Authenticating users is one of the most difficult challenges for anyone developing a Web site. Not only do you have to solve significant technical issues, but you also have to get users to give you the necessary information to identify and authenticate them. A while ago, Microsoft set out to make it easier for Web developers to authenticate users by creating an online-authentication service. The result of that initiative is Microsoft Passport. In this article, I'll give you some background on Passport, explain how it works, and tell you about some of its important features. I'll also provide some information on Microsoft's new Web services initiative, called HailStorm, and explain how Passport fits in with it.
Technology Toolbox
VB6, Passport SDK 1.4, Internet Information Server 4/5
Microsoft launched Passport in 1999. Originally, the company used Passport to authenticate users on Hotmail and a handful of other Microsoft sites, and it has since extended Passport to the entire family of Microsoft sites. In addition, a number of non-Microsoft sites have implemented Passport. In mid-2001, more than 150 million Passport accounts were active (see the sidebar, "What's New in Passport 2.0?").
Passport allows users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. By implementing the Passport SSI, you won't have to implement your own user-authentication mechanism. Users authenticate with the SSI, which passes their identities to your site securely. Although Passport authenticates users, it doesn't grant or deny access to individual sites. Passport simply tells a participating site who the user is. Each site must implement its own access-control mechanisms based on the user's Passport User ID (PUID).
Along with user authentication, Passport offers two optional services participating sites can implement. The first is Passport Express Purchase (EP), which allows users to maintain a single profile containing information, such as shipping address and credit card number, required when making purchases on e-commerce sites. A participating site can request this information from Passport when the user elects to make a purchase. The second service is Kids Passport, which limits the content children can access on the Web. You can find more about these features on the Passport Web site (see Resources).
A central user database, owned and managed by Microsoft, drives the SSI. As I mentioned, sites implementing the SSI don't actually authenticate users. Instead, the SSI redirects users to a Passport server that authenticates them and sends them back to the calling site. The SSI uses encrypted cookies and query strings to pass information back and forth between the sites.
You implement the SSI using the Passport Manager, a server-side COM object provided by Microsoft. This object checks whether Passport has already authenticated the user for a particular site by looking for an authentication ticket in the user's cookies. If the ticket exists and is "fresh," the site treats the user as authenticated, and can access the user's profile information.
Figure 1. Have Passport, Will Travel.
However, if the ticket either doesn't exist or has expired, the participating site redirects the user to a cobranded Passport sign-in page provided by the Passport server, where he or she enters a sign-in name and password to be authenticated against the Passport user database. Once the Passport site authenticates the user, it writes a pair of encrypted cookies to the user's browser. The Passport site uses these cookies to reauthenticate the user automatically if a participating site later sends him or her back to Passport for authentication. Passport then redirects the user back to the calling site, passing encrypted query string parameters with the user's credentials and profile information. The Passport Manager then parses these parameters and makes them available to the calling site (see Figure 1).
Note that no server-to-server communications take place when a user is authenticated. All communications between the partner site and the Passport site go through the user's browser using cookies, query string parameters, and redirects. You don't need special firewall rules for Passport to work, and Passport works with any browser.
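The browser-mediated exchange described above, as an added example that is not part of the original article and is not code from the Passport SDK: a small Python simulation in which the partner site never contacts the authentication server, the ticket travels only by redirect, query string and cookie, and the partner site's only defence is its own check of the ticket. Everything in it is a constructed assumption: the ticket format (an HMAC-authenticated token standing in for Passport's encrypted ticket), the cookie and parameter names, the shared site key, the user records and the freshness window.

```python
"""Toy model of a browser-mediated single sign-in flow.  Constructed example:
not the Passport SDK; ticket format, cookie names and keys are all assumed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (assumptions): one shared key per partner site and a
# tiny user directory standing in for the central Passport database.
SITE_KEY = b"constructed-partner-site-key"
USER_DB = {"alice@example.test": ("hunter2", "PUID-0001")}  # name -> (password, PUID)
TICKET_COOKIE = "ticket"  # assumed cookie name, not Passport's


def make_ticket(puid: str, issued_at: float, key: bytes) -> str:
    """Issue base64(payload).base64(HMAC): an authenticated token standing in
    for Passport's encrypted ticket."""
    payload = json.dumps({"puid": puid, "t": issued_at}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def read_ticket(ticket: str, key: bytes, time_window: float, now: float):
    """Return the PUID if the ticket is genuine and fresh, else None.  This is
    the check a participating site applies before trusting the user."""
    try:
        p64, m64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:  # covers binascii.Error from malformed base64
        return None
    if not hmac.compare_digest(mac, hmac.new(key, payload, hashlib.sha256).digest()):
        return None  # forged, modified, or issued under a different site key
    data = json.loads(payload)
    if not 0 <= now - data["t"] <= time_window:
        return None  # stale (or from the future): send the user back to sign in
    return data["puid"]


@dataclass
class Response:
    kind: str                       # "redirect" or "page"
    location: str = ""              # redirect target, if any
    puid: str = ""                  # set once the user is authenticated
    set_cookies: dict = field(default_factory=dict)


class PartnerSite:
    """A participating site; it never contacts the sign-in server directly."""

    def __init__(self, url: str, passport_url: str, time_window: float = 3600):
        self.url, self.passport_url, self.time_window = url, passport_url, time_window

    def handle(self, cookies: dict, query: dict, now: float) -> Response:
        # 1. Ticket just returned on the query string: verify it, then keep it as a cookie.
        if "t" in query:
            puid = read_ticket(query["t"], SITE_KEY, self.time_window, now)
            if puid:
                return Response("page", puid=puid, set_cookies={TICKET_COOKIE: query["t"]})
        # 2. Fresh ticket already in the cookie: treat the user as authenticated.
        puid = read_ticket(cookies.get(TICKET_COOKIE, ""), SITE_KEY, self.time_window, now)
        if puid:
            return Response("page", puid=puid)
        # 3. No usable ticket: redirect to the sign-in page, carrying the return URL.
        return Response("redirect", location=self.passport_url + "?" + urlencode({"ru": self.url}))


class PassportServer:
    """Central sign-in server: checks credentials, then redirects back with a ticket."""

    def sign_in(self, query: dict, name: str, password: str, now: float) -> Response:
        record = USER_DB.get(name)
        if record is None or not hmac.compare_digest(record[0], password):
            return Response("page")  # sign-in page shown again; no ticket issued
        ticket = make_ticket(record[1], now, SITE_KEY)
        return Response("redirect", location=query["ru"] + "?" + urlencode({"t": ticket}),
                        set_cookies={"passport_session": ticket})  # the server's own cookie


def _query_of(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def walk_sign_in(site: PartnerSite, passport: PassportServer, name: str, password: str, now: float):
    """Play the browser: follow redirects, one cookie jar per host.  Returns (steps, puid, jars)."""
    jars = {"site": {}, "passport": {}}
    r = site.handle(jars["site"], {}, now)
    steps = [r.kind]
    if r.kind != "redirect":
        return steps, r.puid, jars
    r = passport.sign_in(_query_of(r.location), name, password, now)
    if r.kind != "redirect":
        return steps + ["denied"], "", jars
    jars["passport"].update(r.set_cookies)
    r = site.handle(jars["site"], _query_of(r.location), now)  # ticket arrives on the query string
    jars["site"].update(r.set_cookies)
    return steps + [r.kind], r.puid, jars


if __name__ == "__main__":
    site = PartnerSite("https://partner.example.test/", "https://passport.example.test/login")
    steps, puid, jars = walk_sign_in(site, PassportServer(), "alice@example.test", "hunter2", 1000.0)
    print(steps, puid)                                 # ['redirect', 'page'] PUID-0001
    print(site.handle(jars["site"], {}, 5000.0).kind)  # redirect: ticket older than the window
```

Two checks carry the whole trust decision, because nothing else ever confirms the ticket with the sign-in server: the MAC comparison rejects a ticket that was modified in transit or minted for another site, and the freshness window turns an old ticket, however it was obtained, into a forced trip back to the sign-in page rather than a silent login. A partner site that skipped either check would be accepting whatever the browser presented.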