Passport Authentication


Passport authentication is a centralized, single sign-on authentication service provided by Microsoft. At present a large number of Internet users use Microsoft services such as MSN or Hotmail, and they submit their profiles when registering for those services. The real benefit is that you can use that profile data in your own Web sites if you implement Passport authentication in your site; that is, information about the user is accessible to your application through a profile that is stored with Microsoft. Many companies, such as McAfee.com and eBay, employ Passport authentication in their Web sites. For the user, the benefit of Passport authentication is not having to remember separate usernames and passwords for various Web sites, and being able to keep his or her profile information in a single location. .NET Passport [11] provides users with single sign-in (SSI) and stores the authentication information using encryption technologies such as Secure Sockets Layer (SSL) and the 3DES algorithm for data protection. Figure 9-4 shows the Microsoft .NET Passport home page.

[11] In 1999 Microsoft launched Microsoft .NET Passport, a Service-to-Consumer (S2C) Web-based service.

Figure 9-4. Microsoft .NET Passport home page.


Passport is a Forms-based authentication service. In this mechanism, when a user requests (using an HTTP GET request) a protected resource, ASP.NET verifies whether the user has a valid Passport ticket (form). If not, the user is redirected to the Passport Logon Service, where the user has to submit his or her credentials (email address and password), as shown in Figure 9-5. If the credentials entered are correct, the Passport Logon Service redirects the user back to the protected resource. Otherwise, the user must register his or her profile and is then redirected to the protected resource.

Figure 9-5. .NET Passport Sign In, where the user has to submit email address and password for credential verification.


The PassportAuthenticationModule provides a wrapper around the Passport software development kit (SDK) for ASP.NET applications. It provides the Passport authentication service and profile information through an IIdentity-derived class called PassportIdentity. To employ Passport authentication you have to register your site with the Passport service, accept the license agreement, and install the Passport SDK.

The general procedure to implement Passport authentication in an ASP.NET application is as follows:

  • Register your site with the passport service.

  • Download, install, and configure the Passport SDK from Microsoft Download or from http://www.passport.com. To deploy Passport on a production Web site, you have to register and obtain a production key, for which Microsoft charges a licensing fee. [12] For authentication, the user is directed to the page http://login.passport.com.

    [12] There are two fees for licensing .NET Passport: a periodic compliance testing fee of $1,500 US and a yearly provisioning fee of $10,000 US. The provisioning fee is charged on a per-company basis.

  • While testing your site, you cannot use regular Passport accounts to sign in. Instead, to test against the SDK, you have to create a PREP Passport account and obtain a Preproduction key. [13] The Preproduction (PREP) environment allows sites to verify their development work against .NET Passport servers without access to real-world .NET Passport user identities and profiles. This preproduction registration can be done at http://current-register.passporttest.com. For authentication, the user is redirected to the site http://current-login.passporttest.com (the address of the PREP Login server).

    [13] Do not use your Production password for PREP passwords. The PREP system is a separate test environment containing only test data, so it is best for security purposes to keep your Production password unique to the Production system.

  • Configure the Web.config file as follows (the redirectUrl attribute names the page an unauthenticated user is sent to):

      <authentication mode="Passport">
        <passport redirectUrl="login.aspx" />
      </authentication>

After installing the .NET Passport SDK and configuring the Web.config file, you will be able to access the PassportIdentity class, which is accessed by means of the IIdentity interface that it implements. The following code shows how to get an instance of a PassportIdentity object.

    using System.Web.Security;
    ...
    public class WebForm1 : System.Web.UI.Page
    {
        public PassportIdentity pass;

        private void Page_Load(object sender, System.EventArgs e)
        {
            // With <authentication mode="Passport">, the PassportAuthenticationModule
            // supplies a PassportIdentity as the current identity, so the cast is safe
            // whether or not the user has signed in yet.
            pass = (PassportIdentity)User.Identity;
        }
    }

With the instance of the PassportIdentity object, you can access the .NET Passport-specific functionality provided by the PassportIdentity class.

Let us discuss how to display sign-in and sign-out buttons. Generally, the .NET Passport Sign In or .NET Passport Sign Out button appears in the upper-right corner of the page, and the buttons look like those shown in Figure 9-6.

Figure 9-6. Microsoft .NET Passport Sign In and Sign Out buttons.


The LogoTag2 method of the PassportIdentity object returns an HTML fragment that includes an <img> tag for a Microsoft .NET Passport link. The link displays either Sign In if no valid Ticket cookie is detected or Sign Out if a valid Ticket cookie is detected. The following code illustrates how to use the LogoTag2 method in an ASP.NET page.

    using System.Web.Security;
    ...
    public class WebForm1 : System.Web.UI.Page
    {
        public PassportIdentity pass;

        private void Page_Load(object sender, System.EventArgs e)
        {
            pass = (PassportIdentity)User.Identity;

            // Page the Login server sends the user back to after a successful sign-in.
            string returnURL = "http://phptr/default.aspx";

            // Arguments, in order: return URL, time window in seconds, force login,
            // co-branding arguments, language ID (1033 = U.S. English), served over SSL,
            // namespace (this server's name), Kids Passport flag, secure authentication.
            string logo = pass.LogoTag2(returnURL, 10000, true, null, 1033, false,
                Context.Request.ServerVariables["SERVER_NAME"], 0, false);

            // Emit the <img> link that renders as Sign In or Sign Out.
            Response.Write(logo);
        }
        ...
    }

The syntax for the PassportIdentity.LogoTag2 method is as follows:

    public string LogoTag2(string strReturnUrl, int iTimeWindow, bool fForceLogin,
                           string strCoBrandedArgs, int iLangID, bool fSecure,
                           string strNameSpace, int iKPP, bool bUseSecureAuth);

  • The first parameter of the LogoTag2 method is the [returnURL]. It is an optional value. It sets the URL to which the Login server redirects the user after the .NET Passport sign-in completes successfully. If returnURL is left empty, the registry default is used. Usually, the URL is set to the current page so that the user is redirected back to the page he or she was on before signing in; however, you can set any URL you prefer.

  • The second parameter is [TimeWindow] (optional). Time is represented as an integer value in seconds and indicates the interval within which the user must have last signed in. This value must be between 100 and 1,000,000.

  • The remaining parameters of the LogoTag2 method, [ForceLogin], [coBrandArgs], [lang_id], [bSecure], [NameSpace], [KPP], and [SecureLevel], respectively specify whether the user should be forced to log on, give the URL for a co-branding image, stipulate the language for the .NET Passport sign-in page (for example, U.S. English, EN/US, the default, is 1033), indicate whether the page is being accessed over SSL, supply the domain name for the request, indicate Kids Passport consent requirements, and indicate the security level of the sign-in.

The three security-level options for the .NET Passport sign-in are shown in Table 9-11.

As an alternative to the single sign-in mechanism, you can employ an Inline sign-in mechanism, which allows you to embed the sign-in dialog box directly into a page on your site instead of redirecting the user to a .NET Passport-hosted sign-in page. This Inline sign-in mechanism provides more flexibility. The compact and standard inline sign-in modules are shown in Figure 9-7. You can also employ a mobile sign-in [14] mechanism in mobile devices.

[14] Mobile sign-in provides many features and modifications to support general use of .NET Passport on mobile devices. Users can create a Passport using a phone number and personal identification number (PIN) for use on a mobile device (such as a cell phone or PDA).

Figure 9-7. Compact and standard inline sign-in modules.


Table 9-11. Three Security-Level Options for the .NET Passport Sign-In

SecureLevel value    Description
0 (or unspecified)   Sign-in UI is served over HTTP from the .NET Passport domain authority (default).
10                   Sign-in UI is served over HTTPS from the .NET Passport domain authority. Requires that the return URL be an HTTPS URL; otherwise, the authentication will fail.
100                  Sign-in UI is served over HTTPS from the .NET Passport domain authority, and the sign-in process additionally requires submission of a secure authentication PIN in addition to the password.

The considerable benefit of employing Passport authentication is that, as already mentioned, you can access the Passport user's profile data, such as FirstName and Country, if the user permitted his or her profile data to be used when registering with .NET Passport. The Passport User ID (PUID) of a .NET Passport-authenticated user, however, is always accessible by means of the Name or HexPUID properties of the PassportIdentity class, and you can use the PUID as the index for storing user-specific information at your site. Other useful attribute names that you can access from the profile data are FirstName, LastName, Nickname, Gender, Birthdate, PreferredEmail, TimeZone, Occupation, and Country. The following code illustrates how to access the user profile data.

    private PassportIdentity pi;

    private void Page_Load(object sender, System.EventArgs e)
    {
        pi = (PassportIdentity)User.Identity;

        if (pi.IsAuthenticated)
        {
            // Profile attributes are read through the indexer; the value is empty
            // when the user has not shared that attribute.
            string name = pi["FirstName"];
            if (name == null || name == "")
            {
                Label1.Text = "Warm Welcome!";
            }
            else
            {
                Label1.Text = "Welcome " + name + "!";
            }
        }
        else
        {
            Label1.Text = "Welcome! Please Sign In!";
        }
    }

We first verify whether the user has signed in to .NET Passport by using the IsAuthenticated property, which returns true if the user is authenticated against a Passport authority. Because .NET Passport uses cookies to handle state, you have to create a separate page that takes care of deleting the HTTP cookies that carry the ticket information. Your sign-out page must return an image that can be used to show a successful sign-out to the user. The following code removes the .NET Passport cookies and returns the appropriate GIF image to indicate a successful sign-out.

    <%@ Page language="c#" %>
    <%
        // The sign-out page returns an image, not HTML, so it can be used directly
        // as the target of the Passport sign-out link.
        Response.ContentType = "image/gif";
        Response.Expires = -1;
        // Compact P3P policy header; without it, 6.x browsers ignore the cookie changes.
        Response.AddHeader("P3P", "CP=TST");

        // Delete each .NET Passport cookie by re-issuing it empty with an expiry in the past.
        string[] passportCookies =
            { "MSPProf", "MSPAuth", "MSPSecAuth", "MSPProfC", "MSPConsent" };
        foreach (string cookieName in passportCookies)
        {
            HttpCookie cookie = new HttpCookie(cookieName, "");
            cookie.Expires = DateTime.Now.AddDays(-1);
            Response.Cookies.Add(cookie);
        }

        Response.WriteFile("/images/signout_Clear.gif");
    %>

We clear the five cookies MSPProf, MSPAuth, MSPSecAuth, MSPProfC, and MSPConsent. You have to include a P3P (Platform for Privacy Preferences Project) header for the cookie deletion to take effect in the 6.x generation of Web browsers.

The public instance properties defined in the PassportIdentity class are shown in Table 9-12.

Table 9-12. Public Instance Properties Defined in the PassportIdentity Class

Public Property         Description
Error                   Returns an error state associated with the current Passport ticket.
GetFromNetworkServer    Returns true if a connection is coming back from the Passport server (log-on, update, or registration) and the Passport data contained on the query string is valid. This is vitally important: if it is true, the ticket is on the query string and the application should redirect without the query string to make sure the ticket is not persisted in browser history (important for things like kiosks).
HasSavedPassword        Returns true if the Passport member's ticket indicates that the password was saved on the Passport logon page the last time the ticket was refreshed.
HasTicket               Returns true if there is a Passport ticket as a cookie on the query string.
IsAuthenticated         Returns true if the user is authenticated against a Passport authority.
Item                    The default collection. Calling this is the equivalent of calling GetProfileObject or SetProfileObject.
Name                    The name of the identity. In this case, it is the value of the Passport PUID.
TicketAge               The time, in seconds, since the last ticket was issued or refreshed.
TimeSinceSignIn         The time, in seconds, since the member's logon to the Passport logon server.
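The following page class is an added example, not code from the book or from the Passport SDK. It combines the pieces discussed above: the redirect that GetFromNetworkServer calls for (Table 9-12), a return URL that points back at the current page without its query string, the PUID rather than an editable profile field as the key for user-specific data, and a ticket-freshness check based on TicketAge. It assumes <authentication mode="Passport"> in Web.config, a site registered with the SDK, and the LogoTag2 signature given earlier; the class name HomePage, the controls Greeting and SignInButton, the Session key, and the 900-second freshness limit are assumptions of this example, not values from the page.

```csharp
// Added example (not the book's code): one ASP.NET 1.x page using PassportIdentity.
// Assumes <authentication mode="Passport"> in Web.config and a registered site.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class HomePage : Page
{
    // Seconds within which the user must have signed in; LogoTag2 accepts 100 .. 1,000,000.
    private const int TimeWindowSeconds = 10000;
    private const int LangIdUsEnglish = 1033;
    // Site policy (assumed): tickets older than this are not trusted for sensitive actions.
    private const int MaxTicketAgeForSensitiveActions = 900;

    protected Label Greeting;        // hypothetical control declared in the .aspx markup
    protected Literal SignInButton;  // hypothetical control declared in the .aspx markup

    // Exposed so that sensitive handlers on the page can check freshness, not just IsAuthenticated.
    protected bool TicketIsFresh;

    // Wired automatically when the page has AutoEventWireup="true".
    private void Page_Load(object sender, EventArgs e)
    {
        PassportIdentity pi = User.Identity as PassportIdentity;
        if (pi == null)
        {
            // Only happens when the Passport module is not configured; fail closed.
            Greeting.Text = "Passport authentication is not configured.";
            return;
        }

        // The Login server delivers the ticket on the query string when it sends the
        // user back. Redirect once to the same path without the query string so the
        // ticket does not end up in browser history, bookmarks or proxy logs.
        // The cookies set while processing the ticket travel with this redirect response.
        if (pi.GetFromNetworkServer)
        {
            Response.Redirect(Request.Path);
            return;
        }

        // Return URL: this page, without any query string, on the scheme the user is using.
        string returnUrl = Request.Url.GetLeftPart(UriPartial.Path);
        bool secure = Request.IsSecureConnection;

        // Sign In / Sign Out button. fSecure and bUseSecureAuth follow the connection;
        // an HTTPS sign-in needs an HTTPS return URL, which GetLeftPart guarantees here.
        SignInButton.Text = pi.LogoTag2(
            returnUrl, TimeWindowSeconds, false, null, LangIdUsEnglish,
            secure, Request.ServerVariables["SERVER_NAME"], 0, secure);

        if (!pi.IsAuthenticated)
        {
            TicketIsFresh = false;
            Greeting.Text = "Welcome! Please sign in.";
            return;
        }

        // Key per-user state by the PUID, which is stable and not user-editable;
        // profile fields such as Nickname can be changed by the user at any time.
        Session["PassportUserKey"] = pi.HexPUID;   // hypothetical use of the key

        // Profile values are user-supplied text: encode them before writing into HTML.
        string firstName = pi["FirstName"];
        Greeting.Text = (firstName == null || firstName.Length == 0)
            ? "Warm welcome!"
            : "Welcome, " + HttpUtility.HtmlEncode(firstName) + "!";

        // A valid ticket may be hours old; sensitive actions should require a fresh one.
        TicketIsFresh = pi.TicketAge <= MaxTicketAgeForSensitiveActions;
    }
}
```

The two checks worth carrying into your own pages are the GetFromNetworkServer redirect, which keeps the ticket out of the URL that browsers and proxies record, and HtmlEncode on every profile attribute, since those values are typed in by the user at registration and are not trustworthy markup.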



.NET Security and Cryptography
ISBN: 013100851X
Year: 2003
Pages: 126