DigitalMe is a set of components that enable users and applications to interact with InfoCard-compatible services and websites. In a typical use case, a user wants to complete some type of transaction with a relying party site. This usually requires the exchange of identity information such as the user's given name, surname, street address, and e-mail address.
By using an InfoCard-aware web browser (such as Firefox with the DigitalMe extension installed), a user can easily provide the required information by selecting an appropriate InfoCard from the set of cards that they own. The flow of data in this case would be:
· A user visits a web site that supports InfoCard-compatible tokens.
· By clicking on a link or button, an identity selector interface appears and presents a list of cards that satisfy the policy of the web site.
· A card is selected by the user.
· Credentials needed to access the IDP (e.g., an LDAP directory or something similar) are requested by the identity selector.
· The credentials and required claims are bundled into a request that is signed and sent to the STS.
· The STS extracts information from the token request, authenticates the user via the IDP, and retrieves the requested claim values. The response is bundled into a message that is signed by the STS and returned to the identity selector.
· The identity selector passes the token returned by the STS to the relying party site.
· The relying party site verifies that the token is issued by a trusted STS and that the token is valid (signature is good, token hasn't expired, etc.).
· Claim values are extracted from the token by the relying party and are used to complete the transaction.
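As an added illustration of the last steps of this flow (example code written for this description, not DigitalMe's own implementation): a minimal Python model in which the STS bundles claims into a signed token and the relying party checks issuer trust, signature, expiry and audience before it extracts any claim values. It assumes an HMAC-SHA256 shared secret as a stand-in for the X.509 signature a real STS applies to its tokens, and the issuer, site and claim names are constructed.

```python
import hmac
import hashlib
import json
import time

# Constructed trust list: STS issuer name -> verification key. A real relying
# party would hold the STS's X.509 certificate; a shared secret keeps this
# example self-contained.
TRUSTED_STS = {"https://sts.example.test": b"constructed-shared-secret"}


def sts_issue_token(issuer, key, audience, claims, ttl=300, now=None):
    """STS side: bundle the requested claim values into a token addressed to
    one relying party, then sign the whole payload."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "audience": audience,
            "expires": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + sig


def rp_verify_token(token, expected_audience, now=None):
    """Relying party side: return (True, claims) only if the token was issued
    by a trusted STS, its signature is good, it has not expired and it was
    issued for this site; otherwise (False, reason) and no claims are used."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition(b".")
    body = json.loads(payload)
    key = TRUSTED_STS.get(body.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    # Constant-time compare; nothing else in the body is trusted until the
    # signature over it has been checked.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if body["expires"] <= now:
        return False, "token expired"
    if body["audience"] != expected_audience:
        return False, "token issued for another relying party"
    return True, body["claims"]
```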
This technology provides the following benefits:
· Relying party sites do not need to store sensitive identity information.
· Users are put in control of their own identity information and can choose who they trust to store their sensitive data.
· Rather than updating dozens of accounts whenever some piece of identity information changes (such as a phone number), users can update their information at one IDP site (or a small number of them).
· Identity providers can implement strict identity verification policies. This allows relying parties to have a high degree of confidence that the identity information being used in a transaction is complete and accurate.
· Users can interact with sites without ever disclosing their identity. For example, an STS can issue a token asserting that a user's age is greater than some required value without disclosing anything else about the user. Because of the trust relationship the relying party has with the STS, it can be sure that the assertion is true.