The Passport Sign-out Procedure
When you register a new Passport-enabled application, the Microsoft Passport server requires an expire cookies URL. The expire cookies URL is the address that the Passport server invokes when a user of this application presses the Sign-out button. When a user presses the Sign-out button on any Passport-enabled application, it generates the following URL:
As you can see, the URL points to the Microsoft Passport server. The Passport server keeps a record of all sites that a user signs in to during a login session. The logout page on the Passport server automatically detects all Passport-enabled applications to which the user is currently signed in. Once the Passport server has this list, it invokes the expire cookies URL of each Passport-enabled application on it.
The purpose of this logout procedure is for the Passport server to provide each Passport-enabled application an opportunity to take some action when a user signs out. It is up to the Passport-enabled application to decide which logout logic it needs. This is analogous to having object destructors in object-oriented programming languages like C++ and Java to implement cleanup logic when an object is deleted.
The simplest logout possibility (when you don't want to do anything during logout) is to use the following code:
<%@ Page Language="vb" AutoEventWireup="false" %>
<%
Response.ContentType = "image/gif"
Response.Expires = -1
Response.AddHeader("P3P", "CP=""<compact policy tokens>""") ' P3P header so IE 6 allows cookie deletion; policy value is a placeholder
Response.WriteFile("signout_good.gif") ' the only body content: the green check mark
%>
This code does nothing more than send a GIF image back to the Passport server. The image is normally a green check mark that indicates the user has been successfully signed out of the application. Look at the Response.WriteFile line in the above code. This line writes the signout_good.gif image on the response stream. Passport-enabled applications can download the standard green check mark image from http://www.passportimages.com/1033/signout_good.gif before writing it to the response stream. Each Passport-enabled application to which the user was signed in will send one image. The Microsoft Passport server will show the image next to the application on the successful sign-out page (see Figure 8).
Figure 8: A Successfully Signed-out Page
Author Note: The code above includes a Response.AddHeader line, which adds a P3P header to the response stream. P3P (Platform for Privacy Preferences) is a W3C standard that expresses privacy policies. P3P-aware browsers like IE 6 require this header to allow deleting browser cookies. Refer to the official P3P page at http://www.w3.org/P3P/ for more details about P3P.
The successfully signed-out page shown in Figure 8 is displayed to the user for a few seconds after successful sign-out from all sites. The user is then redirected back to the original calling page where he or she pressed the Sign-out button.
The Passport server expects a GIF image in response to the expire cookies URL. If the page at the expire cookies URL does not return an image, or sends something else in response, the Passport server cannot confirm the sign-out and puts a red mark against the Passport-enabled site's name on the successfully logged-out page. Figure 9 shows this mark where the Passport-enabled application failed to return a GIF image in response to the logout URL.
Figure 9: A Page Showing Sign-out Failure
This image is the only thing the Passport server requires. You are free to do other processing (e.g., destroying server-side session objects on logout) in addition to serving the image back to the Passport server. However, remember that the response from the expire cookies URL should contain only the GIF image. Whatever server-side sign-out processing you perform, your expire cookies page should not write anything else on the response stream.
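The following expire cookies page is an added example, not code from the article; it combines the server-side cleanup the paragraph above allows (abandoning the ASP.NET session and expiring the application's own cookies) with the one thing the Passport server actually checks, the GIF body. The cleanup runs inside a Try block so that a failure there still lets the image go out; otherwise the Passport server would show the red mark from Figure 9 even though the user's session may have been destroyed. The P3P compact policy value and the path of signout_good.gif are placeholders you must replace with your own.

```vb
<%@ Page Language="vb" AutoEventWireup="false" %>
<script runat="server">
    ' Expire cookies page: invoked by the Passport server for each site the
    ' user is signed in to. It must answer with a GIF image and nothing else.
    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        MyBase.OnLoad(e)

        ' Discard any buffered output so the image is the only body content.
        Response.Clear()

        ' Server-side sign-out work. Any error here is swallowed on purpose:
        ' the Passport server only understands "image returned" vs. "not returned",
        ' so failing to serve the GIF would mislabel this site on the sign-out page.
        Try
            ' 1. Drop the server-side session object for this user.
            If Not Session Is Nothing Then
                Session.Abandon()
            End If

            ' 2. Expire every cookie this application set in the browser by
            '    sending each one back with a date in the past.
            Dim name As String
            For Each name In Request.Cookies.AllKeys
                Dim expired As New HttpCookie(name, String.Empty)
                expired.Expires = DateTime.UtcNow.AddDays(-1)
                Response.Cookies.Add(expired)
            Next
        Catch ex As Exception
            ' Swallowed by design (see comment above); log it with your own logger.
        End Try

        ' 3. Compact P3P policy so IE 6 honours the cookie deletion.
        '    "<compact policy tokens>" is a placeholder for your real policy.
        Response.AddHeader("P3P", "CP=""<compact policy tokens>""")

        ' 4. Serve the green check mark; never cache it.
        Response.ContentType = "image/gif"
        Response.Expires = -1
        Response.WriteFile(Server.MapPath("~/signout_good.gif")) ' assumed location
        Response.End()
    End Sub
</script>
```

Note that the cookie loop expires the application's cookies, not the Passport cookies themselves; those are removed by the Passport server's own logout page, which is why the P3P header matters only for the cookies this application owns.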
Notice one last thing about signing out of Passport-enabled sites. If you don't check the "Sign me in automatically" box while signing in, then you will have to sign out of all the Passport-enabled sites individually. You can verify this behaviour by logging into several Passport sites without checking "Sign me in automatically" and then trying to sign out.
What Have We Learned?
This article demonstrated the use of Passport for SSO applications. It started by explaining the features that are collectively known as SSO. It then explained the flow of information that occurs when a user logs on to a Passport-enabled application. The next section demonstrated the actual SSO and explained how different Passport-enabled applications can customize the user's SSO experience according to the unique requirements of a particular Passport application. The last section explained the sign-out logic in Passport-enabled applications.