Tuesday, 27 December 2011

Implementing .NET Passport Authentication in Web Applications

Implementing .NET Passport Authentication in Web Applications 

In this article, i am going to explain how you can implement .NET Passport Authentication in Web applications using ASP.NET. Basically we are going to see what are steps that are required to implement .NET Passport Authentication.

.NET Passport

    .NET Passport allows users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. By implementing the Passport SSI, you won't have to implement your own user-authentication mechanism. Users authenticate with the SSI, which passes their identities to your site securely. Although Passport authenticates users, it doesn't grant or deny access to individual sites i.e. .NET Passport does only authentication not authroziation . Passport simply tells a participating site who the user is. Each site must implement its own access-control mechanisms based on the user's Passport User ID (PUID). Here is how .NET Passport Authentication works,

    First user requests any page from his web server. Since user is not authenticated, web server redirect its request for authentication with Sign-In logo. When user presses Sign-In button, request will go to Passport server for Sign-In page. Once the Sign-In page comes to browser, user will enter his authentication details like Passport ID and Password. When user credentials are submitted, Credentials are validated in Passport server. Then Cookies are created in server and response is send to the browser with encrypted querystring. Now both cookies and querystring is having details about authentication. Once user is authenticate, he will be taken to page which is requested first.

Steps To Implement .NET Passport Authentication

   Here the steps that are required to implement passport authentication in your system,
1. Download the Microsoft .NET Passport SDK from the following Microsoft Site  and install it in your web server.
2. Register your application in .NET Service Manager. Go to Service Manager Site , this is where you need to create application for your website. You will be prompted for contact information and other details. After that you will be  prompted for Application details. The following table describes about mandatory fields that are required for registering your application.
Field Name
Sample Value
Description
Preproduction Application Name ExtremeExperts This is how .NET Passport will describe your application.
Web Site Title ExtremeExperts The common name of your .NET Passport site. This is the name by which we will refer to your site on the .NET Passport pages, including our site directory.
Domain Name ExtremeExperts This will be the host name your browser will use to browse to your Web site.
Default Return URL http://extremeexperts/login.aspx
The default location to which Users will be redirected in the event of an error or when you do not specify a ru parameter. For SCT Matrix, it should point to your Login.asp in Web general folder
Cobrand Image URL
http://extremeexperts/images/header.jpg This is an image file that will be displayed above the standard .NET Passport logon prompt when someone logs on from your site.
Cobrand Instruction Text
ExtremeExperts Web Site The instruction text that will appear at the top of the .NET Passport Credential dialog box and can be viewed in Internet Explorer 6.0 and later. This is a UTF-8 encoded string.
Expire Cookie URL
http://extremeexperts/Signout.aspx The location of the page that will delete all the cookies set by Microsoft® .NET Passport for your site.
Logout URL http://extremeexperts/login.aspx The location to which we will send your customers if they sign out of .NET Passport by clicking the .NET Passport Sign Out button on your site.

3. Get the SiteID and Application key after registering your application with .NET Services Manager.Return to the .NET My Services Manager "Manage My Applications" page, select the application you just created from the drop-down list box and click Submit. Select the Download a key option and click Continue to download the executable that will install your key on your local machine. Save the file to a secure location on your machine. In my case the file was named partner33943_1.exe. To install the key you must run the application with the /addkey option.
             For example: partner33943_1.exe /addkey
   After installing the key you need to make the key current. This is done with the /makecurrent option along with a time-out option for any previous keys.
            For example: partner33943_1.exe /makecurrent /t 0
   The application's key is now installed. Configure your Site in Passport Administration Utility. This tool came along with .NET Passport SDK. Then configure  Secure Level in Passport Administration depending upon your secure level. If it is basic level, then configure it as 0. If your site is SSL Enabled then configure it as 10.
4. Create a .NET Passport in the pre-production environment. The .NET Passport you created in step 1 was a .NET Passport created in the production environment. The pre-production environment is a completely separate set of accounts. Therefore, to log on to your development site you will need a pre-production account. Development has to happen in this enviornment only. Once it is done then you have request a compliance review for your site. The .NET Services compliance team will review your site and verify that you have met all of its functionality, UI, and other requirements. After your site has been approved, you are ready to launch your live site 

Enable Passport Authentication in Web.Config

   In ASP.NET, Passport Authentication works very similar to Forms(cookies) Authentication. To enable Passport authentication you need to specify it in the authentication section of your web.config file
<configuration>
    <system.web>
          <authentication mode="Passport">
                 <passport redirectUrl="login.aspx" />
           </authentication>
           < authorization>
                  < deny users="?" />
            </authorization>
         </system.web>
</configuration>
  Basically here you need to set your application authentication type to Passport and you are not allowing any unauthenticated users to access any pages in your website. By doing this, if any unauthenticated users try to access this website, he will redirected to the page which is mentioned in redirectUrl. Once you specify authentication as passport, Identity of user property of the page will return PassportIdentity which managed version of Passport Manager.

