8.9 Configuring Authentication Cards

Use the Authentication Card page to configure a CardSpace authentication card and to manage the profiles assigned to it.

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace > Authentication Card.

  2. Configure the following fields:

    ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of the user interface, you must specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.

    Text: Specify the text that is displayed on the card to the user.

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click Select local image.

    Show Card: Select this option to display the card to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is used only when a service provider requests it.

  3. Select from the following actions:

    New: To create a new profile, click New. For configuration information, see Section 8.9.1, Configuring the General Details of a Card Profile.

    A card profile allows you to provide different authentication options for the same card. When creating a profile, you select the type of provider that can issue the card, the claims that must have values in the card, and the method that is used to identify the user.

    To create an authentication card profile, you must have at least one attribute set available that contains the claims you want to use for the card. To create an attribute set, click Identity Servers > Shared Settings > Attribute Sets.

    Modify: To modify an existing profile, click the name of the profile. For configuration information, see Section 8.9.1, Configuring the General Details of a Card Profile.

    Make Default: To make a profile the default, select the profile, then click Make Default.

    Delete: To delete a profile, select the profile, then click Delete.

  4. Click OK, then update the Identity Server if you have changed the configuration.

8.9.1 Configuring the General Details of a Card Profile

Use the Card Profile page to create a new card profile or to modify an existing profile.

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace > Authentication Card Profiles > New [Name of Profile].

  2. Configure the following fields:

    Name: Specify a display name for the profile.

    ID: (Optional) Specify an alphanumeric value (no spaces) that identifies the card. If you need to reference this card outside of the user interface, you must specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.

    Text: Specify the text that is displayed on the card to the user.

    Issuer: From the drop-down list, select the issuer for the card.

    • Any Trusted or Untrusted Provider or Personal Card: Specifies that the card can be either a personal card or a managed card from both trusted and untrusted providers.

    • Personal Card: Specifies that the card must be a personal card.

    • Any Trusted Provider or Personal Card: Specifies that the card can be either a personal card or a managed card from any trusted provider.

    • <Provider Name>: Specifies that the card must be a managed card from the specified provider. To add a trusted provider, click Identity Servers > Edit > CardSpace > Trusted Providers > New.

    Token Type: Indicates that the authentication credential is a SAML 1.1 token.

  3. Select one of the following actions:

8.9.2 Configuring Attribute Claims

Use the Attributes page to specify the attributes (claims) that must have values.

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace > Authentication Card Profiles > [Name of Profile] > Attributes.

  2. Configure the following fields:

    Attribute Set: From the drop-down list, select the attribute set from which you want to select required and optional attributes. These attributes must match the claims that have been defined for personal cards. If you need to create an attribute set, select New Attribute Set. See Section 6.1, Configuring Attribute Sets.

    Required Attributes: From the list of available attributes, select an attribute and move it to the Required Attribute list. If the managed card is going to be backed by a personal card, make sure the Personal Private Identifier attribute is selected.

    Optional Attributes: From the list of available attributes, select an attribute and move it to the Optional Attribute list.

  3. Select one of the following actions:

8.9.3 Configuring User Identification

Use this page to specify the user identification methods. The options on this page determine whether the user can use the card for single sign-on.

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace > Authentication Card > [Name of Profile] > User Identification.

  2. Configure the following fields:

    Satisfied Contracts: From the list of available contracts, select a contract and move it to the Satisfied Contract list. Select one or more.

    If you are using CardSpace to allow access to Access Gateway protected resources, you must ensure that all contracts specified for a protected resource are satisfied by an authentication profile.

    Allow Federation: Select this option to enable account federation. Enabling this option assumes that a user account exists at the provider or that a method is provided to create an account that can be associated with the user on subsequent logins. If you do not use this feature, authentication is permitted but is not associated with a particular user account.

  3. Select one of the following user identification methods for associating the accounts:

    • Do nothing: Allows the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.

    • Authenticate: Select this option when you want to use login credentials. This option prompts the user to log in to the service provider.

      • Allow ‘Provisioning’: Select this option to allow users to create an account when they have no account on the service provider.

        This option requires that you specify a user provisioning method.

    • Provision Account: Select this option when the users on the identity provider do not have accounts on the service provider. This option allows the service provider to trust any user that has authenticated to the trusted identity provider.

      This option requires that you specify a user provisioning method.

    • Attribute matching: Select this option when you want to use attributes to match an identity server account with a service provider account. This option requires that you specify a user matching method.

      • Prompt for password on successful match: Select this option to prompt the user for a password when the user’s name is matched to an account, to ensure that the account matches.

  4. (Conditional) If you selected a user identification method that requires a matching method or a provision setting, configure the required method.

    Provisioning Settings: Allows you to select or create a user provisioning method. See Section 12.6, Defining the User Provisioning Method. For user provisioning error messages, see Section 12.7, User Provisioning Error Messages.

    Attribute Matching Settings: Allows you to select or create a user matching method. See Configuring the Attribute Matching Method for Liberty or SAML 2.0.

  5. If you are creating a new profile, click Finish, or if you are modifying a profile, click OK.

  6. Click OK, then update the Identity Server.
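The three profile pages above (Issuer in Section 8.9.1, Required and Optional Attributes in Section 8.9.2, Allow Federation and the user identification method in Section 8.9.3) together define a policy that the Identity Server applies to each presented card. The following Python model is an added illustration of that policy and is not Access Manager code: it checks a profile for the configuration conflicts the sections above describe (Do nothing combined with federation, a provisioning or matching method left unset, a personal-backed card without the Personal Private Identifier) and then evaluates a constructed card against the issuer rule and the required claims. The claim names, the `personal` issuer marker, and the provider names are constructed for the example.

```python
"""Hypothetical model of CardSpace authentication card profile evaluation.

Added example only; the data structures and names are assumptions made
for illustration and are not the product's own API.
"""
from dataclasses import dataclass
from typing import Optional

# Issuer choices, mirroring the Issuer drop-down on the Card Profile page.
# Any other string is treated as the name of a specific managed-card provider.
ANY_PROVIDER_OR_PERSONAL = "any_trusted_or_untrusted_provider_or_personal"
PERSONAL_CARD = "personal_card"
ANY_TRUSTED_OR_PERSONAL = "any_trusted_provider_or_personal"

PERSONAL_ISSUER = "personal"          # constructed marker for a self-issued card
PPID = "PersonalPrivateIdentifier"    # constructed name for the PPID claim

# User identification choices from Section 8.9.3.
DO_NOTHING = "do_nothing"
AUTHENTICATE = "authenticate"
PROVISION_ACCOUNT = "provision_account"
ATTRIBUTE_MATCHING = "attribute_matching"


@dataclass
class CardProfile:
    name: str
    issuer_policy: str
    required: frozenset
    optional: frozenset = frozenset()
    backed_by_personal_card: bool = False
    allow_federation: bool = False
    identification: str = DO_NOTHING
    allow_provisioning: bool = False        # only meaningful with AUTHENTICATE
    provisioning_method: Optional[str] = None
    matching_method: Optional[str] = None


@dataclass
class Card:
    issuer: str      # PERSONAL_ISSUER or a managed-card provider name
    claims: dict     # claim name -> value as carried in the presented token


def validate_profile(p: CardProfile) -> list:
    """Return configuration problems, applying the rules stated in 8.9.2 and 8.9.3."""
    problems = []
    if p.identification == DO_NOTHING and p.allow_federation:
        problems.append("'Do nothing' cannot be used when federation is enabled")
    needs_provisioning = p.identification == PROVISION_ACCOUNT or (
        p.identification == AUTHENTICATE and p.allow_provisioning)
    if needs_provisioning and not p.provisioning_method:
        problems.append("a user provisioning method is required")
    if p.identification == ATTRIBUTE_MATCHING and not p.matching_method:
        problems.append("a user matching method is required")
    if p.backed_by_personal_card and PPID not in p.required:
        problems.append(f"{PPID} must be a required attribute when the managed card is backed by a personal card")
    if p.required & p.optional:
        problems.append("an attribute cannot be both required and optional")
    return problems


def issuer_allowed(p: CardProfile, card: Card, trusted_providers: set) -> bool:
    """Apply the Issuer setting of the profile to the card's issuer."""
    if p.issuer_policy == ANY_PROVIDER_OR_PERSONAL:
        return True
    if p.issuer_policy == PERSONAL_CARD:
        return card.issuer == PERSONAL_ISSUER
    if p.issuer_policy == ANY_TRUSTED_OR_PERSONAL:
        return card.issuer == PERSONAL_ISSUER or card.issuer in trusted_providers
    # A named provider: the card must be a managed card from exactly that provider.
    return card.issuer == p.issuer_policy


def evaluate_card(p: CardProfile, card: Card, trusted_providers: set) -> tuple:
    """Decide whether a presented card satisfies the profile.

    Returns (accepted, reason, claims_used). Every required claim must be
    present with a non-empty value; claims outside the profile's required
    and optional sets are dropped so the card cannot supply unexpected attributes.
    """
    if not issuer_allowed(p, card, trusted_providers):
        return False, f"issuer '{card.issuer}' not permitted by profile '{p.name}'", {}
    missing = sorted(c for c in p.required if not card.claims.get(c))
    if missing:
        return False, "missing required claims: " + ", ".join(missing), {}
    allowed = p.required | p.optional
    kept = {c: v for c, v in card.claims.items() if c in allowed and v}
    return True, "ok", kept


if __name__ == "__main__":
    trusted = {"idp.example.com"}                      # constructed trusted provider list
    profile = CardProfile("employee", ANY_TRUSTED_OR_PERSONAL,
                          frozenset({PPID, "emailaddress"}), frozenset({"givenname"}),
                          backed_by_personal_card=True, allow_federation=True,
                          identification=ATTRIBUTE_MATCHING, matching_method="email-match")
    print("profile problems:", validate_profile(profile))
    card = Card(PERSONAL_ISSUER, {PPID: "ppid-1", "emailaddress": "a@example.com",
                                  "givenname": "A", "surname": "B"})
    print(evaluate_card(profile, card, trusted))
```

Running the file with the constructed profile shows no configuration problems and an accepted card whose `surname` claim is dropped because the profile never lists it; changing the issuer to an unlisted provider, or removing the Personal Private Identifier claim, yields a rejection with the reason, which is the kind of detail worth logging on the Identity Server when a card is refused.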