The protected resources on an Access Gateway are designed to rely on contracts for authentication. The CardSpace protocol uses cards for authentication. Therefore, to use the CardSpace protocol as the authentication authority for protected resources, you need to associate an authentication card profile with the authentication contract you are using for the protected resources.
In the Administration Console, click Devices > Identity Servers > Edit > Local > Contracts.
Click the name of the contract you are using for protected resources.
Verify that the Satisfiable by External Provider option is enabled, then click Authentication Card.
Disable the Show Card option, then click OK.
Click CardSpace > Authentication Card, then in the Profiles section, select the profile you want to use with protected resources.
If you select a profile that is configured only for a personal card, the user must supply a personal card to log in.
If you select a profile that is configured for a managed card, the user can supply a managed card to log in.
Click User Identification, then configure the following fields:
Satisfies contract: Select the contract that is used by the protected resource.
Allow federation: Select this option so that the personal private identifier of the card can be associated with a user in the Identity Server’s user store.
Authenticate: Select this method for federation.
Click OK twice, then update the Identity Server.
(Optional) Verify the configuration by requesting access to a protected resource configured to use the contract you have enabled for CardSpace.