Passport Authentication Provider
Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. This benefits the user because it is no longer necessary to log on to access new protected resources or sites. If you want your site to be compatible with Passport authentication and authorization, this is the provider you should use. This topic provides some introductory material about Microsoft .NET Passport and the ASP.NET support for it. For more information, see the Passport documentation located at http://www.passport.com/business. In order to access the documentation, you must get a Passport and register.
Passport is a cookies-based authentication service. A sample transaction conversation using Passport authentication might look similar to the following:
- A client issues an HTTP GET request for a protected resource, such as http://www.contoso.com/default.aspx.
- The client's cookies are examined for an existing Passport authentication ticket. If the site finds valid credentials, the site authenticates the client. If the request does not include a valid authentication ticket, the server returns status code 302 and redirects the client to the Passport Logon Service. The response includes a URL in the query string that is sent to the Passport logon service to direct the client back to the original site.
- The client follows the redirect, issues an HTTP GET request to the Passport logon server, and transmits the query string information from the original site.
- The Passport logon server presents the client with a logon form.
- The client fills out the form and does a POST back to the logon server, using Secure Sockets Layer (SSL).
- The logon server authenticates the user and redirects the client back to the original URL (http://www.contoso.com/default.aspx). The response contains an encrypted Passport cookie in the query string.
- The client follows the redirect and requests the original protected resource again, this time with the Passport cookie.
- Back on the originating server, the PassportAuthenticationModule detects the presence of the Passport cookie and tests for authentication. If successful, the request is then authenticated.
Subsequent requests for protected resources at the site are authenticated at the originating server using the supplied ticket. Passport also makes provisions for ticket expiration and reusing tickets on other member sites.
Passport uses the Triple DES encryption scheme. When member sites register with Passport, they are granted a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query strings passed between sites.
Note To use Passport authentication, you must register your site with the Passport service, accept the license agreement, and install the .NET Passport SDK prior to use.
The ASP.NET PassportAuthenticationModule provides a wrapper around the .NET Passport SDK for ASP.NET applications, and provides Passport authentication services and profile information from an IIdentity-derived class called PassportIdentity.
As is the case with WindowsIdentity, the primary purpose of handling the PassportAuthentication_OnAuthenticate event is to attach a custom IPrincipal object to the context. A special IIdentity-derived class called PassportIdentity provides an interface to the Passport profile information and methods to encrypt and decrypt Passport authentication tickets.
To implement Passport authentication in an ASP.NET application
- Download, install, and configure the .NET Passport SDK from http://www.passport.com/business. You must complete a registration form to obtain the SDK. Windows Server 2003 includes the .NET Passport SDK and does not require this step.
- Set up Passport as the authentication mode in the application configuration file as follows.
<authentication mode= "Passport"/>
- Using the Passport documentation and the .NET Passport SDK functionality, implement Passport authentication and authorization.
For a code example of an ASP.NET page using Passport authentication, see the article Creating a Microsoft .NET Passport-Authenticated Web Site with ASP.NET at http://msdn.microsoft.com/library.