Passport Authentication

Passport authentication is a centralized authentication service run by Microsoft. Passport authenticates users once, on Microsoft's servers, on behalf of every site that participates in the initiative: the user signs in a single time and, if authenticated, can move freely among all the member sites without signing in again. In addition to the single sign-in service, Passport also offers core profile services to member sites.

ASP.NET provides the PassportAuthenticationModule to set up authentication for Web applications hosted by Passport member sites.

Understanding the Passport Initiative

In a certain sense, Passport authentication is the Web-wide counterpart of Integrated Windows authentication or SQL Server Mixed mode: in each case, a security or identity token issued by one party is accepted by the participating entities in a way that is transparent to the user and improves her experience. Code running in a member Web application relies on the Passport single sign-in service to obtain information about the user making the request. As mentioned, all this happens transparently for the user, who signs in once and then jumps from one site to the next until she signs out.

The Passport profile information for each user is tightly protected and managed according to a strict privacy policy. Each participating site guarantees that personal customer information is kept in a secure environment and implements security measures such as using SSL and deleting, at sign-out, any cookies that contain Personally Identifiable Information (PII).

The .NET Passport SDK is required to implement .NET Passport single sign-in and the other profile-related services on your Web site. The SDK is freely available for development and testing purposes. To run a Passport-enabled Web site in production, however, you must submit an official request, adhere to the Passport software licensing and service agreements, and commit to complying with Passport's privacy and security standards. Only then are you issued the encryption keys and other start-up elements needed to move the Web site into a production environment.

ASP.NET has built-in support for Passport, which saves you from having to code against the Passport SDK directly to activate the authentication service and implement single sign-in.

The Passport Authentication Provider

In the .NET Framework, the PassportAuthenticationModule class carries out Passport authentication. It is enabled by the following setting in the application's configuration file (web.config):

    <configuration>
        <system.web>
            <authentication mode="Passport" />
        </system.web>
    </configuration>

When an HTTP request hits a Passport-enabled Web site, the HTTP module checks whether the request carries a valid Passport ticket. If it does not, the Web server returns status code 302 and redirects the client to the Passport logon service; the redirect's query string carries encrypted information about the original request, so that the user can be sent back to it later. The client issues a GET request to the logon server, passing along that query string, and the logon server responds with an HTML logon form. After the user fills out the form, it is posted back to the logon server over an SSL-secured channel.

The logon server uses the posted form data to authenticate the user and, if successful, creates a Passport ticket. It then redirects the user to the original URL, passing the ticket, encrypted, in the query string. Finally, the browser follows the redirect and requests the original Passport-protected resource again. This time the request contains a valid ticket, so the PassportAuthenticationModule lets it through.

Passport encrypts tickets with the Triple DES algorithm, and each member site receives its own encryption key upon registration. In ASP.NET, an identity recognized by Passport is represented by a PassportIdentity object, whose methods and properties expose the Passport ticket and the key operations, such as sign-in and sign-out. The Passport server controls the lifetime of the ticket and decides when it expires and whether it may be reused on other member sites.
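The redirect round trip described in the two preceding paragraphs, together with the ticket-lifetime and per-site-key points made just above, is easy to lose track of in prose. The following is an added example, not code from this book or from Microsoft's Passport SDK: it models the three parties (browser, member site module, central logon server) as plain Python functions so the whole exchange can be stepped through offline. Where the real service used Triple DES-encrypted tickets and keys issued by Passport, this stand-in signs a JSON payload with a per-site HMAC-SHA256 secret and does not encrypt the return URL; the logon URL, key values, user store, `TICKET_TTL` and all class and function names are constructed assumptions.

```python
"""Simplified model of the Passport sign-in round trip (added example, not the book's code).

Assumptions: tickets are HMAC-signed JSON rather than Triple DES-encrypted blobs,
the return URL travels in clear text, and the logon service and user store are
in-process stand-ins for the real Passport servers.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

LOGON_URL = "https://login.example.test/login"   # stands in for the Passport logon service
TICKET_TTL = 3600                                 # assumed validity window of a ticket, in seconds


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LogonServer:
    """Central logon service: holds each member site's key and authenticates users."""

    def __init__(self, site_keys: dict, users: dict):
        self.site_keys = site_keys   # site host -> secret issued at registration (constructed)
        self.users = users           # constructed credential store: login -> password

    def mint_ticket(self, site: str, puid: str, now: float) -> str:
        # The ticket is bound to one site and stamped with its issue time so the
        # member site can enforce the validity window and refuse cross-site reuse.
        payload = json.dumps({"site": site, "puid": puid, "iat": int(now)}).encode()
        mac = hmac.new(self.site_keys[site], payload, hashlib.sha256).digest()
        return _b64e(payload) + "." + _b64e(mac)

    def handle_logon_post(self, form: dict, now: float):
        """Check the posted credentials; on success redirect back to the return URL with a ticket."""
        ret = urlsplit(form["ru"])
        site = ret.netloc
        if site not in self.site_keys or self.users.get(form["login"]) != form["pwd"]:
            return 401, None
        ticket = self.mint_ticket(site, "puid-" + form["login"], now)
        query = parse_qs(ret.query)
        query["t"] = [ticket]
        return 302, urlunsplit(ret._replace(query=urlencode(query, doseq=True)))


class PassportModule:
    """Per-site HTTP module: lets a request through on a valid ticket, else redirects to logon."""

    def __init__(self, site: str, site_key: bytes):
        self.site = site
        self.site_key = site_key

    def validate_ticket(self, ticket: str, now: float):
        """Return the user id carried by a valid ticket, or None for a bad, foreign or stale one."""
        try:
            payload_b64, mac_b64 = ticket.split(".")
            payload = _b64d(payload_b64)
            expected = hmac.new(self.site_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(mac_b64)):
                return None
            claims = json.loads(payload)
        except ValueError:          # malformed base64, JSON, or missing separator
            return None
        if not isinstance(claims, dict) or claims.get("site") != self.site:
            return None
        issued = claims.get("iat")
        if not isinstance(issued, (int, float)) or not 0 <= now - issued <= TICKET_TTL:
            return None
        return claims.get("puid")

    def handle(self, url: str, now: float):
        """Return (302, logon redirect) without a valid ticket, or (200, user id) with one."""
        ticket = parse_qs(urlsplit(url).query).get("t", [None])[0]
        puid = self.validate_ticket(ticket, now) if ticket else None
        if puid is None:
            # Original request travels in the query string so the user can be sent back to it.
            return 302, LOGON_URL + "?" + urlencode({"ru": url, "id": self.site})
        return 200, puid


def sign_in_round_trip(site: str, now: float):
    """Drive the browser through the full exchange and return a trace of each hop."""
    site_keys = {site: b"key-issued-to-" + site.encode()}                  # constructed
    logon = LogonServer(site_keys, {"alice@example.test": "correct horse"})  # constructed
    module = PassportModule(site, site_keys[site])
    original = f"https://{site}/members/profile.aspx?view=full"

    trace = []
    status, location = module.handle(original, now)          # 1. no ticket: 302 to logon service
    trace.append(("site", status, location))
    return_url = parse_qs(urlsplit(location).query)["ru"][0]
    form = {"ru": return_url, "login": "alice@example.test", "pwd": "correct horse"}
    status, location = logon.handle_logon_post(form, now)    # 2. form posted (over SSL in reality)
    trace.append(("logon", status, location))                #    ticket minted, 302 back to site
    status, puid = module.handle(location, now)              # 3. ticket present and valid: 200
    trace.append(("site", status, puid))
    return trace


if __name__ == "__main__":
    for hop in sign_in_round_trip("www.member-site.test", 1_000_000.0):
        print(hop)
```

The checks in `validate_ticket` are the ones a member site cares about even though the real decisions were made centrally: the MAC is compared in constant time, a ticket minted for one site is rejected by another, and a ticket older than `TICKET_TTL` (or one stamped in the future) sends the user back through the logon service instead of being honoured.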

Note 

The Passport SDK version 2.1 can be downloaded from the Microsoft Web site at http://www.microsoft.com/net/services/passport/ . Older versions are supported but not recommended. Note that Windows XP supports only Passport 2.0 and newer versions.