One of the toughest challenges faced by online retailers is the safe transmission of credit card, private, and financial data on the Web. Although establishing customer trust is the number one priority, this task is made difficult by a lack of standardized tools and methodologies.

Microsoft decided to tackle this problem by developing Passport. Microsoft Passport is a collection of authentication services designed to facilitate access and transmission of secure data. These services allow you to implement single sign-in (SSI), a process in which the user has to log on once using a username and password to have access to a host of Passport-enabled Web sites and services. All Passport authentication is done through Microsoft’s own servers.

Passport has had its share of problems in the past. Shortly after the service launched, a number of cross-site scripting vulnerabilities were found, including ones that allowed intrusions into Hotmail accounts. On top of that, Microsoft discontinued its Passport Wallet and .NET Passport Express Purchase Service after numerous problems were found.

In spite of this, Passport is maturing as a technology and has the support of many large online companies, including Hotmail, eBay, NASDAQ, Starbucks, and a host of other sites. You can view a complete list here.

This article will outline how you can add the Passport functionality in your ASP.NET applications using the Microsoft Passport SDK.

Setting up Passport
To integrate Passport in your application, you must undertake three steps:

  1. Install the Passport Software Developer Kit (SDK) on your development machine.
  2. Create an application in the .NET Services Manager.
  3. Add Passport code to your ASP.NET application.

Install the Passport SDK
You can download the SDK at no cost here. The latest version of the .NET Passport SDK requires Microsoft Windows 2000 Server or Windows .NET Server. For development purposes, the SDK will also function on Windows XP Professional and Windows 2000 Professional. If you are running a system with NT 4.0, you should use the Passport SDK Version 1.4.

Once you install the SDK, the Passport Manager Administration Utility will allow you to make changes to your Passport environment, such as configuring language settings and forcing the user to log in within a predetermined span of time. Note that you must have the .NET Framework installed on your development machine before you can use the SDK. You can download the .NET Framework here.

Create an application in the .NET Services Manager
Now you must submit your application information to Microsoft using the Microsoft .NET Services Manager. This allows your ASP.NET application to access the Microsoft Passport servers.

You can set up your development Passport application at no cost, and the registration process is fairly straightforward. You will need to enter the particulars regarding your application server and cobranding details. The processing of your application may take up to two days.

At the end of the process, you will obtain a Site ID and a Passport encryption key for your Web site. All you have to do is run the Passport Manager Administration utility to set the correct Site ID by clicking Start | Programs | Microsoft Passport | Passport Management Administration.

To obtain the key, select the Download A Key option in .NET Services Manager. This will download an .exe file called Partner###_#.exe (where the series of #s corresponds to your Site ID). Then, run the following two commands, with these options, on the server:
Partner###_#.exe /addkey
Partner###_#.exe /makecurrent /t 0

Just reboot your server, and you’ll have completed the installation and configuration of Passport on your test development machine.

Unfortunately, you can’t use a standard Microsoft Passport to test your Preproduction (PREP) Passport Web site. You must create a specific PREP Passport to make it work. You can register for an account on the .NET Passport PREP Registration server by filling out this form.

If you installed the Passport SDK on Windows XP, you will have to modify the registry before you can access your ASP.NET application. The built-in Passport support in XP will otherwise prevent you from authenticating against the PREP servers instead of the standard production servers. The registry modification details can be found in the SDK documentation.

If you are planning to roll out a production version of your ASP.NET application (which will essentially make it accessible to all Passport users), you’ll have to sign a three-year nonexclusive .NET service agreement. Microsoft has imposed steep licensing fees to deploy this service on a production system: $1,500 USD for testing the compliance of your application on a periodic basis and a $10,000 USD per year fee for provisioning costs (access to Passport logon servers, etc.).

Add Passport code to your ASP.NET application
Passport uses SSL, XML, forms, and cookies as the basis of the authentication service. You should have a basic knowledge of these standard Web technologies before attempting to create Passport-based applications. In terms of browser support, Passport can handle Navigator/Communicator 4.08 through 4.8. Microsoft .NET Passport does not officially support Netscape 6.0 and 6.1.

To develop a Passport-enabled application, you can choose from many development languages, including C#, VBScript, and C++. The API for each of these languages is covered in depth in the Passport SDK.

Two security concepts are in use in the configuration of Passport: authentication and authorization. Authentication is the process in which a user must enter credentials (username and password) to establish identity. Authorization is the process in which authenticated users are either allowed or disallowed access to resources and files.

First, you need to define which resources a Passport-authenticated user can access. In the directory containing your protected content, you must specify the authentication and authorization settings in the Web.config file, as shown in Listing A.

This code defines the following:

  • Passport is the authentication mode.
  • All unauthenticated users should be redirected to loginpage.aspx.
  • All users are authorized to access loginpage.aspx. (The asterisk [*] signifies “all users.”)
  • Once a user has been authenticated, the location of the protected content is protectedcontent.aspx.
  • Unknown and unauthenticated users are denied access to the protectedcontent.aspx page. (The question mark signifies “unauthenticated users.”)
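The following Web.config is an added example written to match the five points above; it is not Listing A from the original article, and the page names loginpage.aspx and protectedcontent.aspx are taken from the text. Note that ASP.NET evaluates authorization rules top-down and stops at the first match, so the deny rule for anonymous users must come before the allow rule.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Passport is the authentication mode; requests from unauthenticated
         users are redirected to loginpage.aspx -->
    <authentication mode="Passport">
      <passport redirectUrl="loginpage.aspx" />
    </authentication>
  </system.web>

  <!-- The login page must stay reachable by everyone ("*"), otherwise
       no user could ever reach the Passport sign-in link -->
  <location path="loginpage.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Protected content: deny anonymous users ("?") first, then allow the
       rest. Reversing these two lines would let anonymous users through,
       because the first matching rule wins -->
  <location path="protectedcontent.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A `<location>` element protects only the page it names; to protect a whole directory, place the `<authorization>` section in that directory's own Web.config, as the article describes.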

In VBScript, you can instantiate the Passport object. For example:

To check whether a user has logged in to Passport, you can use an IF statement:
If objPassManager.IsAuthenticated Then
    ' The user holds a valid Passport ticket: render the protected content here
End If

To add in a link to the login page, enter this code:

This will generate the image and link shown in Figure A.

Figure A
Passport image

Easy to integrate Passport
Although we’ve provided only a simplified overview of the code and objects available in Passport, it should help you get started. For the complete API, you can refer to the Passport SDK.

With minimal code, you can integrate Passport into your application. If you work for a midsize to large organization, you can roll out Passport to provide millions of users—including those with Hotmail accounts—with secure access to your site. To find out more about the Passport service, be sure to check out the .NET Passport review guide.