A managed card represents metadata about a security token service (STS), such as the service's address, its authentication method, and the claims it issues. When you create a service that issues tokens to identity selectors, you also need to issue managed Information Cards to users. This topic explains how.
Issuing a Card
The following code sample shows how, in the ASP.NET page, to issue managed information cards with hardcoded addresses for the STS and the relying party.
```csharp
// Using directives added for the types the sample references; the namespaces are
// the WIF 3.5 ones (Microsoft.IdentityModel.*) and are not part of the original snippet.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSIdentity;
using Microsoft.IdentityModel.Tokens.Saml11;

protected void IssueCard()
{
    // STS certificate: look it up in the local machine's personal store
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificateCollection = store.Certificates.Find(
        X509FindType.FindBySubjectDistinguishedName, "CN=localhost", true);
    store.Close();

    // Guard added: indexing an empty collection throws an unhelpful exception
    if (certificateCollection.Count == 0)
    {
        throw new InvalidOperationException(
            "No valid STS certificate with subject CN=localhost was found in the local machine store.");
    }
    X509Certificate2 stsCertificate = certificateCollection[0];

    // STS endpoint addresses
    string stsAddress = "http://localhost/Sts";
    string stsMex = "https://localhost/mex";

    // Initialize the card with the STS signing certificate and the STS issuer name
    InformationCard card = new InformationCard(stsCertificate, "http://myissuer");

    // Set the claim types supported by the STS
    card.SupportedClaimTypeList.Add(new DisplayClaim(ClaimTypes.Role));

    // Set the token types supported by the STS
    card.SupportedTokenTypeList.Add(Saml11SecurityTokenHandler.OasisWssSamlTokenProfile11);

    // The TokenService class describes an STS's endpoint information.
    // This code demonstrates how to set up a card for an STS endpoint
    // that expects Kerberos authentication.
    TokenService stsEndpoint = new TokenService(
        new TokenServiceEndpoint(stsAddress, stsCertificate, stsMex, UserCredentialType.KerberosV5Credential));
    card.TokenServiceList.Add(stsEndpoint);

    // Set the card language
    card.Language = "en";

    // Serialize the card and write it out to the current directory
    InformationCardSerializer cardSerializer = new InformationCardSerializer();
    using (FileStream cardStream = new FileStream("InformationCard.crd", FileMode.Create, FileAccess.ReadWrite))
    {
        cardSerializer.WriteCard(cardStream, card);
    }
}
```
Note: It is recommended that your STS maintain a cache of the Information Cards that it issues. This way, when it receives a request to issue a token, it can verify that the request contains a reference to a known and current Information Card. If the reference is to an unknown Information Card, or to an Information Card that has expired, the STS can handle the request accordingly.
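The following is an added example of the card cache the note recommends; it is not code from this page or from WIF. The cache class, its method names and its result codes are assumptions. The card id, version and expiry values would come from the issued InformationCard and from the card reference in the incoming token request; the property names used in the comments (CardId, CardVersion, TimeExpires) are assumed and should be checked against the WIF object model you build against.

```csharp
using System;
using System.Collections.Concurrent;

// Added example: an in-memory registry of issued managed cards that an STS
// consults before issuing a token. Thread-safe so a web-hosted STS can share it.
public sealed class IssuedCardCache
{
    // Outcome of checking the card reference carried in a token request.
    public enum CardCheckResult { Valid, Unknown, Expired, StaleVersion }

    private sealed class Entry
    {
        public long Version;
        public DateTime ExpiresUtc;
    }

    private readonly ConcurrentDictionary<string, Entry> entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);

    // Call at issuance time, right after the card is created and before it is
    // written out: Register(card.CardId, card.CardVersion, card.TimeExpires)
    // (assumed property names). Re-registering an id replaces the old entry,
    // which is what you want when a card is re-issued with a higher version.
    public void Register(string cardId, long cardVersion, DateTime expiresUtc)
    {
        if (string.IsNullOrEmpty(cardId))
        {
            throw new ArgumentException("A card id is required.", "cardId");
        }
        entries[cardId] = new Entry { Version = cardVersion, ExpiresUtc = expiresUtc.ToUniversalTime() };
    }

    // Call when a RequestSecurityToken arrives with a card reference. The STS
    // should issue only on Valid; the other results tell it why to refuse.
    public CardCheckResult Check(string cardId, long cardVersion, DateTime nowUtc)
    {
        Entry entry;
        if (cardId == null || !entries.TryGetValue(cardId, out entry))
        {
            return CardCheckResult.Unknown;      // never issued by this STS, or purged
        }
        if (nowUtc.ToUniversalTime() >= entry.ExpiresUtc)
        {
            return CardCheckResult.Expired;      // card past its TimeExpires
        }
        if (cardVersion != entry.Version)
        {
            return CardCheckResult.StaleVersion; // an older copy of a re-issued card
        }
        return CardCheckResult.Valid;
    }

    // Housekeeping: drop expired entries so the cache does not grow without bound.
    public int PurgeExpired(DateTime nowUtc)
    {
        int removed = 0;
        foreach (var pair in entries)
        {
            Entry ignored;
            if (nowUtc.ToUniversalTime() >= pair.Value.ExpiresUtc && entries.TryRemove(pair.Key, out ignored))
            {
                removed++;
            }
        }
        return removed;
    }
}
```

Keeping the cache keyed by card id and version means a request that references a card the STS never issued, or a copy that predates a re-issue, is refused before any claims are produced; an expired card can be answered with a refusal or a prompt to obtain a fresh card, as the note leaves to the STS. In a multi-instance deployment the same checks apply, but the entries would live in shared storage rather than in process memory.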