Data Formats and Information Flow in Passport-based SSO
To fully demystify the Passport technology, this section discusses the data formats used during Passport-based authentication. The authentication information flows over the Internet in the form of HTTP URLs. This section lists all the URLs and explains which information they carry. (Refer back to Figure 1 and the explanation of each authentication step in "Set Up Passport Authentication in ASP.NET.")
URL That Identifies Passport-enabled Applications
The first URL involved in the Passport process is the URL that identifies a Passport-enabled application (for example, http://www.MyPassportEnabledApplication.com, a fictitious URL). The user enters this URL in his or her browser and starts browsing. In the previous article, I instantiated a PassportIdentity object and then called its LogoTag2 method. The LogoTag2 method of the PassportIdentity object in a Passport-enabled application checks whether the request from the user contains any authentication information. If no authentication information accompanies the request, the LogoTag2 method serves a sign-in button in response.
For example, because the example URL in the previous paragraph does not contain any authentication data, the LogoTag2 method in a Passport-enabled application would serve the sign-in button in response to it. Figure 1 (a screen shot of a fictitious tour operator) shows how the sign-in button looks. (The ASP.NET page for this application is included in the code download for this article.)
Figure 1: A Web Page with a Sign-in Button
The code for the Figure 1 sign-in button looks something like this:
ALT="Sign in with your Passport."/>
The HREF attribute of the <A> tag points to a target URL address (www.MyPassportEnabledApplication.com/ along with some parameter-value pairs), while the <IMG> tag points to the source of the sign-in button image. When the user presses the sign-in button, his or her browser visits the target URL (which is the value of the HREF attribute of the <A> tag).
This URL is the same as the example Passport-enabled application (http://www.MyPassportEnabledApplication.com), along with some parameters. So pressing the sign-in button sends the parameters to the example Passport-enabled application.
URL for the Address of the Passport Login Site
When the PassportIdentity class in a Passport-enabled application sees the parameters described in the sidebar coming from the browser, it redirects the user to another URL, as shown below:
This URL is the address of the Passport login site, which serves the login page (see Figure 2).
The user enters his or her user name and password and presses the sign-in button. This time the app sends a secure HTTP request to the secure HTTP server that Microsoft hosts for Passport login. This secure channel maintains the confidentiality of the user's password as it goes to the Passport server.
Notice that the login page in Figure 2 has two check boxes: Sign me in automatically and I'm using a public computer. These boxes are the opposite of each other, and checking one automatically unchecks the other. The boxes control whether the app stores authentication data in the user's browser (as cookies). If the Sign me in automatically box is checked, the data is stored in the user's browser. If the user is browsing from a public computer (e.g., in an Internet café
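As an added illustration (not code from the article or from Passport itself), the following Python model shows the mechanism behind the two check boxes: "Sign me in automatically" yields a persistent cookie with an Expires date, "I'm using a public computer" yields a session cookie that the browser drops when closed, and the mutually exclusive boxes are enforced server-side. The cookie name `auth`, the 14-day lifetime, the ticket value and the sample date are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2003, 1, 1, tzinfo=timezone.utc)


def resolve_checkboxes(sign_in_automatically: bool, public_computer: bool) -> bool:
    """Return True when authentication data should persist in the browser.

    The login page keeps the two boxes mutually exclusive, so a submission
    with both set is invalid and is refused rather than silently resolved.
    """
    if sign_in_automatically and public_computer:
        raise ValueError("the two check boxes are mutually exclusive")
    return sign_in_automatically


def build_auth_cookie(ticket: str, persist: bool, now: datetime,
                      lifetime_days: int = 14) -> str:
    """Build a Set-Cookie header value for the (constructed) auth ticket.

    'auth' and the 14-day lifetime are placeholders, not Passport's values.
    """
    parts = [f"auth={ticket}", "Path=/"]
    if persist:
        # Persistent cookie: survives browser restarts until Expires.
        expires = (now + timedelta(days=lifetime_days)).strftime(
            "%a, %d %b %Y %H:%M:%S GMT")
        parts.append(f"Expires={expires}")
    # Without Expires the browser treats this as a session cookie.
    # The password travels only over the secure channel; the cookie that
    # stands in for it afterwards is confined to that channel as well.
    parts += ["Secure", "HttpOnly"]
    return "; ".join(parts)


def login_response(ticket: str, sign_in_automatically: bool,
                   public_computer: bool, now: datetime = SAMPLE_NOW) -> dict:
    """Headers the login site would send back after a successful sign-in."""
    persist = resolve_checkboxes(sign_in_automatically, public_computer)
    return {"Set-Cookie": build_auth_cookie(ticket, persist, now)}


if __name__ == "__main__":
    print(login_response("TICKET-PLACEHOLDER", True, False))
    print(login_response("TICKET-PLACEHOLDER", False, True))
```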