How to: Build a Managed Card Issuance Site

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

A managed card represents metadata about a security token service (STS), such as the service's address, its authentication method, and the claims it issues. When you create an STS that issues tokens to Identity Selectors, you also need to issue managed Information Cards to your users. This topic explains how.

Issuing a Card

The following code sample shows how to issue a managed Information Card from an ASP.NET page, using hardcoded addresses for the STS and the relying party.

// Namespaces needed by this sample (WIF 3.5 types live in Microsoft.IdentityModel.dll)
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSIdentity;
using Microsoft.IdentityModel.Tokens.Saml11;

protected void IssueCard()
{
    // STS signing certificate, looked up in the local machine's personal store.
    // The last argument (validOnly = true) skips expired or otherwise invalid certificates.
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    X509Certificate2Collection certificateCollection;
    try
    {
        store.Open(OpenFlags.ReadOnly);
        certificateCollection = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=localhost", true);
    }
    finally
    {
        store.Close();
    }
    // Fail clearly instead of indexing into an empty collection
    if (certificateCollection.Count == 0)
    {
        throw new InvalidOperationException("No valid STS certificate with subject CN=localhost was found.");
    }
    X509Certificate2 stsCertificate = certificateCollection[0];

    // STS endpoint addresses (hardcoded for this sample)
    string stsAddress = "https://localhost/Sts";
    string stsMex = "https://localhost/mex";
    // Initialize the card with the STS signing certificate and the STS issuer name
    InformationCard card = new InformationCard(stsCertificate, "http://myissuer");
    // Set the claim types supported by the STS
    card.SupportedClaimTypeList.Add(new DisplayClaim(ClaimTypes.Role));
    // Set the token types supported by the STS
    card.SupportedTokenTypeList.Add(Saml11SecurityTokenHandler.OasisWssSamlTokenProfile11);
    // The TokenService class describes an STS's endpoint information.
    // This code demonstrates how to set up a card for an STS endpoint
    // that expects Kerberos authentication.
    TokenService stsEndpoint = new TokenService(new TokenServiceEndpoint(stsAddress, stsCertificate, stsMex, UserCredentialType.KerberosV5Credential));
    card.TokenServiceList.Add(stsEndpoint);
    // Set the card language
    card.Language = "en";
    InformationCardSerializer cardSerializer = new InformationCardSerializer();
    // Write the card to the current directory; the using block closes the stream even if WriteCard throws
    using (FileStream cardStream = new FileStream("InformationCard.crd", FileMode.Create, FileAccess.Write))
    {
        cardSerializer.WriteCard(cardStream, card);
    }
}

Note

It is recommended that your STS maintain a cache of Information Cards that it issues. This way, when it receives a request to issue a token, it can verify that the request contains a reference to a known and current Information Card. If the reference is to an unknown Information Card, or to an Information Card that has expired, the STS can handle the request accordingly.
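The cache described in the note above, as an added C# example; this is not code from the original topic or from WIF itself. It assumes the STS records each card's id, version and expiry at issuance time (the card id and version values below are constructed placeholders) and that, when a token request arrives, the STS has already extracted the requesting card's id and version from the request (for example inside an override of the STS's ValidateRequest method; how that reference is read from the request is not shown here).

```csharp
using System;
using System.Collections.Generic;

// Outcome of checking a token request's card reference against the cache of issued cards.
public enum CardCheckResult { Valid, UnknownCard, StaleVersion, Expired }

// In-memory registry of the Information Cards this STS has issued.
// Keyed by card id; each entry records the version issued and the card's expiry time.
// A production STS would back this with durable storage shared by all STS nodes.
public class IssuedCardCache
{
    private sealed class Entry
    {
        public int Version;
        public DateTime ExpiresUtc;
    }

    private readonly Dictionary<string, Entry> _cards = new Dictionary<string, Entry>(StringComparer.Ordinal);
    private readonly object _lock = new object();

    // Called at issuance time, right after the card has been written out.
    // Re-issuing a card with a new version replaces the old record, so a selector
    // still holding the superseded version is rejected as stale.
    public void Register(string cardId, int cardVersion, DateTime expiresUtc)
    {
        if (string.IsNullOrEmpty(cardId)) throw new ArgumentException("cardId is required", "cardId");
        lock (_lock)
        {
            _cards[cardId] = new Entry { Version = cardVersion, ExpiresUtc = expiresUtc };
        }
    }

    // Called when a token request arrives. The current time is a parameter so the
    // check is deterministic and easy to unit test.
    public CardCheckResult Check(string cardId, int cardVersion, DateTime nowUtc)
    {
        Entry entry;
        lock (_lock)
        {
            if (cardId == null || !_cards.TryGetValue(cardId, out entry)) return CardCheckResult.UnknownCard;
        }
        if (entry.Version != cardVersion) return CardCheckResult.StaleVersion;
        if (nowUtc >= entry.ExpiresUtc) return CardCheckResult.Expired;
        return CardCheckResult.Valid;
    }

    // Drops expired entries; run periodically so the cache does not grow without bound.
    public int Purge(DateTime nowUtc)
    {
        lock (_lock)
        {
            var expired = new List<string>();
            foreach (KeyValuePair<string, Entry> kv in _cards)
            {
                if (nowUtc >= kv.Value.ExpiresUtc) expired.Add(kv.Key);
            }
            foreach (string id in expired) _cards.Remove(id);
            return expired.Count;
        }
    }
}

public static class IssuedCardCacheDemo
{
    public static void Run()
    {
        var cache = new IssuedCardCache();
        // Constructed sample values: a card issued at a fixed time with a 30-day lifetime
        DateTime issuedUtc = new DateTime(2010, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        cache.Register("urn:uuid:sample-card-0001", 1, issuedUtc.AddDays(30));

        // Each call represents the card reference found in a separate token request
        Console.WriteLine(cache.Check("urn:uuid:sample-card-0001", 1, issuedUtc.AddDays(1)));
        Console.WriteLine(cache.Check("urn:uuid:sample-card-9999", 1, issuedUtc.AddDays(1)));
        Console.WriteLine(cache.Check("urn:uuid:sample-card-0001", 2, issuedUtc.AddDays(1)));
        Console.WriteLine(cache.Check("urn:uuid:sample-card-0001", 1, issuedUtc.AddDays(31)));

        Console.WriteLine("purged " + cache.Purge(issuedUtc.AddDays(31)) + " expired card(s)");
    }
}
```

The four Check calls in the demo cover the cases the note names: a reference to a current card, to a card the STS never issued, to a superseded version of a known card, and to a card whose lifetime has passed. Only the first should lead to a token being issued; the STS decides what to do with the other three (typically refusing the request), and the result enum keeps those decisions out of the cache itself.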