Installing and Running your STS for CardSpace

I realized that there are many gotchas when running the sample STS that is posted here. The sample has evolved and the experience has really improved, thanks to Garrett.

Some steps

  1. Download the sample from the site and run the setup script.
  2. Check whether the SSL cert setup executed successfully.
  3. Make sure you have IE7 and that your proxy settings are disabled, because the sample relies on host entries that point to the same machine.
  4. Note that the SSL certs might not show the site in green.
  5. Do read the documentation before you proceed.
  6. Download httpcfg if you can, although the sample should include it. This usually helps if you want to deploy the STS on another machine.


Code Pointers for Managed Cards

  1. When debugging and trying to fix CardSpace, look at the Event Viewer (open the Run dialog and type eventvwr).
  2. Make sure the ACLs are set up using the SSL certificate setup script and that you have httpcfg (or netsh on Vista). You might get this exception:

    There was a failure making a WS-Trust exchange with an external application. Could not retrieve token from identity provider.

    Inner Exception: An error occurred while receiving the HTTP response to This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.
    Inner Exception: The underlying connection was closed: An unexpected error occurred on a receive.
    Inner Exception: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
    Inner Exception: An existing connection was forcibly closed by the remote host

    When you build a CardSpace site, make sure you access it over SSL, or you get a script access denied error.

  3. Make sure your claims are of the form
    <object type="application/x-informationcard" name="_xmlppidToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="requiredClaims" value="" />
    </object>

    And not

  4. Another thing that you may come across is an exception of this form:
    throw new ArgumentException(String.Format("Claim {0} not found", uri));
    You can either throw like this or set up the proper claims that are required by the site.
    The STS should be modified to return the set of claims that the other organization is requesting. You can do this by overriding the RequestSecurityTokenResponse class, which implements BodyWriter in the sample, and updating the token addition method.

        protected List<SamlAttribute> GetTokenAttributes()
        {
            System.Diagnostics.Debug.WriteLine("GetTokenAttributes - Started");

            List<SamlAttribute> result = new List<SamlAttribute>();

            //result.Add(new SamlAttribute(new Claim(ClaimTypes.PPID , "*Fill in this field*", Rights.PossessProperty)));

            // Claims for the user making the current request
            List<Claim> claims = IdentityManager.GetCurrentRequestUserClaims();

            // Every claim becomes one attribute of the issued SAML token
            foreach (Claim claim in claims)
            {
                result.Add(new SamlAttribute(claim));
            }

            // Log before returning so the line is actually reached
            System.Diagnostics.Debug.WriteLine("GetTokenAttributes - Ended");

            return result;
        }



    You can also check the PPID claim that the user has sent in a custom authentication module, for example an IdentityManager.

  5. CardSpace might not be able to communicate with the STS. Try to retrieve the data by picking the managed card and check the event log, or use DebugView and watch the debug output, because CardSpace runs in a very secure mode and Visual Studio debugging doesn't seem like an option.
  6. When reading the tokens in the destination site you might get:

    The X.509 certificate, O=Fabrikam, L=Redmond, S=Washington, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

    By default the revocation mode for the X509SecurityTokenAuthenticator is online. You can work around this by turning off certificate checking in the Token Processor, as in the constructor below. X509CertificateValidator.None accepts any certificate, so this is not a general solution, but it gets your managed card and STS demos working.

    Token(String xmlToken)
    {
        byte[] decryptedData = decryptToken(xmlToken);

        XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));

        m_token = (SamlSecurityToken)WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null);

        // Demo workaround: X509CertificateValidator.None skips all certificate validation
        SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>(
            new SecurityTokenAuthenticator[]{
                new RsaSecurityTokenAuthenticator(),
                new X509SecurityTokenAuthenticator(X509CertificateValidator.None) }), MaximumTokenSkew);

        if (authenticator.CanValidateToken(m_token))
        {
            ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);

            m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
        }
        else
        {
            throw new Exception("Unable to validate the token.");
        }
    }
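
A narrower alternative to X509CertificateValidator.None for the Token constructor above, as an added example that is not part of the sample's code: a validator that still builds the certificate chain and skips only the revocation lookup, then pins the chain root. The names OfflineChainValidator, DemoAuthenticators and Create and the rootThumbprint parameter are hypothetical, and the example assumes the issuer's root certificate is installed in the machine's trusted root store.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical names): validates the issuer certificate chain
// without contacting a revocation server, and pins the chain root.
sealed class OfflineChainValidator : X509CertificateValidator
{
    private readonly string m_rootThumbprint;

    public OfflineChainValidator(string rootThumbprint)
    {
        m_rootThumbprint = rootThumbprint;   // supplied by the caller, not from the sample
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");
        X509Chain chain = new X509Chain(true);   // machine store context
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Build still checks signatures, validity dates and root trust.
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException(
                "Chain building failed for " + certificate.Subject);
        // The last chain element is the root; it must be the one we expect.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!String.Equals(root.Thumbprint, m_rootThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Unexpected root for " + certificate.Subject);
    }
}

static class DemoAuthenticators
{
    // Replacement for the authenticator built in the Token constructor.
    public static SamlSecurityTokenAuthenticator Create(string rootThumbprint, TimeSpan maxSkew)
    {
        return new SamlSecurityTokenAuthenticator(
            new List<SecurityTokenAuthenticator>(new SecurityTokenAuthenticator[] {
                new RsaSecurityTokenAuthenticator(),
                new X509SecurityTokenAuthenticator(new OfflineChainValidator(rootThumbprint)) }),
            maxSkew);
    }
}
```

In the constructor, the authenticator assignment would become a call to DemoAuthenticators.Create with the root thumbprint of your own issuer and MaximumTokenSkew.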




I hope after all these steps you are a step closer to the managed card STS sample.