asp.net.ph


The Passport Authentication Provider



Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. This benefits the user because it is no longer necessary to log on to access new protected resources or sites. If you want your site to be compatible with Passport authentication and authorization, this is the provider you should use. This document provides some introductory material about Microsoft Passport and the ASP.NET support for it. For more information, see the Passport documentation. In order to access the documentation, you must get a passport and register.

Passport is a forms-based authentication service. A sample conversation using Passport authentication might look similar to the following:

  1. A client issues an HTTP GET request for a protected resource, such as http://www.contoso.com/default.aspx.
  2. The request does not contain a valid Passport ticket (form), so the server returns 302 and redirects the client to the Passport Logon Service, passing encrypted parameters about the original request on the query string.
  3. The client follows the redirect and issues an HTTP GET request to the logon server with the supplied query string.
  4. The Passport logon server presents the client with a logon form.
  5. The client fills out the form and does a POST back to the logon server, using Secure Sockets Layer (SSL).
  6. The logon server authenticates the user and redirects back to the original URI (http://www.contoso.com/default.aspx) with the authentication ticket encrypted in the query string.
  7. The client follows the redirect and requests the original protected resource again with the ticket encrypted on the query string.
  8. Back on the originating server, the PassportAuthenticationModule detects the absence of the form and the presence of the ticket on the query string and issues the authentication form. The request is then authenticated.

Subsequent requests for protected resources at the site are authenticated at the originating server using the supplied ticket. Passport also makes provisions for ticket expiration and reusing tickets on other member sites.

Passport uses the Triple DES encryption scheme. When member sites register with Passport, they are granted a site-specific key. The Passport logon server uses this to encrypt and decrypt the query strings passed between sites.

NOTE: To use Passport authentication you must register your site with the Passport service, accept the license agreement, and install the Passport SDK prior to use.

The PassportAuthenticationModule provides a wrapper around the Passport SDK for ASP.NET applications and provides Passport authentication services and profile information from an IIdentity-derived class called PassportIdentity.

As is the case with WindowsIdentity, the primary purpose of handling the PassportAuthentication_OnAuthenticate event is to attach a custom IPrincipal object to the context. A special IIdentity-derived class called PassportIdentity provides an interface to the Passport profile information and methods to encrypt and decrypt Passport authentication tickets.
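
The handler described above could look like the following sketch for Global.asax.cs. It is an added example, not code from the original page or the Passport SDK. The role table RolesByPuid, its sample PUID, and the one-hour MaxTicketAgeSeconds policy are hypothetical values constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical local role store keyed by Passport unique ID (constructed sample data).
    private static readonly Dictionary<string, string[]> RolesByPuid =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "0003BFFD00000001", new[] { "Members", "Editors" } }
        };

    // Assumed site policy: only honor tickets issued within the last hour.
    private const int MaxTicketAgeSeconds = 3600;

    // Raised by PassportAuthenticationModule for each request it processes.
    protected void PassportAuthentication_OnAuthenticate(
        object sender, PassportAuthenticationEventArgs e)
    {
        PassportIdentity id = e.Identity;

        // Check the ticket against the site's own time window
        // (forceLogin = false, checkSecure = false).
        if (id == null || !id.GetIsAuthenticated(MaxTicketAgeSeconds, false, false))
        {
            // Attach an explicitly anonymous principal so a stale or missing
            // ticket carries no identity and no roles into authorization.
            e.User = new GenericPrincipal(
                new GenericIdentity(string.Empty), new string[0]);
            return;
        }

        // Passport vouches for who the user is; what they may do is a local decision.
        string[] roles;
        if (!RolesByPuid.TryGetValue(id.HexPUID, out roles))
        {
            roles = new string[0]; // authenticated, but granted no local roles
        }

        // The custom IPrincipal attached to the context for this request.
        e.User = new GenericPrincipal(id, roles);
    }
}
```

Keying roles on HexPUID rather than on a profile attribute such as an e-mail address keeps authorization tied to the identifier Passport issues for the account.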

To implement Passport authentication in an ASP.NET application

  1. Download, install, and configure the Passport SDK. You must register and pay a fee to obtain the SDK.
  2. Set up Passport as the authentication mode in the application configuration file as follows:
    <authentication mode = "Passport"></authentication>
  3. Using the Passport documentation and the Passport SDK functionality, implement Passport authentication and authorization.

See Also

The Windows Authentication Provider   The Forms Authentication Provider



© 2025 Reynald Nuñez and asp.net.ph. All rights reserved.
