7.2 Passport infrastructure

Before diving into the nuts and bolts of how Passport works, we need a clear view of the Passport infrastructure. The Passport infrastructure components can be classified into three categories: the Microsoft Passport Nexus servers, the Passport domain authority servers, and the Web servers of the participating Web sites (as illustrated in Figure 7.1). The infrastructure servers a Passport user deals with are the domain authorities and participating Web sites.

• Participating Web site is a site that provides its users with the possibility to log on using Passport SSO. The owners of the site have installed some Passport-specific code on the Web server (including the Passport Manager COM object) and have signed an agreement with Microsoft or one of the Passport domain authorities to join the Passport SSO network. Examples of participating Passport sites are MoneyCentral, Starbucks, eBay, and ActiveState. An up-to-date list of participating Passport Web sites can be found at http://www.passport.com/directory. This directory only lists those participating sites which have chosen to be listed.

• A domain authority server is a trusted third party that owns a Passport domain and acts as a Passport authentication authority for that domain. Examples are the domain authority servers for the msn.com, hotmail.com, and passport.com domains. Until now, all domain authorities were run by Microsoft or by business entities that are very closely related to Microsoft. Every domain authority manages a domain authority database that contains a secured copy of the users’ Passport credentials and profile information.

  
  Figure 7.1: Passport infrastructure.

• The Microsoft Passport Nexus servers make up the core of the Passport system. They provide configuration information to all other servers in the Passport Infrastructure, which includes things like the Passport user profile schema and the cryptographic keys used to secure certain Passport cookies.