Implementing Passport Authentication using ASP.NET

    The .NET Framework provides .NET Passport Manager functionality with two main classes: the System.Web.Security.PassportAuthenticationModule class and the System.Web.Security.PassportIdentity class. You can think of the PassportAuthenticationModule as the inner workings of .NET Passport, about which you do not need to worry. It is simply a plug-in that allows Microsoft ASP.NET applications to perform .NET Passport authentication. The PassportIdentity class is where all the functionality is provided that you will use in your code. It exposes many of the same methods that were available with the PassportManager COM object for use in ASP pages, but now it is done completely in managed code.
   Once you have set the authentication mode to Passport, you will be able to access the PassportIdentity class, which is accessed via the IIdentity interface that it implements. You can get an interface pointer to it from the User property of the current ASP.NET page context. The following code is used to get an instance of a PassportIdentity object
Dim Passport as System.Web.Security.PassportIdentity
Passport = Page.User.Identity
 
    Now the Passport variable can be used to access the .NET Passport-specific functionality provided by the PassportIdentity class. One of the key things you will need to implement when you perform .NET Passport authentication is the sign-in and sign-out buttons that should be displayed somewhere in the upper-right portion of your page. The HTML for the images along with a corresponding hyperlink to the .NET Passport authentication servers is returned by the LogoTag method of the PassportIdentity object. The following code demonstrates how you might use the LogoTag method in an ASP.NET page
ltlSignin.Text = Passport.LogoTag(strURL,2000, False, Nothing, 1033, Page.Request.IsSecureConnection, Page.Request.ServerVariables("SERVER_NAME"),0 ,False)
   The first parameter to the LogoTag2 method is the return URL. This is where the user will be redirected after a successful .NET Passport sign-in. In most situations the return URL should be the current page so that the user is returned to where the user was before signing in. You can, however, specify a different return URL if you prefer, or no URL at all, which tells .NET Passport Manager to pull the default return URL from the registry that you set with the Passport Administration utility; if it is not there, the .NET Passport servers will use the default return URL indicated during the configuration of your .NET My Services application when you created the site ID. For more details about other parameters, you can refer SDK Documentation.
    Your code will probably also want to detect if a user has signed in or not. The IsAuthenticated property of the PassportIdentity class can be used to detect a user's sign-in status. Once a user is signed in, the .NET Passport profile information will be available through the Items collection. Developers should be aware that most of the profile information is optional information. So, for instance, if you are accessing the FirstName item from the profile, it may not exist for all users.
    The Passport User ID (PUID) will always be available for a .NET Passport-authenticated user and is accessible via the Name or HexPUID properties of the PassportIdentity class. You should use the PUID as the index for storing user-specific information at your site. For the Favorites Service, we store the hierarchical favorites list for each user, so we use the PUID as the user identifier
    Signing in and accessing the .NET Passport profile information is only part of your responsibilities as a .NET Passport site developer. The other key item you must deal with is signing out. The LogoTag2 method will still handle creating the image and anchor for linking appropriately to the .NET Passport servers for performing a sign-out, but you must create a page that will handle the last portion of the sign-out. The .NET Passport servers will deal with expiring the .NET Passport ticket used for validating your sign-in, but it is up to the site developer to delete the HTTP cookies that carry the ticket information. Your sign-out page must also return an image that can be used to indicate a successful sign-out to the user. The following code deletes the .NET Passport cookies and returns the appropriate GIF image to perform a successful sign-out
<%
        Response.ContentType = "image/gif"
        Response.Expires = -1
        Response.AddHeader("P3P", "CP=TST") 
        Dim Cookie1 As New HttpCookie("MSPProf","") 
        Cookie1.Expires = Now()
        Response.Cookies.Add(Cookie1) 
        Dim Cookie2 as New HttpCookie("MSPAuth","") 
        Cookie2.Expires = Now()
        Response.Cookies.Add(Cookie2) 
        Dim Cookie3 as New HttpCookie("MSPSecAuth","") 
        Cookie3.Expires = Now()
        Response.Cookies.Add(Cookie3) 
        Dim Cookie4 as New HttpCookie("MSPProfC","") 
        Cookie4.Expires = Now()
        Response.Cookies.Add(Cookie4) 
        Dim Cookie5 as New HttpCookie("MSPConsent","") 
        Cookie5.Expires = Now()
        Response.Cookies.Add(Cookie5)
        Response.WriteFile("images/signoutcheckmark.gif") %>

Conclusion

     If you are implementing a site that will eventually go into production, you will need to take special care to follow the UI guidelines indicated in the .NET Passport SDK documentation. This article just gave an basic idea about how to implement Passport Authentication in Web applications. There is one more important thing which i didnt cover in this article is Co-branding stuff. For more details about that and for any other clarification refer .NET Passport SDK

No comments:

Post a Comment