
Blog


    October 26

    PDC – Leaving Sydney Tomorrow

    I can’t wait to get on my flight to PDC2008 tomorrow.

    Looking over the session times I have some conflicting spots, as I’m targeting the Identity, Cloud Services and ASP.NET tracks.

    I’m really looking forward to hooking up with the Identity Teams, so I can build some greater inroads into the solutions Microsoft are offering.

    I can’t wait to get my hands on the 160GB HDD with all the conference material, too.

    It is going to be a whirlwind journey, as I arrive in LA on the Monday morning then go straight to the conference. Four days of mega-geekiness, finishing on Thursday. Then, on Thursday night, back on the plane for a Saturday arrival.

    No rest for the wicked!

    September 12

    Zermatt Sample Walkthrough: Simple STS For Active Clients – Part One

    The Microsoft Code Name "Zermatt" Beta contains many samples, so I’ve decided to do a walkthrough of an interesting one: the Simple STS for Active Clients.

    Active Clients use WS-Trust to communicate with their services. For most people, your Active Client will be Windows CardSpace.

    The Zermatt documentation specifies the process for implementing an Active STS as:

    1. Create a class for your STS, inheriting from the SecurityTokenService class
      1. Override GetScope
      2. Override GetOutputSubjects
    2. Create a class for your configuration settings, inheriting from SecurityTokenServiceConfiguration.
    3. Instantiate your STS configuration class.
    4. Instantiate the WSTrustServiceHost, using the configuration class you just instantiated.

    Creation of the STS class

    The sample defines MySecurityTokenService in the SimpleActiveSTS project, which inherits from the SecurityTokenService class.

    Let’s take a look at the SecurityTokenService class; we are interested in the methods that are indicated:

    [Class diagram: SecurityTokenService]

    Overriding the GetScope Method

    In the sample code, we can see the GetScope method is overridden:

    protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
    {
        // Validate the AppliesTo on the incoming request
        ValidateAppliesTo( request.AppliesTo );

        // Create the scope using the request AppliesTo address and the STS signing certificate
        Scope scope = new Scope( request, SecurityTokenServiceConfiguration.SigningCredentials );

        // In this sample app only a single RP identity is shown, which is localhost, and the certificate of that RP is
        // populated as encryptingCreds
        // If you have multiple RPs for the STS you would select the certificate that is specific to
        // the RP that requests the token and then use that for encryptingCreds
        EncryptingCredentials encryptingCreds = new X509EncryptingCredentials(
                                                    CertificateUtil.GetCertificate(
                                                                    StoreName.My,
                                                                    StoreLocation.LocalMachine,
                                                                    encryptingCertificateName ) );

        // Set the RP certificate for encryption
        scope.EncryptingCredentials = encryptingCreds;

        return scope;
    }

    However, overriding GetScope is not essential. The Zermatt documentation states: “It is strongly recommended that you also override GetScope to process incoming RequestSecurityToken objects to make policy based decisions and determine any EncryptingCredentials used to encrypt the outgoing issued tokens.”

    GetScope calls the ValidateAppliesTo method:

    void ValidateAppliesTo( EndpointAddress appliesTo )
    {
        if ( appliesTo == null )
        {
            throw new InvalidRequestException( "The appliesTo is null." );
        }

        if ( !appliesTo.Uri.Equals( new Uri( addressExpected ) ) )
        {
            Console.WriteLine( "The relying party address is not valid. " );
            throw new InvalidRequestException( String.Format( "The relying party address is not valid. Expected value is {0}, the actual value is {1}.", addressExpected, appliesTo.Uri.AbsoluteUri ) );
        }
    }

    In the above code snippet you can see that the code ensures that the RST’s AppliesTo address matches the sample’s expected relying party (the sample’s client application). We get these details from the RequestSecurityToken class:

    [Class diagram: RequestSecurityToken]

    If any other relying party makes the request the STS throws an InvalidRequestException, another Zermatt class:

    [Class diagram: InvalidRequestException]

    The Zermatt documentation states for the InvalidRequestException: “Throw this exception when the request was invalid or malformed”.

    GetScope builds a Scope object that tells Zermatt to encrypt the issued token specifically for the relying party named in the request. The Scope object allows a few other properties to be set. Unfortunately the Zermatt documentation omits details for the Scope class, so I’m not going to go into great detail here.

    [Class diagram: Scope]
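    As an added illustration (not code from the Zermatt sample or from this post), here is how GetScope could be generalised to the multiple-relying-party case that the sample’s own comment describes: the RP’s AppliesTo address selects the encryption certificate, and an unregistered address is rejected with InvalidRequestException before any Scope is built. The RelyingPartyRegistry dictionary, its addresses and certificate subject names, the base constructor signature and the Microsoft.IdentityModel namespaces are assumptions; CertificateUtil is the sample’s own helper as used above.

```csharp
// Added example: a multi-relying-party GetScope, generalising the sample's single "localhost" RP.
// Namespaces are assumed to follow the Zermatt beta layout; CertificateUtil is the sample's helper.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class MultiRelyingPartySecurityTokenService : SecurityTokenService
{
    // Constructed registry: AppliesTo address -> subject name of that RP's encryption certificate.
    // A real STS would load this from configuration or a database rather than a literal.
    private static readonly IDictionary<Uri, string> RelyingPartyRegistry =
        new Dictionary<Uri, string>
        {
            { new Uri("http://localhost:6020/RelyingParty"), "CN=localhost" },
            { new Uri("https://portal.example.com/"),        "CN=portal.example.com" },
        };

    public MultiRelyingPartySecurityTokenService( SecurityTokenServiceConfiguration configuration )
        : base( configuration )
    {
    }

    protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
    {
        // Reject the request before a Scope exists if AppliesTo is missing or not registered.
        string encryptingCertificateName = ResolveEncryptingCertificateName( request.AppliesTo );

        Scope scope = new Scope( request, SecurityTokenServiceConfiguration.SigningCredentials );

        // Encrypt the issued token for the RP that was actually asked for, never a default one.
        scope.EncryptingCredentials = new X509EncryptingCredentials(
            CertificateUtil.GetCertificate( StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName ) );

        return scope;
    }

    // Returns the certificate subject name for a registered RP, or throws InvalidRequestException.
    internal static string ResolveEncryptingCertificateName( EndpointAddress appliesTo )
    {
        if ( appliesTo == null || appliesTo.Uri == null )
        {
            throw new InvalidRequestException( "The appliesTo is null." );
        }

        string certificateName;
        if ( !RelyingPartyRegistry.TryGetValue( appliesTo.Uri, out certificateName ) )
        {
            // The error names only the rejected address; it does not enumerate the registered RPs.
            throw new InvalidRequestException( String.Format(
                "The relying party address {0} is not registered with this STS.", appliesTo.Uri.AbsoluteUri ) );
        }

        return certificateName;
    }

    public override ClaimsIdentityCollection GetOutputSubjects( Scope scope, IClaimsPrincipal principal, RequestSecurityToken request )
    {
        // Same approach as the sample: copy the caller's name claim into the issued identity.
        IClaimsIdentity callerIdentity = (IClaimsIdentity)principal.Identity;
        IClaimsIdentity outputIdentity = new ClaimsIdentity();
        outputIdentity.Claims.Add( new Claim( System.IdentityModel.Claims.ClaimTypes.Name, callerIdentity.Name ) );

        ClaimsIdentityCollection subjects = new ClaimsIdentityCollection();
        subjects.Add( outputIdentity );
        return subjects;
    }
}
```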

    Overriding the GetOutputSubjects Method

    MySecurityTokenService overrides the GetOutputSubjects method as specified by the Zermatt documentation: “When implementing a derived class of SecurityTokenService, you must provide an implementation for GetOutputSubjects.”

    Here’s the code for the GetOutputSubjects method:

    public override ClaimsIdentityCollection GetOutputSubjects( Scope scope, IClaimsPrincipal principal, RequestSecurityToken request )
    {
        IClaimsIdentity callerIdentity = (IClaimsIdentity)principal.Identity;
        Console.WriteLine( "\nRequest from: " + callerIdentity.Name + "\n" );

        ClaimsIdentityCollection outputClaimCollection = new ClaimsIdentityCollection();
        IClaimsIdentity outputIdentity = new ClaimsIdentity();

        // Create a name claim from the incoming identity.
        Claim nameClaim = new Claim( System.IdentityModel.Claims.ClaimTypes.Name, callerIdentity.Name );

        // Create an 'Age' claim with a value of 25. In a real scenario, this may likely be looked up from a database.
        Claim ageClaim = new Claim( "http://ZermattSamples/2008/05/AgeClaim", "25", ClaimValueTypes.Integer );

        outputIdentity.Claims.Add( nameClaim );
        Console.WriteLine( "ClaimType  : " + nameClaim.ClaimType );
        Console.WriteLine( "ClaimValue : " + nameClaim.Value );
        Console.WriteLine();

        Console.WriteLine( "ClaimType  : " + ageClaim.ClaimType );
        Console.WriteLine( "ClaimValue : " + ageClaim.Value );
        Console.WriteLine( "===========================" );

        outputIdentity.Claims.Add( ageClaim );

        outputClaimCollection.Add( outputIdentity );

        return outputClaimCollection;
    }

    This code obtains the caller’s identity and writes its name to the console, showing who made the request.

    The code then constructs a ClaimsIdentity object, where Claim objects are stored and returned to the requestor. The code creates two claims, one for name and one for age. The method then returns the ClaimsIdentityCollection for Zermatt to respond with.

    [Class diagram: ClaimsIdentity]

    Concluding Part One

    Zermatt provides a very simple way of generating RSTR messages: inherit from the SecurityTokenService class and override the GetOutputSubjects method.

    If you require, you can optionally override the GetScope method, where you have the ability to target the RSTR message at a particular relying party, or abort the request completely by throwing an InvalidRequestException.

    I must say that having done some prototyping on the sharpSTS platform I find both offerings to be very compelling. Zermatt certainly has a nice method of consumption, and its greater feature set makes it my preferred option.

    In Part Two, I’ll walk through the code that hosts the service and then the client.

    Please provide me feedback: Too many class diagrams, too much code, not enough text? I’m trying to hit the nuts and bolts level of Zermatt.

    September 08

    Zermatt and Full Trust in ASP.NET

    As I've been upgrading the CardSpace Authentication Provider for DotNetNuke to use Zermatt as its core I've found that you still need to run your ASP.NET application in full trust.

    This is a disadvantage for systems that have a target market of shared hosting providers, as many providers will not grant the elevated privilege. DotNetNuke as a bare platform has been able to run in medium trust environments for some time.

    In the CardSpace Authentication Provider for DotNetNuke we use some code to determine whether the application is running in full trust:

    public override bool Enabled
    {
        get
        {
            try
            {
                // Make sure we are running in full trust.
                new AspNetHostingPermission(AspNetHostingPermissionLevel.Unrestricted).Demand();

                // Return whether the user has enabled CardSpace.
                return Config.GetConfig(PortalId).Enabled;
            }
            catch (System.Security.SecurityException)
            {
                // The app isn't running in full trust so return false to disable CardSpace.
                return false;
            }
        }
    }

    I've submitted feedback to Vittorio Bertocci about my recommendations, and I hope this is solved in the near future.

    (Microsoft, thank you so much for Zermatt. It'll let us Identity Metasystem freaks move off your sample TokenProcessor classes! Woo hoo!)

    September 06

    Moving into Live Spaces

    After being revitalised by Tech.Ed in Sydney, I've decided to revamp my blog and bring down my old DotNetNuke web site. I've just evaluated WordPress and Live Spaces, and Live seems to suit my style a little more.

    This isn't a sign that I'm moving away from DotNetNuke; I'm still committed to supporting it in my professional career. The main reason is that I've had my own virtual server in the cloud running my site, and I want to reduce my costs.

    Over the next few weeks I'm going to start blogging about my experiences with Zermatt, as I create a secure token server for DotNetNuke. This will also kick off the upgrade of the CardSpace Authentication Provider for DotNetNuke to support managed cards. If I can convince the DotNetNuke core team to publish my STS, all the other DotNetNuke sites may gain easy access to the 600 thousand registered users on the DotNetNuke web site.

    October 14

    CardSpace AJAX Control for ASP.NET AJAX Control Toolkit Live on CodePlex

    I have been speaking with the guys on the AJAX Control Toolkit and they have requested that I get the control onto CodePlex.

    So, here it is: http://www.codeplex.com/CardSpaceAjax

    October 07

    ASP.Net AJAX Control ToolKit Extender for CardSpace

    I've created a control based on the ASP.NET AJAX Control Toolkit that gives a web site the ability to easily add cross-browser support for CardSpace and other Identity Selectors.

    The concept is loosely based on Dominick Baier's CardSpace Control for ASP.NET; however, I think that you'll find it should be more flexible in regards to the UI abilities.

    I have offered the control to the ASP.NET AJAX Control Toolkit team and they are considering its inclusion in the project.

    This prototype code is attached to this blog entry.

    CsAjax.zip

    August 30

    I'm going to Vegas! DotNetNuke OpenForce and DevConnections

    DotNetNuke is having its first ever conference - DotNetNuke OpenForce '07 - and I'll be there!

    I'm really looking forward to all the things on the DotNetNuke schedule, and because the event is coupled with the DevConnections event, I may even pop in there to see what's going on.

    DotNetNuke Core Team members and Super-Duo Philip Beadle and Lorraine Young will be there leading the Australian contingent.

    I just booked my conference ticket and hotel room. It'll be my first trip to the United States and I'm looking forward to it very much. It's a shame that I'll only be there for the conference and then I'll be coming straight back - but it will be worth it nonetheless.

    Also I'd love to pay respect to my employer, Readify, the greatest company I've ever known. Readify place such importance on their staff. Even though I'll be paying for the trip myself, Readify are really helping out by letting me use a week out of my 23 fully paid Professional Development days.

    I love Readify!

    August 29

    DotNetNuke CardSpace Authentication Provider in Beta

    To all those that have asked me for an advance copy of the CardSpace Authentication Provider for DotNetNuke I thank you for your patience.

    The provider is now a part of the standard DotNetNuke installation in DNN 4.6. Right now you'll need to sign up to the DotNetNuke Beta testing program here: http://www.dotnetnuke.com/LinkClick.aspx?link=1123&tabid=510&mid=2027

    Please send any feedback to me. The installation instructions haven't been published yet so unless you've got some CardSpace deployment experience you'll probably have an issue or two. Firstly, remember that you'll need SSL on your web site (shared SSL will be enough) before you can even contemplate using CardSpace on your site.

    August 21

    CardSpace in Silverlight 1.1

    This is gold: http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2007/08/09/9571.aspx

    I love how he uses the Silverlight 1.1 scripting bridge to overcome Silverlight's existing limitations.

    August 20

    CardSpace in LiveID: Where's the STS?

    As LiveId now supports information cards for authentication it seems that Microsoft are getting the whole machine behind the technology publicly.

    You can now sign into Hotmail and various other sites using a self-issued card.

    But the process seems kind of funny to me: the identity metasystem was designed for Identity Providers to run their own STS - and for site providers to act as relying parties.

    However, the current model for LiveId is topsy-turvy. LiveId acts as an RP and your computer acts as the STS.

    This means that web sites that want to use CardSpace for authenticating LiveId based users need to have a system of HTTP redirects in place - this messes with the security of the identity metasystem and gives the user an inconsistent experience.

    I hope that Microsoft soon expose a LiveId STS and then issue managed Information Cards to LiveId users. Then web sites will be able to act as Relying Parties, LiveId can act as the STS, and the user gets the true benefits of CardSpace: greater security and a better user experience.

    Yes I know my CardSpace DotNetNuke module is broken!

    I broke it a few days ago while preparing for the upcoming release of DotNetNuke 4.6.

    I have written the DotNetNuke CardSpace Authentication Provider - which will be released to benefactors quite soon - and then to the wider public.

    Until this release is complete I won't have the time to get the CardSpace module on this site running properly.

    This will be my first official release of any open source software - so wish me luck! All feedback welcome...

    Capturing a CardSpace session with Camtasia

    With the recent new functionality in Microsoft's LiveId / CardSpace integration I thought it would be useful to give Microsoft some feedback about the CardSpace user experience when signing into LiveId services.

    I opened up Camtasia and recorded a session associating an Information Card with my LiveId, and then signing into Hotmail.

    Unfortunately it didn't work - CardSpace runs in a separate desktop - and Camtasia didn't capture the window.

    I asked my mate at MS, Steven Woodward, what I should do - he gave me the easy (and obvious) answer - run the CardSpace demo in a VPC, and then use Camtasia to capture the whole session.

    I hope someone finds this useful.

    Blend 2 August Preview Problems

    I recently installed Blend 2 August Preview in order to cut some Silverlight 1.1 CardSpace examples.

    I started by using the W2K3 VS2008 Beta 2 TFS VPC image, then installed Blend 2 and the VS2008 Silverlight Alpha Tools.

    Unfortunately the "Open in Expression Blend" context menu option in VS2008 failed, when Blend2 came up and said "The name Canvas does not exist in the namespace http://schemas.microsoft.com/winfx/2006/xaml/presentation".

    There was also another symptom: When you open the "New Project" dialog in Blend2 the Silverlight (.Net) and Silverlight (.Net "Orcas") options were missing.

    After a few hours thinking that I had the installation order incorrect, and talking to fellow Readifarian Damian Edwards, I found that there are two builds of the Blend 2 August Preview: 2.0.1075 and 2.0.1077. Damian is running the older one on Vista without problems.

    I found this link: http://silverlight.net/forums/p/3628/10697.aspx which pointed me to the later build. This one works fine on the W2K3 image.

    August 13

    CruiseControl, Watin and NUnit

    I got CruiseControl testing my Watin scripts today, after a couple of tricks:

    • Run NUnit with an app.config file for your test assembly, and specify that NUnit needs to run with a Single Threaded Apartment. See here: Thread.ApartmentState, running Watin with NUnit
    • Run CruiseControl as an application, not a service. I didn't try whether the "Allow service to interact with the desktop" worked, as the local system account wouldn't have been able to get to my VSS server.

    Drop me a line if you have any other questions about it.

    June 26

    CardSpace Logo Released

    Some time back MS hinted that a new logo for Web Sites that accept Information Cards would be available.

    Finally, it has been released. Mike Jones was first to announce it, as far as I can tell: http://self-issued.info/?p=17.

    I've got the logo built into the DotNetNuke CardSpace package.

    I'm still talking with the DNN folk about integration, things are looking good on that front.

    June 06

    Quiet Times and DotNetNuke CardSpace Integration

    Sorry to all that have been awaiting the latest release of the DotNetNuke CardSpace module. I've been offline for close to a month now as I have had a baby, and it turns out that she has got Cystic Fibrosis.

    It has been a big shock to my wife and me, however we're getting through it and learning how to deal with it. It is heartbreaking to have to give a baby disgusting drugs and to perform physiotherapy on her as she cries at the top of her lungs.

    I've started working on the module again. I've also signed the paperwork to donate the module to the DotNetNuke Core, so in the coming months you'll see the module come in every installation of DotNetNuke.

    DotNetNuke has recently appointed a new Team Leader for the Active Directory Authentication Provider project. CardSpace is coming on board soon. Also, there are conversations about OpenID and a more generic LDAP provider.

    This increase in DotNetNuke's authentication abilities will improve DNN's user experience. As there are all these different methods, the DotNetNuke team are currently overhauling the interfaces between the DotNetNuke Core and the Authentication Providers. This work will take some time.

    To all those that have requested a copy of the module, please be patient, I'll have something that you can use quite soon. That is, provided the DotNetNuke Team do not wish me to withhold it.

    May 08

    New Business Opportunities from CardSpace

    After listening to Garrett's (and friends) presentation at MIX07 on CardSpace, my eyes were opened to the new wave of business opportunities that the identity metasystem will give.

    The presentation cited a new Canadian business that is using managed cards providing claims that capture information about people's body sizes.

    Users can use these managed cards to sign in to sites selling clothes, and then they can be directed to clothes that fit their body shape. Also, the users can use models to visualise what the clothes would look like when worn.

    This is a very simple example of how claims based systems can create new businesses and enhance the offering of existing businesses to the consumer.

    CardSpace, Clocks and SAML Tokens

    Today my blog would not accept my Information Card when I tried to log in.

    I got this error: The SamlToken is not time valid. The current time '5/7/2007 1:57:23 PM' is outside the Effective '5/7/2007 2:02:27 PM' and Expiration '5/7/2007 3:02:27 PM' time of the token.

    The relying party checks the token's Effective and Expiration times against its own clock, so the clocks of the two systems handling the SAML token (the issuer and the relying party) must agree.

    Make sure your server has the right time and timezone set, otherwise users will not be able to authenticate.

    May 05

    The Pamela Project - CardSpace for Everyone

    The Pamela Project is a group of people that are building plugins and additions for existing web site frameworks that add CardSpace support.

    This is a great initiative, along the lines of the work that I have been doing for DotNetNuke.

    May 03

    MIX07 CardSpace by Garrett Serack

    Here's a great presentation delivered by Garrett Serack at MIX07.

    Garrett demonstrates Microsoft's latest CardSpace reference sample, and the CardSpace patterns outlined in my last post.

    http://sessions.visitmix.com/silverlight/v1/videos/XBD07.wmv