Carillon STS is a PHP-based Federated Identity Provider (IdP) which is capable of acting as a Secure Token Service (STS) compatible with Windows CardSpace and other "infocard" implementations. The project has been successfully tested with CardSpace, as well as with Chuck Mortimore's Firefox identity selector plugin.
Once installed and configured, the Carillon STS allows a user to authenticate himself, either by password or by X.509 certificate, whereupon he is issued a digitally signed infocard containing some standard identity claims and optionally some customizable identity claims. When he presents this infocard to a Relying Party's (RP's) site, his browser's identity selector requests a SAML token from the Carillon STS.
If the authentication information is still valid, a digitally signed token will be issued with the various claims asserted. The browser takes this token, checks the digital signature, encrypts it for the RP, and passes it along. It is the RP's responsibility to decrypt the SAML token, check the digital signature, check the asserted claims, and make an access decision based on this information.
What's New in This Release:
· This version updates the X.509 support so that it works properly with Windows CardSpace.
· The infocard now contains the correct kind of UserCredential tag, and the correct assertion names and tags.
· The mex (metadata exchange) output contains policy allowing CardSpace to authenticate itself using the certificate.
· The token request consumer checks the signature on the included timestamp, since CardSpace does not support using the user certificate to authenticate the HTTPS/SSL transport.
· There are several other fixes.
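The exchange described above (card issued after authentication, the identity selector's signed token request, the STS-signed token, the relying party's own checks) together with the signed-timestamp check from the release notes, as an added Python model that is not Carillon's PHP code. Textbook RSA over a SHA-256 digest stands in for the X.509 certificates and XML signatures a real STS uses, the encryption of the token for the RP is omitted, and the ToySTS class, the demo() function, the example.test URLs and the claim values are all constructed for the illustration.

```python
import hashlib, json, random, secrets

STS_ISSUER = "https://sts.example.test/"  # constructed placeholder, not a real STS
MAX_SKEW = 300        # seconds a request timestamp may differ from the STS clock
TOKEN_LIFETIME = 600  # seconds an issued token stays valid

# ---- toy RSA over a SHA-256 digest: no padding, short keys, demonstration only ----
def _is_probable_prime(n, rounds=16):
    if n < 4:
        return n > 1
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd and full size
        if _is_probable_prime(cand):
            return cand

def gen_keypair(bits=512):
    """(public, private) = ((n, e), (n, d)); stands in for an X.509 key pair."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))

def _digest(obj):
    """Canonical JSON -> SHA-256 -> int; 256 bits, so always below a 512-bit n."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign(priv, obj):
    return pow(_digest(obj), priv[1], priv[0])

def verify(pub, obj, sig):
    return pow(sig, pub[1], pub[0]) == _digest(obj)

class ToySTS:
    """Hypothetical STS: a card once the user has authenticated, a signed token on request."""
    def __init__(self):
        self.pub, self._priv = gen_keypair()
        self.cards = {}  # card_id -> {user_pub, valid_until, claims}

    def issue_card(self, user_pub, claims, now, lifetime=86400):
        card_id = secrets.token_hex(8)
        self.cards[card_id] = {"user_pub": user_pub, "valid_until": now + lifetime,
                               "claims": dict(claims)}
        return card_id

    def request_token(self, req, req_sig, now):
        """Token request consumer. HTTPS did not authenticate the client certificate,
        so the signature over the request (timestamp included) proves key possession."""
        card = self.cards.get(req.get("card_id"))
        if card is None:
            raise ValueError("unknown card")
        if not verify(card["user_pub"], req, req_sig):
            raise ValueError("bad signature on request timestamp")
        if abs(now - req["timestamp"]) > MAX_SKEW:
            raise ValueError("stale request timestamp")  # replayed or old capture
        if now > card["valid_until"]:
            raise ValueError("card authentication no longer valid")
        token = {"issuer": STS_ISSUER, "audience": req["rp"], "issued_at": now,
                 "expires": now + TOKEN_LIFETIME, "claims": card["claims"]}
        return token, sign(self._priv, token)

def rp_access_decision(token, sig, sts_pub, rp_id, now, required_claim):
    """The relying party's checks, in order, before it trusts any claim."""
    if not verify(sts_pub, token, sig):
        return "deny", "token signature invalid"
    if token.get("audience") != rp_id:
        return "deny", "token issued for another relying party"
    if not token["issued_at"] - MAX_SKEW <= now <= token["expires"]:
        return "deny", "token expired or not yet valid"
    name, wanted = required_claim
    if token["claims"].get(name) != wanted:
        return "deny", f"claim {name!r} does not assert {wanted!r}"
    return "allow", "signature, audience, lifetime and claims verified"

def demo(now=1_700_000_000):
    sts, rp = ToySTS(), "https://rp.example.test/"  # constructed RP identifier
    user_pub, user_priv = gen_keypair()  # stands in for the user's X.509 certificate
    card_id = sts.issue_card(user_pub, {"email": "alice@example.test", "role": "staff"}, now)
    req = {"card_id": card_id, "rp": rp, "timestamp": now}
    token, sig = sts.request_token(req, sign(user_priv, req), now + 5)
    return sts, user_priv, req, token, sig, rp_access_decision(token, sig, sts.pub, rp, now + 10, ("role", "staff"))

if __name__ == "__main__":
    print(demo()[-1])
```

Running it prints the happy-path decision ("allow", ...). The order of the RP checks is the point: the signature is verified before any field of the token is read, the audience check stops a token minted for one RP from being accepted at another, and on the STS side the timestamp window is what bounds replay of a captured token request when the TLS layer did not authenticate the client certificate.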