I2 LiveID Login with openinfocard

From OSIS Open Source Identity Systems


I have an account and had an information card associated with it. So I removed that card. Next I tried to associate a new card "I2" with my account; this failed.

The assertion sent was:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="uuid-89008961-25C7-ED5C-951B-96C643DC0C76" Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" IssueInstant="2007-10-23T07:55:06Z"><saml:Conditions NotBefore="2007-10-23T07:50:06Z" NotOnOrAfter="2007-10-23T08:05:06Z"><saml:AudienceRestrictionCondition><saml:Audience>https://login.live.com/beta/ManageCards.srf?wa=wsignin1.0&wreply=http://www.live.com&vv=500&lc=1033&bk=1193126091</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>RjdSV1htTjVqT0hnV0l3Vk05Mm9KZnF3MTZjRVdIRUVqYnhIYjZkR3BDWT0=</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><dsig:Reference URI="#uuid-89008961-25C7-ED5C-951B-96C643DC0C76"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
/><dsig:DigestValue>jWw4rd0jidTDW7gP9WS/AaOgKLs=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>XkwmJR+ZTfUCZ5U4ztnYOX8MRzDBMi2tfkMiXnoimAuk/ENZSLVWyeihnUzWI2MPcLg8XLVMcG2Ec+BrKZTR2022S9cM7Wp9KA7j/Fy5vJrc4EU/XNOHwW08596omm0xCBpp9ngdcRCCU2R2KFR3OQUC+sVCpDSnpwUR185L5t7rD84ewH8x3vq6K6uoKpWz2GolP8oVOMrPzwNJrXBslX48aXJGHuD3lgZ5ctT/tXsGH7RBLDjplWY0lk9ZndcVcBWRaq2VtnR0MFdi+z346gG+KdX+9uK7/PUl0FBNnOsRoLS/yzHwbzO5DdwXGE/3uzuT9La0NS5nxLZfDpXwWg==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>rS5LhtKz1OVRfRfoy6BNYZfR+NXKG2bLf4KUB5wcw2J3EH5ZoRp0d7BPqRNteZbnkUvXNv6DXst0fpnt+KfqDj9IgHJOA3CuyxdZntyWLz5fI7tcBdzgIKQCXQK3y0PqH2/XJj50yAV+YtmRsC435wFglw/oZmzodZTEH/AVoi6jf7OM8b2OYl3Is/z/q4E0FdrXg74OqAOWGvL3+ZwsJcD42yos4uz+L0RTcAbQ4kZ8Fqw+sfCshfexcqQiI7RKuA/wCzOflOzXl7Bg6gf61stPspJ/sk1HrxJmzTMIliBz2/ulfTP51e7FlZPIsxRl02QMYpezIzNQS2gDcg54Ww==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></saml:Assertion>

Here is the same assertion, reformatted for readability:

<saml:Assertion
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 MajorVersion="1" MinorVersion="1" AssertionID="uuid-89008961-25C7-ED5C-951B-96C643DC0C76"
 Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
 IssueInstant="2007-10-23T07:55:06Z">
 <saml:Conditions NotBefore="2007-10-23T07:50:06Z" NotOnOrAfter="2007-10-23T08:05:06Z">
  <saml:AudienceRestrictionCondition>
   <saml:Audience>
    https://login.live.com/beta/ManageCards.srf?wa=wsignin1.0&wreply=http://www.live.com&vv=500&lc=1033&bk=1193126091
   </saml:Audience>
  </saml:AudienceRestrictionCondition>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Subject>
   <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Attribute
   AttributeName="privatepersonalidentifier"
   AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
   <saml:AttributeValue>RjdSV1htTjVqT0hnV0l3Vk05Mm9KZnF3MTZjRVdIRUVqYnhIYjZkR3BDWT0=</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
 <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
   <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
   <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
   <dsig:Reference URI="#uuid-89008961-25C7-ED5C-951B-96C643DC0C76">
    <dsig:Transforms>
     <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <dsig:DigestValue>jWw4rd0jidTDW7gP9WS/AaOgKLs=</dsig:DigestValue>
   </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>XkwmJR+ZTfUCZ5U4ztnYOX8MRzDBMi2tfkMiXnoimAuk/ENZSLVWyeihnUzWI2MPcLg8XLVMcG2Ec+BrKZTR2022S9cM7Wp9KA7j/Fy5vJrc4EU/XNOHwW08596omm0xCBpp9ngdcRCCU2R2KFR3OQUC+sVCpDSnpwUR185L5t7rD84ewH8x3vq6K6uoKpWz2GolP8oVOMrPzwNJrXBslX48aXJGHuD3lgZ5ctT/tXsGH7RBLDjplWY0lk9ZndcVcBWRaq2VtnR0MFdi+z346gG+KdX+9uK7/PUl0FBNnOsRoLS/yzHwbzO5DdwXGE/3uzuT9La0NS5nxLZfDpXwWg==</dsig:SignatureValue>
  <dsig:KeyInfo>
   <dsig:KeyValue>
    <dsig:RSAKeyValue>
     <dsig:Modulus>rS5LhtKz1OVRfRfoy6BNYZfR+NXKG2bLf4KUB5wcw2J3EH5ZoRp0d7BPqRNteZbnkUvXNv6DXst0fpnt+KfqDj9IgHJOA3CuyxdZntyWLz5fI7tcBdzgIKQCXQK3y0PqH2/XJj50yAV+YtmRsC435wFglw/oZmzodZTEH/AVoi6jf7OM8b2OYl3Is/z/q4E0FdrXg74OqAOWGvL3+ZwsJcD42yos4uz+L0RTcAbQ4kZ8Fqw+sfCshfexcqQiI7RKuA/wCzOflOzXl7Bg6gf61stPspJ/sk1HrxJmzTMIliBz2/ulfTP51e7FlZPIsxRl02QMYpezIzNQS2gDcg54Ww==</dsig:Modulus>
     <dsig:Exponent>AQAB</dsig:Exponent>
    </dsig:RSAKeyValue>
   </dsig:KeyValue>
  </dsig:KeyInfo>
 </dsig:Signature>
</saml:Assertion>
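As an added example, not code from this page or from openinfocard: the checks a relying party should run on an assertion like the one above before verifying the XML signature (issuer, validity window, audience, bearer confirmation, Reference-to-AssertionID binding, an algorithm allow-list, and a well-formed PPID claim), using only the Python standard library. The sample assertion is constructed after the one above with a hypothetical audience and AssertionID and placeholder digest and signature values; exclusive-C14N signature verification itself needs a library and is not shown.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
S, D = "{urn:oasis:names:tc:SAML:1.0:assertion}", "{http://www.w3.org/2000/09/xmldsig#}"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
EXPECTED = {"CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",  # allow-listed algorithms
            "SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
            "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1"}
# Constructed sample modelled on the assertion above: hypothetical audience and AssertionID, placeholder digest/signature.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="uuid-TEST-1"
 Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" IssueInstant="2007-10-23T07:55:06Z">
<saml:Conditions NotBefore="2007-10-23T07:50:06Z" NotOnOrAfter="2007-10-23T08:05:06Z"><saml:AudienceRestrictionCondition>
<saml:Audience>https://rp.example/login?wa=wsignin1.0&amp;wreply=https://rp.example/</saml:Audience></saml:AudienceRestrictionCondition>
</saml:Conditions><saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>RjdSV1htTjVqT0hnV0l3Vk05Mm9KZnF3MTZjRVdIRUVqYnhIYjZkR3BDWT0=</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#uuid-TEST-1"><dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>AAAA</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>AAAA</dsig:SignatureValue></dsig:Signature></saml:Assertion>"""

def parse_ts(s):  # SAML 1.1 timestamps in this assertion are UTC with a trailing Z
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_assertion(xml_text, my_audience, now):
    """Checks a relying party runs before (not instead of) verifying the signature; [] means all passed."""
    a, bad = ET.fromstring(xml_text), []
    if a.get("Issuer") != SELF_ISSUER:
        bad.append("issuer is not the self-issued identity provider")
    cond = a.find(S + "Conditions")
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        bad.append("outside validity window")
    if my_audience not in [(x.text or "").strip() for x in a.iter(S + "Audience")]:
        bad.append("audience restriction does not name this relying party")
    if [(m.text or "").strip() for m in a.iter(S + "ConfirmationMethod")] != [BEARER]:
        bad.append("subject confirmation is not bearer")
    ref = a.find(f"{D}Signature/{D}SignedInfo/{D}Reference")  # the enveloped signature must cover this very assertion
    if ref is None or ref.get("URI") != "#" + a.get("AssertionID", ""):
        bad.append("signature Reference does not point at this AssertionID")
    for tag, alg in EXPECTED.items():  # compare against the allow-list, never trust what the message names
        if next((e.get("Algorithm") for e in a.iter(D + tag)), None) != alg:
            bad.append(f"unexpected or missing {tag}")
    ppid = [(v.text or "").strip() for t in a.iter(S + "Attribute")
            if t.get("AttributeName") == "privatepersonalidentifier" for v in t.iter(S + "AttributeValue")]
    try:
        ok = len(ppid) == 1 and len(base64.b64decode(ppid[0], validate=True)) >= 16
    except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
        ok = False
    if not ok:
        bad.append("PPID claim missing, duplicated or not valid base64")
    return bad
```

The AttributeValue taken from this page decodes to F7RWXmN5jOHgWIwVM92oJfqw16cEWHEEjbxHb6dGpCY=, itself base64 of a 32-byte value, so the PPID in this assertion is base64-encoded twice, which matters when comparing it against a stored PPID.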

Tested by Axel Nennker with