Chapter 21: ATL Server and Passport .NET

Using Passport

If you ve ever visited a Passport-enabled site such as Hotmail (http://www.hotmail.com) or MSN (http://www.msn.com), you ll notice the same Sign In button. Clicking that button will take you to a page or dialog box that prompts you for your user name and password. If you successfully authenticated with Passport, the site will typically display content tailored to your profile. For example, once you sign in with MSN, the news and weather displayed are tailored to suit the geographic information stored in your Passport profile.

This functionality is simple, but quite powerful and convenient . Using Passport gives your users a consistent and familiar user interface that they can use to authenticate themselves. Because Passport identities aren t restricted to individual applications, your users have to maintain only one set of credentials that they can use for any Passport-enabled application.

How to implement this scenario is what we focus on in this chapter. On your own time, you should explore the other services that Passport offers, such as the sign-in service that restricts content for underage users. The scenario that we describe requires the interaction of the following pieces of technology:

• Your Web application.

• Passport Manager running on your application.

• The Passport server hosted by Microsoft (sometimes this is also referred to as a Passport environment ).

• The application your user is using to access your Web application. This is usually a Web browser, but some applications, such as instant messaging clients , may use Passport as well.

To develop with Passport, you ll need to download and install the Passport SDK. This SDK is available from http://www.passport.com/business. You ll also need to configure your Visual C++ .NET project to reference the passport.h and passport.lib files that this SDK installs . Installing the Passport SDK will install Passport Manager.

Passport Manager is the entity that allows you to interact with the Passport servers hosted by Microsoft. For example, your Web application will prompt a user for his or her username and password. Passport Manager will send a remote request with this information to the Passport server that it has been configured to use with this information.

Microsoft hosts test Passport servers as well as production Passport servers. During your development, you have to configure your Passport Manager to use a test Passport server. Once your development and testing is done, you can reconfigure your Passport Manager to target the production Passport server. This all sounds much more complicated than it is; the technical aspect of reconfiguring your Passport Manager to use a production Passport server is really just a matter of changing a URL. The Passport SDK ships with a convenient tool that you can use to visually configure your Passport Manager. On the nontechnical side, there s an application process that you have to work through in order to be allowed to use the production Passport servers. At the time of this writing, there s a subscription fee that you have to pay in order to use the production Passport servers. The Passport SDK documentation and Web site (http://www.passport.com) do an excellent job of explaining the technical and nontechnical steps that you should follow as your application moves from the test environment to the production environment. The SDK documentation and Web site will offer the most up-to-date information in these areas.

If the information that your user entered is valid, the Passport server will return a security token to your Passport Manager. This security token indicates that your user has been successfully authenticated, and the token will expire after a specified amount of time. Passport Manager sends this token to your client as a cookie. The client application, usually a Web browser, is expected to persist this cookie. When the client makes another request to your application, this cookie will be sent as part of the request. The Passport Manager on your server will read the value of this cookie and determine if it s still a valid security token for this user. If the token is valid, then your Web application can use Passport Manager to retrieve information about this user and display content specific to your user, as we discussed earlier. Otherwise, your application can prompt your user to reenter his or her credentials. All of the communication between the client, Passport Manager, and Passport server is done using secure HTTP.

Passport is an evolving technology, so you should always consult the latest documentation and/or Web site to get the most up-to-date information. That said, what we ve described so far in this section is a high-level description of how Passport works and it probably won t change for some time.

From the development point of view, all of the network communication that goes on between these pieces is transparent. Passport Manager is exposed as a set of COM interfaces that you can use, so you re isolated from the fact that it s making network requests to remote Passport servers. Passport Manager also makes the way it processes information from your client s cookies transparent.

Now that you have an understanding of how Passport works, you ll take a look in the next section at how you can implement the scenario described earlier.