This means it should not be trusted, and precautions
should be taken against SQL injection and cross-site scripting
attacks.
The claims values returned can be used in many different ways;
this is both the beauty and the power of the claims-based
model. When a site knows some strongly asserted information
about a subject, it can devise its own rules for how to process
this information. Figure 4-6 shows the claims emailaddress,
givenname, and webpage returned in the token.

The claims sent in the token can be used to transmit any required information.

Figure 4-5 An audience restriction condition added to a SAML assertion

Using CardSpace in the Browser 243
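The following is an added example, not code from the book or from CardSpace itself, showing a relying party consuming the claims from a SAML 1.1 token the way this section describes: it enforces the audience restriction condition of Figure 4-5, pulls out the emailaddress, givenname, webpage and PPID claims, and then applies the precautions the text calls for by never trusting the values, using parameterised SQL when storing them and HTML-escaping them before they go back to a browser. The assertion, the audience URL https://www.example.com/login.aspx, the PPID value and the users table are all constructed for the example, and the token's signature is assumed to have been verified before this step.

```python
# Added example (not from the book): consume claims from a CardSpace SAML 1.1
# token with the audience check and the injection/XSS precautions the text
# recommends. Signature verification is assumed to have happened already.
import html
import sqlite3
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"

# Constructed sample assertion (no signature) restricted to one audience.
# The givenname claim deliberately carries markup to show why output is escaped.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid-constructed-example" Issuer="{SELF_ISSUER}" IssueInstant="2007-01-01T00:00:00Z">
  <saml:Conditions NotBefore="2007-01-01T00:00:00Z" NotOnOrAfter="2007-01-01T00:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://www.example.com/login.aspx</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>constructed-subject</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>YmFzZTY0LXBwaWQtZXhhbXBsZQ==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>&lt;script&gt;alert(1)&lt;/script&gt;</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="webpage" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>https://alice.example.org/</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audience_ok(root, expected_audience):
    """Enforce the AudienceRestrictionCondition (Figure 4-5).

    A token that does not name this site may have been issued for some other
    relying party and replayed here, so require an explicit match."""
    audiences = [a.text.strip() for a in root.findall(f".//{{{SAML_NS}}}Audience") if a.text]
    return expected_audience in audiences


def extract_claims(root):
    """Map AttributeName -> AttributeValue for attributes in the CardSpace claims namespace."""
    claims = {}
    for attr in root.findall(f".//{{{SAML_NS}}}Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        claims[attr.get("AttributeName")] = (value.text or "") if value is not None else ""
    return claims


def make_db():
    """Hypothetical user store for the example (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (ppid TEXT PRIMARY KEY, email TEXT, givenname TEXT, webpage TEXT)")
    return db


def process_token(xml_text, expected_audience, db):
    """Validate the assertion, store the claims safely and build an escaped greeting."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    if not audience_ok(root, expected_audience):
        raise ValueError("token was not issued for this audience")
    claims = extract_claims(root)
    ppid = claims.get("privatepersonalidentifier")
    if not ppid:
        raise ValueError("PPID claim missing; cannot identify the user")
    # Claim values are untrusted input: bind them as SQL parameters, never
    # splice them into the query text.
    db.execute(
        "INSERT OR REPLACE INTO users (ppid, email, givenname, webpage) VALUES (?, ?, ?, ?)",
        (ppid, claims.get("emailaddress", ""), claims.get("givenname", ""), claims.get("webpage", "")),
    )
    # Escape before echoing a claim into HTML so a hostile givenname cannot script the page.
    greeting = "Welcome, " + html.escape(claims.get("givenname", ""))
    return claims, greeting


def token_accepted(xml_text, expected_audience):
    """Convenience wrapper: True if the token passes validation for this audience."""
    try:
        process_token(xml_text, expected_audience, make_db())
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    claims, greeting = process_token(SAMPLE_ASSERTION, "https://www.example.com/login.aspx", make_db())
    print(claims)
    print(greeting)
    print("accepted elsewhere:", token_accepted(SAMPLE_ASSERTION, "https://other.example.net/login"))
```

The audience check is the reason the condition in Figure 4-5 matters: without it, a token that a user legitimately obtained for one site could be presented to another that accepts the same issuer. The stored values stay raw (escaping is an output concern, applied where the claim is rendered), which is why the greeting is escaped but the database row is not.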
Accepting Personal Cards at a Website
To help make the process of accepting a card more concrete, we
elaborate on the simple case of accepting a Personal Card for
logging in to a site. The site logon page would contain a form
that specifies the self-issued URI for the issuer, as well as the
claims that it would like. In this case, the site will simply
request the Private Personal Identifier (PPID) claim: