Passport SSI
by earl, 8260 days ago
As Microsoft's Passport Site requires a Passport to be useful, I've extracted some information regarding Single-Sign-In for my own reference and to satisfy my 'how does Microsoft do it' curiosity.


"The primary goals of a Web site implementing the Microsoft® Passport single sign-in (SSI) service can be summarized as follows:

  1. "Determine whether the user is already signed in.

  2. "If not signed in, direct the user to the Passport Login server. The user must sign in (either silently or manually) and will be redirected back to the site that sent the user to the Passport Login server.

  3. "After the user is signed in, identify that user based on the contents of their Passport profile."

"All of these goals are accomplished by including the Passport Manager object as a server-side object on any page where Passport authentication will be used."

-- Complete Passport Manager API

The methods that actually implement the SSI functionality are the ones listed below. To retrieve a user's profile after a successful sign-in, two more Passport Manager parts are needed (the HasProfile method and the Profile property; browse through the link given above).

IsAuthenticated
"Detects the presence of a valid Passport Ticket cookie in the caller's domain or a fresh Ticket on the query string. If the Ticket is present and the parameters are satisfied, then this method returns True. If the Ticket is not present or the parameters are not satisfied, then this method returns False."

bool IsAuthenticated( [int TimeWindow], [bool ForceLogin], [bool CheckSecure] )


TimeWindow: Optional. A time given as an integer value (VT_I4) in seconds. This specifies the interval during which users must have last signed in within the calling domain. This time checks either time since manual or silent sign-in, as specified by ForceLogin below. The value entered for TimeWindow must be greater than 100 and less than 1000000.


ForceLogin: Optional. A Boolean value (should be VT_BOOL). If set to True, then users must also have given their passwords on the Login server's Sign In page within the TimeWindow interval. If set to False, then they may silently refresh as long as they have received valid Tickets within the TimeWindow interval.


CheckSecure: Optional. Not used right now (up to Passport 1.4).

"Returns True if users have been signed in to the calling domain within the time specified by TimeWindow. If ForceLogin was set to True, then users must also have given their passwords at the Login server within the time specified by TimeWindow. All other cases return False."

-- Reference page for IsAuthenticated

LoginUser

"Logs the user on, either by outputting a 302 redirect URL, or initiating a Passport-aware client authentication exchange. This method supports Passport-aware client applications and the credentials manager as used in Microsoft Windows XP operating system.

"In the former case, the Passport user's client is determined to not be inherently Passport-aware, and all authorization interactions default to the mechanisms used in previous Passport releases. This method writes a 302 redirect into the HTTP response sent to the user in the page where LoginUser is invoked. All other elements of the response will thus be flushed. The 302 redirect points the user to the Passport Login server. After authentication, the user will again be redirected back to the return URL specified in LoginUser method parameters.

"In the latter case, authorization is handled through exchange of information in a series of HTTP challenges and responses, authentication credentials are potentially storable by the client, and the client can present its global authentication UI instead of displaying the HTML page used for Passport UI in default browser clients."

-- Reference page for LoginUser

LogoTag2
"Returns an HTML snippet which includes an IMG tag for a Passport link. The link displays either Sign In if no valid Ticket cookie is detected, or Sign Out if a valid Ticket cookie is detected. Can also contact Update server if Profile cookie information has been changed locally. Each IMG source includes an associated HREF to sign in, refresh credentials, or sign out as appropriate."

LogoTag2 is the variant of the logo method that does not implement the Kids Passport service. It essentially takes LoginUser's parameters and passes them through to LoginUser.

-- Reference page for LogoTag2
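As an added illustration, not code from this page or from Microsoft's Passport Manager, here is a small Python model of the three calls quoted above (IsAuthenticated with its TimeWindow/ForceLogin semantics, LoginUser's 302 redirect, and LogoTag2's Sign In / Sign Out link) wired into the three-step page flow described at the top. The Ticket encoding, the site key, the cookie name (MSPAuth), the query-string parameter (t), the Login server URL and the redirect parameter names (ru, tw, fs) are all assumptions made for the demo; the real Passport ticket format is not described on the page. The one security point the model makes explicit is that the Ticket's timestamps are only trusted after a MAC check, so a tampered cookie counts as no Ticket at all.

```python
import base64
import binascii
import hashlib
import hmac
import html
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed values for this demo. The real Passport site key, ticket format,
# cookie name and Login server URL are not on the page and are not reproduced.
SITE_KEY = b"constructed-demo-site-key"
LOGIN_SERVER = "https://login.passport.invalid/login.srf"   # placeholder host
TICKET_COOKIE = "MSPAuth"        # assumed cookie name
TICKET_QUERY_PARAM = "t"         # assumed name of the fresh-Ticket query parameter


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(member_id: str, now: int, manual: bool,
                 previous: Optional[dict] = None) -> str:
    """Mint a MAC-protected Ticket recording the last sign-in of any kind ("ts")
    and the last time a password was typed at the Login server ("pw").
    A silent refresh carries the earlier password time forward."""
    last_password = now if manual or previous is None else previous["pw"]
    body = json.dumps({"id": member_id, "ts": now, "pw": last_password}).encode()
    mac = hmac.new(SITE_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def parse_ticket(token: str) -> Optional[dict]:
    """Return the Ticket fields only if the MAC verifies. A Ticket whose
    timestamps cannot be authenticated counts as no Ticket at all."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body, mac = _unb64(body_b64), _unb64(mac_b64)
        expected = hmac.new(SITE_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(body)
    except (ValueError, binascii.Error, TypeError):
        return None


class PassportManager:
    """Server-side object modelling the three SSI calls quoted on the page."""

    def __init__(self, cookies: dict, query: dict, now: Optional[int] = None):
        self.now = int(time.time()) if now is None else now
        # A fresh Ticket on the query string (just back from the Login server)
        # takes precedence over the cookie copy.
        token = query.get(TICKET_QUERY_PARAM) or cookies.get(TICKET_COOKIE)
        self.ticket = parse_ticket(token) if token else None

    def is_authenticated(self, time_window: Optional[int] = None,
                         force_login: bool = False,
                         check_secure: bool = False) -> bool:
        # CheckSecure is accepted but unused, as on the page (up to Passport 1.4).
        if time_window is not None and not 100 < time_window < 1000000:
            raise ValueError("TimeWindow must be greater than 100 and less than 1000000")
        if self.ticket is None:
            return False
        if time_window is None:
            return True
        # ForceLogin moves the reference point from the last sign-in of any
        # kind to the last time the password was entered at the Login server.
        reference = self.ticket["pw"] if force_login else self.ticket["ts"]
        return self.now - reference <= time_window

    def login_user(self, return_url: str, time_window: Optional[int] = None,
                   force_login: bool = False) -> Tuple[int, dict]:
        """Emit the 302 to the Login server; the rest of the page is discarded.
        Parameter names ru/tw/fs are assumptions for the demo."""
        params = {"ru": return_url}
        if time_window is not None:
            params["tw"] = time_window
        if force_login:
            params["fs"] = 1
        return 302, {"Location": LOGIN_SERVER + "?" + urlencode(params)}

    def logo_tag2(self, return_url: str) -> str:
        """IMG link reading Sign In without a Ticket and Sign Out with one."""
        if self.ticket is None:
            href, label = self.login_user(return_url)[1]["Location"], "Sign In"
        else:
            href = LOGIN_SERVER.replace("login.srf", "logout.srf") + "?" + urlencode({"ru": return_url})
            label = "Sign Out"
        return '<a href="%s"><img alt="%s" src="/passport/%s.gif"></a>' % (
            html.escape(href, quote=True), label, label.replace(" ", "").lower())


def handle_page_request(cookies: dict, query: dict, now: int,
                        return_url: str) -> Tuple[int, dict]:
    """The three goals in order: detect the sign-in, redirect if absent or
    stale, then identify the member from the authenticated Ticket."""
    pm = PassportManager(cookies, query, now)
    if not pm.is_authenticated(time_window=3600):
        return pm.login_user(return_url, time_window=3600)
    return 200, {"member_id": pm.ticket["id"]}
```

The two timestamps in the Ticket are what make ForceLogin meaningful: a silent refresh updates "ts" but not "pw", so a site that asks for ForceLogin=True with a short TimeWindow is refused until the user has typed the password again, exactly the distinction the TimeWindow and ForceLogin remarks draw.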

most content Copyright (C) 1999-2001 Microsoft Corporation (this includes all quoted parts as well as the remarks to IsAuthenticated)