Processing the Token

The token string is an XML Encryption <EncryptedData> element. It is encrypted with the public key of the site's SSL certificate, so the code that decrypts it must have access to the matching private key. Specifically, the ASP.NET account needs permission to read that private key from the certificate store.

The code to decrypt the token is lengthy and a topic in itself, so I'll let you look at the code sample for those details. After the token is decrypted, you'll find that you are working with a SAML token that contains a set of claims. The claims are exactly those you requested, as shown in Example B-1 and Example B-2. In this example, the claims include a private personal identifier (PPID) and an email address, but the CardSpace specification defines the complete list of valid claims, and that list can be extended for managed cards.

Once you have decrypted the token and verified that it includes the claims you requested, it is time to authenticate.
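The step between decryption and authentication is checking the plaintext SAML assertion before trusting any claim in it. The following is an added illustration in Python (not the book's C# sample and not CardSpace's own code): it assumes the decrypted token is a SAML 1.1 assertion whose attributes carry the standard identity-claims namespace, and it checks the validity window, the intended audience, and that every claim you requested is actually present. The assertion text, the assertion ID and the PPID value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample: the SAML 1.1 assertion as it looks once the <EncryptedData> wrapper has been removed.
DECRYPTED_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  AssertionID="uuid:placeholder-assertion-id" IssueInstant="2024-01-01T12:00:00Z"
  Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://www.example.com/</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>cGxhY2Vob2xkZXItcHBpZA==</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def extract_claims(token_xml):
    """Return {claim URI: value} for every Attribute in the assertion (URI = namespace + "/" + name)."""
    root = ET.fromstring(token_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        claims[uri] = (value.text or "").strip() if value is not None else ""
    return claims

def verify_token(token_xml, required_claims, audience, now):
    """Check validity window, audience and presence of every requested claim; return (ok, reason)."""
    cond = ET.fromstring(token_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "no Conditions element"
    if not (parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))):
        return False, "token outside validity window"
    if audience not in [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]:
        return False, "audience mismatch"
    claims = extract_claims(token_xml)
    missing = [c for c in required_claims if not claims.get(c)]
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    return True, "ok"
```

Only after verify_token returns ok should the PPID be looked up against your user store; a token that is expired, addressed to another site, or short on claims is rejected before any account is touched.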
