
Identity Archives

January 28, 2007

CardSpace Authentication for OpenSSO

Over the last few months I’ve been digging into CardSpace (InfoCard). My feeling is that we’re on the right track here with a simplified credential paradigm. With the launch of Vista we’re at an interesting point in time where Microsoft will likely push CardSpace in a big way. However, I believe Microsoft has some challenges educating the masses to comprehend and use an InfoCard, but who better than Microsoft to attempt this? ;)

Following the sage information provided by Kim Cameron and Chuck Mortimore, I’ve implemented an authentication plug-in (called a CardSpace AuthModule) for OpenSSO. Quite simply, an end user can use their own InfoCard to authenticate against the OpenSSO security system. What good would an InfoCard be if you couldn’t authenticate with it anywhere?

Below is the use case from the CardSpace docs (I borrowed this picture from Kim’s site; hopefully not a problem) that we’re satisfying. I’ve implemented the authentication mechanism required at the Relying Party (the party consuming the InfoCard) as an AuthModule for OpenSSO.

CardSpace AuthModule flow

Once OpenSSO consumes (validates, and more) the InfoCard token, we can gain access to an otherwise protected site (one that OpenSSO is protecting). The InfoCard token is used as a credential instead of the classic user ID and password. This is good!

Besides the fact that OpenSSO is really good at protecting web resources, by implementing CardSpace authentication as an extension of OpenSSO we gain an enterprise service alongside all the other services offered by an access management system. Just to beat the horse here: an access management system is the right place to build this, not every application that wishes to use CardSpace.

So, on to the good stuff. Here is the flow diagram. Hopefully it is self-explanatory.

Auth Module flow diagram

Auth Module ScreenShots

To set up these screenshots, just pretend you’re accessing a protected site that allows you to use your InfoCard instead of a user ID and password. At first we don’t recognize your InfoCard, so we’ll ask you to authenticate and then link your InfoCard to your existing user identity. After you link your card, you can use it for all subsequent accesses to this protected website. It so happens I’ve built these functions into OpenSSO (my security system).
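As an added example (not code from this post, and not OpenSSO's own AuthModule API), here is the relying-party logic the screenshots walk through, in Python: pull the claims out of the token, check that it is fresh and was issued for this site, and then either log in the account already linked to that card or, for an unknown card, require the existing user ID and password before binding the card. A real CardSpace token arrives as a SAML 1.1 assertion encrypted to the relying party's certificate and signed with the card's key; decrypting it and verifying that signature is assumed to have happened already and must be done before any claim below is trusted. The sample assertion, the relying-party URL, the PPID value and the users and passwords are all constructed for the example.

```python
"""Relying-party side of the flow above: extract claims from a CardSpace token
(a SAML 1.1 assertion), check validity window and audience, then log in the
linked account or require a first-time link proven with the old password.
Added example, not post/OpenSSO code; assumes the token is already decrypted
with the RP certificate and signature-verified. Sample data is constructed."""
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
RP_AUDIENCE = "https://rp.example.com/"   # assumed relying-party URL

class TokenError(Exception): pass

def _ts(value):
    """SAML 1.1 timestamps are UTC, e.g. 2007-01-28T10:00:00Z."""
    if not value:
        raise TokenError("missing timestamp in Conditions")
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def parse_card_token(xml_text, audience, now):
    """Return (issuer, ppid, claims); reject stale or misdirected tokens."""
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer")
    if not issuer:
        raise TokenError("missing Issuer")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise TokenError("missing Conditions")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise TokenError("token outside its validity window")
    if audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise TokenError("token not issued for this relying party")
    claims = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("AttributeNamespace") == CLAIMS:
            value = attr.find(f"{{{SAML}}}AttributeValue")
            claims[attr.get("AttributeName")] = value.text if value is not None else ""
    ppid = claims.get("privatepersonalidentifier")
    if not ppid:
        raise TokenError("missing PPID claim")
    return issuer, ppid, claims

class CardLinker:
    """Maps (issuer, PPID) to an account. The PPID is minted per card and per
    relying party, so that pair, not a mutable claim such as email, is the key."""
    def __init__(self):
        self._pw = {}     # username -> (salt, PBKDF2 digest); constructed users
        self._cards = {}  # (issuer, ppid) -> username
    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def add_user(self, username, password):
        salt = os.urandom(16)
        self._pw[username] = (salt, self._digest(password, salt))
    def check_password(self, username, password):
        rec = self._pw.get(username)
        return rec is not None and hmac.compare_digest(rec[1], self._digest(password, rec[0]))
    def lookup(self, issuer, ppid):
        return self._cards.get((issuer, ppid))
    def link(self, issuer, ppid, username, password):
        """First-time link: prove account ownership with the old credential
        before the card is bound; never silently rebind someone else's card."""
        if not self.check_password(username, password):
            raise PermissionError("password authentication failed")
        if self._cards.get((issuer, ppid)) not in (None, username):
            raise PermissionError("card is already linked to another account")
        self._cards[(issuer, ppid)] = username

def card_login(linker, token_xml, now, link_credentials=None):
    """('ok', user) for a linked card, else ('link_required', card_id) unless
    link_credentials=(username, password) completes the first-time link."""
    issuer, ppid, _claims = parse_card_token(token_xml, RP_AUDIENCE, now)
    user = linker.lookup(issuer, ppid)
    if user is not None:
        return "ok", user
    if link_credentials is None:
        return "link_required", (issuer, ppid)
    linker.link(issuer, ppid, *link_credentials)
    return "ok", link_credentials[0]

# Constructed self-issued card token, already decrypted; the ds:Signature and
# holder-of-key KeyInfo a real token carries are omitted.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
  AssertionID="uuid:0f9d3c1e-7a2b-4d58-9e61-2c4b7f8a1d05" Issuer="{SELF_ISSUER}"
  IssueInstant="2007-01-28T10:00:00Z">
  <saml:Conditions NotBefore="2007-01-28T10:00:00Z" NotOnOrAfter="2007-01-28T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{RP_AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>d2qk8u7NqmGk4zV2wJ3H5xH1Q0rJ2nS9pYd7k3f0a6c=</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling `card_login(linker, SAMPLE_TOKEN, now)` on a fresh `CardLinker` returns `("link_required", ...)`; passing `link_credentials=("alice", password)` performs the link and returns `("ok", "alice")`, after which the same token logs Alice in with no password at all, which is the "subsequent accesses" step in the screenshots. The audience and validity-window checks are what stop a token captured at one relying party from being replayed at another or at a later time, and the card is keyed on issuer plus PPID rather than on the email claim, since the email is self-asserted in a self-issued card and can change.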

Well, there is much more to talk about; I’ll save that for next time. I’m still figuring out a method to release and package this. If you’re interested in more details, please shoot me an email: martin.gee at icsynergy.com. Thanks again to Kim, Chuck and others who have posted good details regarding CardSpace.

February 24, 2007

Reinitialize your OpenSSO instance

I’ve found it pretty common that I want to roll back my OpenSSO instance to its preconfigured state. For example, I’m testing OpenDS integration and it’s not working as desired; in that case I’d like to go back to using the "files" based repository. I’ll post on that shortly. It’s a really quick hit to bring your OpenSSO instance back to its beginning state.

1) Stop the web container that is running OpenSSO.
2) Go to your home directory. The following image is my home dir on my XP instance. You’ll notice two directories, “Access Manager” and “opensso”.
3) Simply delete or rename these directories.
4) Start your web container again and you’ll be back in action.

Documents and Settings

NOTE: As depicted in the next image, I’ve found it a best practice to append “opensso” to the default “Configuration Directory” value; the cleanup instructions above are based on this. If you’ve used the default value you’ll still find an “opensso” directory, but in addition you’ll need to find and delete the “AMConfig.properties” and “serverconfig.xml” files too.

OpenSSO setup
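A scripted version of the steps above, as an added example that is not part of the post: a POSIX shell function for a Unix-like host (the screenshots are from Windows XP, where the same renames are done by hand). It moves the two directories, and the two loose files the default configuration-directory layout leaves behind, under a timestamped backup directory rather than deleting them, so a reset done against the wrong instance can be undone. It assumes the web container has already been stopped and takes the home directory as an argument (defaulting to $HOME); the backup directory name is an invented convention.

```sh
#!/bin/sh
# Reset an OpenSSO instance to its pre-configuration state by moving its
# bootstrap files out of the home directory. Added example, not from the
# post. Assumes the web container is already stopped.
#
# Usage: opensso_reset [home_dir]     (defaults to $HOME)
# Exit status: 0 reset done, 1 move failed, 2 nothing found to reset.
opensso_reset() {
    home_dir="${1:-$HOME}"
    backup="$home_dir/opensso-reset-$(date +%Y%m%d%H%M%S)"   # invented naming
    moved=0
    # "Access Manager" contains a space, so every path is quoted. Both the
    # default and the "...opensso" configuration-directory layouts leave an
    # "opensso" directory; the default layout also drops AMConfig.properties
    # and serverconfig.xml directly into the home directory.
    for item in "Access Manager" opensso AMConfig.properties serverconfig.xml; do
        [ -e "$home_dir/$item" ] || continue
        mkdir -p "$backup" || return 1
        mv "$home_dir/$item" "$backup/" || return 1
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        echo "nothing to reset in $home_dir" >&2
        return 2
    fi
    echo "moved $moved item(s) to $backup; start the web container to reconfigure"
    return 0
}
```

Running `opensso_reset` twice in a row reports "nothing to reset" the second time, which is a quick way to confirm the instance really is back to its initial state before the container is started; once the reconfiguration is known to be good, the backup directory can be removed.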

About Identity

This page contains an archive of all entries posted to Martin's Blog in the Identity category. They are listed from oldest to newest.
