8.5 Configuring the Identity Server as an Identity Provider

When the Identity Server is acting as a CardSpace identity provider, you need to configure the Identity Server’s certificates to support CardSpace, configure the underlying STS to support CardSpace, and create a managed card template.

For a basic setup, see Section 8.3.2, Authenticating with a Managed Card.

8.5.1 Replacing the Signing Certificate

For CardSpace and managed cards, the SSL certificate and the signing certificate of the Identity Server must have the same subject name. When you configured the Identity Server for SSL, you replaced the default SSL certificate with one that uses the DNS name of the Identity Server as the common name in the certificate’s subject name. For CardSpace, you also need to replace the default signing certificate. You can use the same certificate for signing as you did for SSL, or a different certificate, provided that its full subject name is identical to that of the certificate you configured for SSL.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Security.

  2. In the Keys and Certificate section, click Signing.

  3. Click Replace.

  4. In the Replace pop-up, click the Select Certificate icon, select the certificate with the correct subject name, then click OK.

  5. When the certificate appears in the Certificate box, click OK, then click Close.

  6. Update the Identity Server.
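The subject-name requirement above is easy to get wrong when two separately issued certificates are used. The following script is an added check, not part of the Access Manager documentation or product: it compares the full subject DN of an SSL certificate and a signing certificate with openssl, which it assumes is installed. The three self-signed certificates it creates are constructed test material standing in for certificates exported from the Identity Server, and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the SSL certificate and the signing certificate
# carry the same full subject DN, as CardSpace requires (Section 8.5.1).
# Assumes openssl is installed and both certificates are available as PEM files.
set -eu

# Print a certificate's subject in RFC 2253 form. This normalises attribute
# order and encoding so that two equal DNs compare equal as plain strings.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print "match" and return 0 when the two certificates share the same full
# subject DN; otherwise report both DNs on stderr and return 1.
same_subject() {
    ssl_dn=$(cert_subject "$1")
    signing_dn=$(cert_subject "$2")
    if [ "$ssl_dn" = "$signing_dn" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH: SSL subject '$ssl_dn' vs signing subject '$signing_dn'" >&2
    return 1
}

# Constructed test material: two certificates with the same subject (the
# situation the documentation requires) and one with a different common name.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
WORK=$(mktemp -d)
make_cert "$WORK/ssl"     "/CN=idp.example.com/O=Example Corp"
make_cert "$WORK/signing" "/CN=idp.example.com/O=Example Corp"
make_cert "$WORK/other"   "/CN=other.example.com/O=Example Corp"

same_subject "$WORK/ssl.pem" "$WORK/signing.pem"          # prints "match"
same_subject "$WORK/ssl.pem" "$WORK/other.pem" || true    # reports MISMATCH
```

Run it against the real exported SSL and signing certificates by replacing the two paths in the final calls; a mismatch means the signing certificate must be replaced as described in the steps above.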

8.5.2 Configuring STS

CardSpace relies on the Security Token Service (STS), which controls what claims are available, what authentication method can be used to validate the credentials on the card, and whether a name identifier is added to the SAML assertion.

  1. In the Administration Console, click Devices > Identity Servers > Edit > STS.

  2. Verify that the CardSpace attribute set is listed in the Attribute sets list.

    The CardSpace attribute set is a default set that ships with Access Manager. It contains all the claims that can be sent with an authentication card.

  3. Click Authentication Methods.

  4. Select a method, move it to the Methods list, then click Apply.

    The PasswordClass understands how to retrieve a name and password from a managed card. A method created from this class must be installed at the STS to provide authentication for the managed card. We recommend that you create a customized method from this class for CardSpace. For information on how to create methods, see Section 3.3, Configuring Authentication Methods.

    If you are using the Secure Name/Password - Form method, you can select this method because it is created from PasswordClass.

    If you have installed a custom class that can retrieve CardSpace credentials and you have created a method for this class, you can select this method. For information on creating a custom authentication class, see Novell Access Manager Developer Tools and Examples.

  5. Click Apply, then click Authentication Request.

    The options displayed allow you to select the format for the name identifier that is returned in the SAML assertion. The selected attribute sets (Identity Servers > Edit > STS > Attribute Sets) determine the values that are available for the formats.

  6. Select a format and value.

    If you select a format without a value type, a random one-time identifier is sent.

    If no attributes are listed for the value type, you need to set up an attribute set. See Step 2.

    None: Indicates that the SAML assertion does not contain a name identifier.

    Unspecified: Specifies that the SAML assertion contains an unspecified name identifier. For the value, select the attribute that the relying party and the identity provider have agreed to use.

    E-mail: Specifies that the SAML assertion contains the user’s e-mail address for the name identifier. For the value, select an e-mail attribute.

    X509: Specifies that the SAML assertion contains an X.509 certificate for the name identifier. For the value, select an X.509 attribute.

  7. Click Apply, then restart the Identity Server:

    1. On the Identity Servers page, select the server, then click Stop > OK.

    2. When the health turns red, select the server, then click Start.

8.5.3 Creating a Managed Card Template

  1. In the Administration Console, click Devices > Identity Servers > Edit > Card Space > Managed Card Templates > New, then fill in the following fields:

    Name: Specify a display name for the template.

    Description: Specify the text to be displayed on the card. This can contain information about how the card can be used or the type of resource that can be accessed with the card.

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click Select local image.

    Require Identification of Relying Party in Security Token: Select this option to require the relying party to provide identification when it requests a security token.

    Allow Users to Back a Managed Card Using a Personal Card: Select this option if you want to allow users to back a managed card with a personal card.

    • When a managed card is backed by a personal card, the user enters the required credentials once, and thereafter only the card is needed for authentication.

    • When a managed card is not backed by a personal card, the user must always enter the required credentials on authentication.

    When the Allow Users to Back a Managed Card Using a Personal Card option is selected, the user is presented with the option to back the managed card with a personal card. When it is not selected, the option to back the managed card with a personal card is removed from the user interface.

  2. Click Next, then fill in the following fields:

    Attribute set: From the list of available sets, select an attribute set. A default attribute set, named CardSpace, is available for CardSpace claims.

    Selected claims: From the list of available claims, select the attributes for the managed card and move them to the list of selected claims.

    Do not remove the Personal Private Identifier claim.

  3. Click Finish.

  4. Update the Identity Server.