Passport Authentication Provider

  • Article

Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. Passport benefits users because they do not need to log on to new limited-access resources or sites. If you want your site to be compatible with Passport authentication and authorization, this is the provider you should use. This topic provides some introductory material about Microsoft .NET Passport and the ASP.NET support for it. For more information, see the .NET Passport Web site. In order to access the documentation, you must get a Passport and register.

Passport is a cookie-based authentication service. A sample transaction conversation using Passport authentication works like the following:

  1. A client issues an HTTP GET request for a protected resource, such as https://www.contoso.com/default.aspx.

  2. The client's cookies are examined for an existing Passport authentication ticket. If the site finds valid credentials, the site authenticates the client. If the request does not include a valid authentication ticket, the server returns status code 302 and redirects the client to the Passport Logon Service. The response includes a URL in the query string that is sent to the Passport logon service to direct the client back to the original site.

  3. The client follows the redirect, issues an HTTP GET request to the Passport logon server, and transmits the query string information from the original site.

  4. The Passport logon server presents the client with a logon form.

  5. The client fills out the form and does a POST back to the logon server, using Secure Sockets Layer (SSL).

  6. The logon server authenticates the user and redirects the client back to the original URL (https://www.contoso.com/default.aspx). The response contains an encrypted Passport cookie in the query string.

  7. The client follows the redirect and requests the original protected resource again, this time with the Passport cookie.

  8. On the originating server, the PassportAuthenticationModule detects the presence of the Passport cookie and tests for authentication. If successful, the request is then authenticated.

Subsequent requests for limited-access resources at the site are authenticated using the supplied ticket. Passport also makes provisions for ticket expiration and reusing tickets on other member sites.

Passport uses the Triple DES encryption scheme. When member sites register with Passport, they are granted a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query strings passed between sites.

NoteNote

To use Passport authentication, you must register your site with the Passport service, accept the license agreement, and install the .NET Passport SDK prior to use. For more information on setting up an ASP.NET application to use Passport authentication, see the .NET Passport Service Guide Kit Web site.

See Also

Tasks

How to: Implement Passport Authentication in ASP.NET Applications

Reference

IIdentity
PassportAuthenticationModule
PassportIdentity

Other Resources

ASP.NET Web Application Security
ASP.NET Authentication