Implementing .NET Passport Authentication in Web Applications
In this article I am going to explain how you can implement .NET Passport authentication in web applications using ASP.NET. Basically, we are going to see the steps that are required to implement .NET Passport authentication.
.NET Passport
.NET Passport allows users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. By implementing Passport SSI, you do not have to implement your own user-authentication mechanism. Users authenticate with the SSI, which passes their identities to your site securely. Although Passport authenticates users, it does not grant or deny access to individual sites, i.e. .NET Passport does authentication only, not authorization. Passport simply tells a participating site who the user is. Each site must implement its own access-control mechanism based on the user's Passport User ID (PUID).
Here is how .NET Passport authentication works.

First, the user requests a page from the web server. Since the user is not authenticated, the web server redirects the request to a page carrying the Sign-In logo. When the user clicks the Sign-In button, the request goes to the Passport server, which returns the Sign-In page. Once the Sign-In page reaches the browser, the user enters the Passport ID and password. When the credentials are submitted, they are validated at the Passport server. Cookies are then created and the response is sent back to the browser with an encrypted query string, so both the cookies and the query string carry the authentication details. Once the user is authenticated, they are taken to the page that was requested first.
Steps To Implement .NET Passport Authentication
Here are the steps that are required to implement Passport authentication in your system.
1. Download the Microsoft .NET Passport SDK from the Microsoft site and install it on your web server.
2. Register your application in .NET Services Manager. Go to the Service Manager site; this is where you create an application for your website. You will be prompted for contact information and other details, and after that for the application details. The following table describes the mandatory fields that are required for registering your application.
| Field Name | Sample Value | Description |
| Preproduction Application Name | ExtremeExperts | This is how .NET Passport will describe your application. |
| Web Site Title | ExtremeExperts | The common name of your .NET Passport site. This is the name by which we will refer to your site on the .NET Passport pages, including our site directory. |
| Domain Name | ExtremeExperts | This will be the host name your browser will use to browse to your Web site. |
| Default Return URL | http://extremeexperts/login.aspx | The default location to which users will be redirected in the event of an error or when you do not specify a ru parameter. For SCT Matrix, it should point to your Login.asp in the Web general folder. |
| Cobrand Image URL | http://extremeexperts/images/header.jpg | This is an image file that will be displayed above the standard .NET Passport logon prompt when someone logs on from your site. |
| Cobrand Instruction Text | ExtremeExperts Web Site | The instruction text that will appear at the top of the .NET Passport Credential dialog box; it can be viewed in Internet Explorer 6.0 and later. This is a UTF-8 encoded string. |
| Expire Cookie URL | http://extremeexperts/Signout.aspx | The location of the page that will delete all the cookies set by Microsoft® .NET Passport for your site. |
| Logout URL | http://extremeexperts/login.aspx | The location to which we will send your customers if they sign out of .NET Passport by clicking the .NET Passport Sign Out button on your site. |
3. Get the Site ID and application key after registering your application with .NET Services Manager. Return to the .NET My Services Manager "Manage My Applications" page, select the application you just created from the drop-down list box and click Submit. Select the Download a key option and click Continue to download the executable that will install your key on your local machine. Save the file to a secure location on your machine. In my case the file was named partner33943_1.exe. To install the key you must run the application with the /addkey option.
For example: partner33943_1.exe /addkey
After installing the key you need to make the key current. This is done with the /makecurrent option along with a time-out option for any previous keys.
For example: partner33943_1.exe /makecurrent /t 0
The application's key is now installed.
Next, configure your site in the Passport Administration Utility, which comes with the .NET Passport SDK. Then configure the Secure Level in Passport Administration according to the security level of your site: for the basic level configure it as 0; if your site is SSL enabled, configure it as 10.
4. Create a .NET Passport in the pre-production environment. The .NET Passport you created in step 1 was a .NET Passport created in the production environment. The pre-production environment is a completely separate set of accounts. Therefore, to log on to your development site you will need a pre-production account. Development has to happen in this environment only. Once it is done, you have to request a compliance review for your site. The .NET Services compliance team will review your site and verify that you have met all of its functionality, UI, and other requirements. After your site has been approved, you are ready to launch your live site.
Enable Passport Authentication in Web.Config
In ASP.NET, Passport authentication works very similarly to Forms (cookie) authentication. To enable Passport authentication you need to specify it in the authentication section of your web.config file:
<configuration>
  <system.web>
    <!-- Hand unauthenticated requests to Passport; redirectUrl is the page carrying the Sign-In logo -->
    <authentication mode="Passport">
      <passport redirectUrl="login.aspx" />
    </authentication>
    <!-- "?" means anonymous users: nobody gets a page without signing in -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Basically, here you set your application's authentication type to Passport and you do not allow any unauthenticated user to access any page in your website. By doing this, if an unauthenticated user tries to access the website, they will be redirected to the page mentioned in redirectUrl. Once you specify the authentication mode as Passport, the Identity property of the page's User will return a PassportIdentity, which is the managed version of Passport Manager.
Implementing Passport Authentication using ASP.NET
The .NET Framework provides .NET Passport Manager
functionality with two main classes: the
System.Web.Security.PassportAuthenticationModule class and the
System.Web.Security.PassportIdentity class. You can think of the
PassportAuthenticationModule as the inner workings of .NET Passport, about
which you do not need to worry. It is simply a plug-in that allows Microsoft
ASP.NET applications to perform .NET Passport authentication. The
PassportIdentity class is where all the functionality is provided that you will
use in your code. It exposes many of the same methods that were available with
the PassportManager COM object for use in ASP pages, but now it is done
completely in managed code.
Once you have set the authentication mode to Passport, you will be able to access the PassportIdentity class, which is accessed via the IIdentity interface that it implements. You can get an interface pointer to it from the User property of the current ASP.NET page context. The following code is used to get an instance of a PassportIdentity object (the cast only succeeds when the authentication mode is Passport):
Dim Passport As System.Web.Security.PassportIdentity
Passport = DirectCast(Page.User.Identity, System.Web.Security.PassportIdentity)
Now the Passport variable can be used to access the .NET
Passport-specific functionality provided by the PassportIdentity class. One of
the key things you will need to implement when you perform .NET Passport
authentication is the sign-in and sign-out buttons that should be displayed
somewhere in the upper-right portion of your page. The HTML for the images
along with a corresponding hyperlink to the .NET Passport authentication
servers is returned by the LogoTag2 method of the PassportIdentity object. The
following code demonstrates how you might use the LogoTag2 method in an ASP.NET
page (ltlSignin is a Literal control on the page):
' Return URL: send the user back to the current page after sign-in.
Dim strURL As String = Page.Request.Url.ToString()
ltlSignin.Text = Passport.LogoTag2(strURL, 2000, False, Nothing, 1033, _
    Page.Request.IsSecureConnection, Page.Request.ServerVariables("SERVER_NAME"), 0, False)
The first parameter to the LogoTag2 method is the return URL. This
is where the user will be redirected after a successful .NET Passport sign-in.
In most situations the return URL should be the current page so that the user
is returned to where the user was before signing in. You can, however, specify
a different return URL if you prefer, or no URL at all, which tells .NET
Passport Manager to pull the default return URL from the registry that you set
with the Passport Administration utility; if it is not there, the .NET Passport
servers will use the default return URL indicated during the configuration of
your .NET My Services application when you created the site ID. For more details about the other parameters, refer to the SDK documentation.
Your code will probably also want to detect if a user has
signed in or not. The IsAuthenticated property of the PassportIdentity class
can be used to detect a user's sign-in status. Once a user is signed in, the
.NET Passport profile information will be available through the Items
collection. Developers should be aware that most of the profile information is
optional information. So, for instance, if you are accessing the FirstName item
from the profile, it may not exist for all users.
The Passport User ID (PUID) will always be available for a
.NET Passport-authenticated user and is accessible via the Name or HexPUID
properties of the PassportIdentity class. You should use the PUID as the index
for storing user-specific information at your site. For the Favorites Service,
we store the hierarchical favorites list for each user, so we use the PUID as
the user identifier.
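The checks described in the last two paragraphs, put together in one Web Forms code-behind page in VB.NET. This is an added example, not code from the original article or from the Passport SDK; the page class name, the controls ltlSignin and lblGreeting, and the in-memory favorites table are assumptions for illustration. It reads a profile attribute through the Item indexer of PassportIdentity with a fallback for users who never filled it in, HTML-encodes the value before rendering it (profile text is supplied by the user, not by your site), and keys site data on HexPUID rather than on any optional profile field.

```vb
Imports System
Imports System.Collections
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Added example (not the article's code): a Web Forms page that renders the
' sign-in/sign-out logo, detects sign-in state, reads optional profile data
' safely and keys site data on the PUID. Control and class names are assumed.
Public Class DefaultPage
    Inherits Page

    Protected ltlSignin As Literal    ' assumed <asp:Literal id="ltlSignin" runat="server" />
    Protected lblGreeting As Label    ' assumed <asp:Label id="lblGreeting" runat="server" />

    ' Stand-in for the site's own per-user storage (assumption): favorites keyed
    ' by HexPUID, never by a profile field the user may leave empty or change.
    Private Shared favoritesByPuid As New Hashtable()

    ' The current identity as a PassportIdentity, or Nothing if the request was
    ' not authenticated by the Passport module (e.g. web.config mode is wrong).
    Private Function GetPassport() As PassportIdentity
        If TypeOf Page.User.Identity Is PassportIdentity Then
            Return DirectCast(Page.User.Identity, PassportIdentity)
        End If
        Return Nothing
    End Function

    ' Most profile attributes are optional: the Item indexer yields Nothing or
    ' an empty string when the user never filled the attribute in.
    Private Function GetProfileAttribute(ByVal passport As PassportIdentity, _
                                         ByVal attribute As String, _
                                         ByVal fallback As String) As String
        If Not passport.HasProfile Then Return fallback
        Dim value As Object = passport.Item(attribute)
        If value Is Nothing Then Return fallback
        Dim text As String = value.ToString().Trim()
        If text.Length = 0 Then Return fallback
        Return text
    End Function

    ' Returns the favorites list for a PUID, creating it on first use.
    Private Function FavoritesFor(ByVal puid As String) As ArrayList
        SyncLock favoritesByPuid.SyncRoot
            If Not favoritesByPuid.ContainsKey(puid) Then
                favoritesByPuid(puid) = New ArrayList()
            End If
            Return DirectCast(favoritesByPuid(puid), ArrayList)
        End SyncLock
    End Function

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        Dim passport As PassportIdentity = GetPassport()
        If passport Is Nothing Then
            lblGreeting.Text = "Passport authentication is not active for this request."
            Return
        End If

        ' Return URL = this page, so the user comes back here after signing in.
        Dim returnUrl As String = Page.Request.Url.ToString()
        ltlSignin.Text = passport.LogoTag2(returnUrl, 2000, False, Nothing, 1033, _
            Page.Request.IsSecureConnection, _
            Page.Request.ServerVariables("SERVER_NAME"), 0, False)

        If Not passport.IsAuthenticated Then
            lblGreeting.Text = "Please sign in to see your favorites."
            Return
        End If

        ' The PUID is the one attribute guaranteed to be present for a signed-in user.
        Dim puid As String = passport.HexPUID
        Dim favorites As ArrayList = FavoritesFor(puid)

        ' FirstName may be absent; profile text is user-supplied, so encode it on output.
        Dim firstName As String = GetProfileAttribute(passport, "FirstName", "there")
        lblGreeting.Text = "Hello, " & Server.HtmlEncode(firstName) & ". You have " & _
            favorites.Count.ToString() & " favorites."
    End Sub
End Class
```

The TypeOf check in GetPassport is what separates a misconfigured site from an unauthenticated user: with any other authentication mode the cast would throw, whereas a Passport user who has simply not signed in yet still gets a PassportIdentity whose IsAuthenticated is False.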
Signing in and accessing the .NET Passport profile
information is only part of your responsibilities as a .NET Passport site
developer. The other key item you must deal with is signing out. The LogoTag2
method will still handle creating the image and anchor for linking
appropriately to the .NET Passport servers for performing a sign-out, but you
must create a page that will handle the last portion of the sign-out. The .NET
Passport servers will deal with expiring the .NET Passport ticket used for
validating your sign-in, but it is up to the site developer to delete the HTTP
cookies that carry the ticket information. Your sign-out page must also return
an image that can be used to indicate a successful sign-out to the user. The
following code deletes the .NET Passport cookies and returns the appropriate GIF image to complete the sign-out:
<%
    ' Return the sign-out check-mark image, never a cached copy of it.
    Response.ContentType = "image/gif"
    Response.Expires = -1
    Response.AddHeader("P3P", "CP=TST")

    ' Overwrite each Passport cookie with an empty value that expired yesterday,
    ' so the browser discards it even if its clock is slightly behind the server's.
    Dim cookieNames() As String = {"MSPProf", "MSPAuth", "MSPSecAuth", "MSPProfC", "MSPConsent"}
    Dim cookieName As String
    For Each cookieName In cookieNames
        Dim expired As New HttpCookie(cookieName, "")
        expired.Expires = DateTime.Now.AddDays(-1)
        Response.Cookies.Add(expired)
    Next

    ' Stream the image that tells the Passport UI the sign-out completed.
    Response.WriteFile(Server.MapPath("images/signoutcheckmark.gif"))
%>
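The .NET Framework also ships a shared PassportIdentity.SignOut method that logs the member off (deleting the Passport cookies) and streams the sign-out GIF you name. The following code-behind sign-out page is an added example, not code from the original article; it assumes the .NET Framework 1.1 signature SignOut(String), the same images/signoutcheckmark.gif path as above, and that the site keeps per-user state in ASP.NET session, which is abandoned before the Passport cookies go so that nothing tied to the old sign-in survives on the server.

```vb
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI

' Added example (not the article's code): sign-out page built on the
' framework's PassportIdentity.SignOut helper instead of hand-deleting cookies.
Public Class SignoutPage
    Inherits Page

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        ' Tear down server-side state keyed on the PUID first: deleting the Passport
        ' cookies alone leaves the ASP.NET session alive until it times out.
        Session.Abandon()

        ' Same response headers as the hand-written version; the image must not be cached.
        Response.ContentType = "image/gif"
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.AddHeader("P3P", "CP=TST")

        ' Assumed .NET Framework 1.1 signature: expires the Passport cookies and
        ' writes the named GIF to the response.
        PassportIdentity.SignOut(Server.MapPath("images/signoutcheckmark.gif"))

        ' Stop here so the page's own markup is not appended to the image bytes.
        Response.End()
    End Sub
End Class
```

Register this page as the Expire Cookie URL of your application in .NET Services Manager, as the table above describes, so the Passport servers call it when the user signs out elsewhere.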
Conclusion
If you are implementing a site that will eventually go into production, you will need to take special care to follow the UI guidelines indicated in the .NET Passport SDK documentation. This article just gave a basic idea of how to implement Passport authentication in web applications. One more important thing which I did not cover in this article is co-branding. For more details about that, and for any other clarification, refer to the .NET Passport SDK.