
Using the Passport Authentication Provider

Passport authentication is a service supported by Microsoft that provides a centralized authentication service for single sign-on and core profile services. Using Passport authentication is not mandatory, but the benefits of using such a service become apparent when you look at the number of Internet users handled by Microsoft Hotmail or the MSN service. These users already have profiles established as part of those services, and you can use this data for your own public Web sites. Additionally, it simplifies the user's experience with your site: they do not need to go through a second registration process, but instead use an existing profile. Should a new visitor not have a Passport profile, the service provides methods to register the user for a new Passport user ID.

The PassportAuthenticationModule provider supplies a wrapper around the Passport Software Development Kit (SDK) for ASP.NET applications. It requires installation of the Passport SDK and provides Passport authentication services and profile information from an IIdentity-derived class called PassportIdentity. This provides an interface to the Passport profile information as well as methods to encrypt and decrypt Passport authentication tickets.

The general process for implementing Passport authentication in an ASP.NET application is as follows:

1. Establish a PREP Passport Account. In order to test the SDK, you will need to create a PREP Passport account, which is effectively a test account for development purposes. This can be done at https://current-register.passporttest.com/

2. Download, install, and configure the Passport SDK. It can be found at http://www.passport.com/devinfo/Start_Goals.asp. When installing, be sure to select the installation options for Development/Testing unless you are planning on implementing a production environment. This option installs a sample application, AdventureWorks, that utilizes the Passport authentication scheme. However, this version uses classic ASP rather than the ASP.NET Passport approach.

3. Create a new PREP Site ID by following the instructions at http://siteservices.passport.com/

4. Create a virtual directory on your default Web site to store the Web.config and login.aspx files discussed below.

5. Make sure that your site has access to the Internet. The Passport test service operates by using the public site http://current-login.passporttest.com.

6. Create a Web.config file and configure Passport as the authentication mode, as shown in the following example.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <authentication mode="Passport">
          <passport redirectUrl="login.aspx" />
        </authentication>
        <authorization>
          <!-- "?" denies only anonymous (unauthenticated) users. "*" would deny
               everyone, including users who already hold a valid Passport ticket,
               so authenticated visitors could never reach the site. -->
          <deny users="?" />
        </authorization>
        <sessionState mode="InProc" cookieless="false" timeout="20" />
      </system.web>
    </configuration>

7. Next, you will need to create a basic login.aspx file, which the user is sent to by default when they first request a file from your site, as shown in the following example:

    <%@ Page Language="vb" %>
    <%@ Import Namespace="System.Web" %>
    <%@ Import Namespace="System.Web.SessionState" %>
    <%@ Import Namespace="System.Web.Security" %>
    <%@ Import Namespace="System.Web.HttpUtility" %>
    <SCRIPT LANGUAGE="VB" RUNAT="SERVER">
    Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs)
        Dim oPassport As Web.Security.PassportIdentity
        Dim sReturnURL As String
        Dim sLogoURL As String
        Dim sAuthURL As String

        'Create a new PassportIdentity object (it reads the ticket on the current request)
        oPassport = New Web.Security.PassportIdentity

        'Dynamically generate the ReturnURL as this page
        sReturnURL = Server.UrlEncode("http://" & Request.ServerVariables("SERVER_NAME") _
            & Request.ServerVariables("SCRIPT_NAME"))

        'Establish the PassportIdentity.LogoURL
        'Arguments: returnUrl, timeToLive (seconds), forceLogin, coBrandArgs,
        'langId (1033 = US English), isSecure, namespace, kidFlag, useSecureAuth
        sLogoURL = oPassport.LogoTag2(sReturnURL, 3600, True, Nothing, 1033, True, _
            Nothing, Nothing, True)

        'Determine the user's authenticated status
        If oPassport.IsAuthenticated Then
            Response.Write("<H3>You are Authenticated, Click Below To SignOut. " & _
                "Note that unless you have a valid Passport Contract with Microsoft, " & _
                "SignOut functionality may not work properly.</H3>")
        Else
            Response.Write("<H3>You are Not Authenticated, Click Below To Login.</H3>")
        End If

        'Dynamically display the appropriate Passport Login or Logout logo
        Response.Write(sLogoURL)
    End Sub
    </SCRIPT>
    <HTML>
    <BODY>
    </BODY>
    </HTML>

In this example, we are using PassportIdentity to do all of the authentication labor. First we create a variable, sReturnURL, which holds the URL that Passport should redirect the user to after a successful login or logout. We then use sReturnURL to create the string variable sLogoURL using the PassportIdentity.LogoTag2() method, which dynamically returns a login or logout graphic depending on the status of the user's session.

To determine whether a user is in fact already authenticated, we use the PassportIdentity.IsAuthenticated property, which returns True if the user is authenticated and False otherwise. Depending on the user's state, we display a message indicating whether they are logged on. If they are logged in, the Passport service automatically creates the Passport sign-out hyperlink; otherwise we insert the string of HTML stored in sLogoURL, creating a dynamic hyperlink to the Passport sign-in page.
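The login page above only asks whether a ticket exists. For a page that performs a sensitive action, a practitioner would also want to know how fresh the ticket is. The following is an added example, not code from the original text: a hypothetical sensitive.aspx that uses PassportIdentity.GetIsAuthenticated with a short time window and, if the ticket is too old, sends the user back through Passport with forceLogin set. The argument order of AuthUrl2 and the meaning of the third GetIsAuthenticated argument are taken from the .NET Framework 1.x PassportIdentity class as I recall it and should be treated as assumptions to verify against your SDK version.

```vb
<%@ Page Language="vb" %>
<%@ Import Namespace="System.Web.Security" %>
<SCRIPT LANGUAGE="VB" RUNAT="SERVER">
' Added example (not from the original page). Policy value is an assumption:
' a ticket older than this many seconds is not accepted for a sensitive action.
Const MAX_TICKET_AGE_SECONDS As Integer = 300

Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs)
    Dim sReturnURL As String
    sReturnURL = Server.UrlEncode("http://" & Request.ServerVariables("SERVER_NAME") _
        & Request.ServerVariables("SCRIPT_NAME"))

    ' With authentication mode="Passport", the PassportAuthenticationModule
    ' places a PassportIdentity on Context.User; reuse it rather than re-parsing.
    If Not (TypeOf Context.User.Identity Is PassportIdentity) Then
        Response.Write("<H3>Passport authentication is not configured for this site.</H3>")
        Exit Sub
    End If
    Dim oPassport As PassportIdentity = CType(Context.User.Identity, PassportIdentity)

    ' GetIsAuthenticated(timeWindow, forceLogin, checkSecure): with forceLogin=True
    ' the ticket must have been issued (not merely refreshed) within timeWindow
    ' seconds. checkSecure is passed through to the Passport Manager; its effect
    ' depends on the installed SDK (assumption). A stale ticket fails the check.
    If oPassport.GetIsAuthenticated(MAX_TICKET_AGE_SECONDS, True, True) Then
        Response.Write("<H3>Ticket issued within the last " & MAX_TICKET_AGE_SECONDS & _
            " seconds; sensitive action permitted.</H3>")
    Else
        ' Ticket missing or too old: redirect to the Passport sign-in with
        ' forceLogin=True so a fresh ticket is issued, then return to this page.
        ' Assumed AuthUrl2 order: returnUrl, timeWindow, forceLogin, coBrandArgs,
        ' langId, namespace, kidFlag, useSecureAuth.
        Response.Redirect(oPassport.AuthUrl2(sReturnURL, MAX_TICKET_AGE_SECONDS, True, _
            Nothing, 1033, Nothing, 0, True))
    End If
End Sub
</SCRIPT>
<HTML>
<BODY>
</BODY>
</HTML>
```

The same Web.config shown in step 6 applies; this page simply tightens the freshness requirement beyond what the authorization section can express.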

Review

In this session, we reviewed how to handle simple forms-based authentication, as well as how to implement basic Passport authentication. The forms-based examples show how to use a database to look up a user’s credentials. The passport example shows how to use a Web service to validate authentication. You should continue exploring authorization and impersonation to add further granular security capabilities to your end solution.

Quiz Yourself

1. What security and privacy issues are associated with using Passport authentication? (See “Introducing the Key Security Mechanisms.”)

2. Provide an example Web.config file that only allows POST requests from the user John in domain corporate. (See "Web.config and Security.")

3. What alternatives are there to using a database to look up user credentials? (See “New Tricks for Forms-based Authentication.”)

Session Checklist