanks to Alex Fung from Hong Kong for the report.]
I've tried to install the NoSSL files on my localhost XAMPP installation. It did not work straight away. A PHP-speaking colleague of mine found that my problem was solved by replacing line 16 , which currently reads:
$objXml->loadXML($_POST[‘xmlToken’]);
with the following line:
$objXml->loadXML(stripslashes($_POST[‘xmlToken’]));
Rieks