When a user tells CardSpace to “send” identity data from a self-issued card to a web site, it posts a SAML token using the action attribute in the HTML form containing an x-informationCard Object tag.
In the simple, no-ssl case, this information will not be encrypted, so you can just treat it as an XML blob. You can test this out by making the form's action a script like this one:
This script just takes everything that is posted to the web server by CardSpace after processing the invocation form, and reflects it back as an “XML encoding”. The result is shown in my demo, and in the no-ssl zip file as result.xml.
As pedagogical as the XML dump may be, it isn't a good sample of how you would consume claims. For that, let's look at the following script:
GetClaims() shown above is just a way of pulling values out of an XML document – use your own instead. You will see that the givenname and privatepersonalidentifier claims used here are retrieved with this simple code.
[Note: the raw XML display code above did not include the stripslashes function when I first posted it, which caused the function to fail in certain php configurations. Thanks to Alex Fung from Hong Kong for the report.]