Server-to-Server Authentication with Impersonation
[Applies to: Microsoft Dynamics CRM 4.0]
This authentication scenario is used when an ISV wants to provide a service, for example an online storefront, to a customer and must make business data changes in Microsoft Dynamics CRM Online on the customer's behalf in order to provide that service. The ISV would typically implement a custom Web page that provides a user interface to the service and a custom Windows Live logon Web page. Optionally, the custom Web page could be embedded in an IFRAME within the Microsoft Dynamics CRM Online Web application.
The sequence of events that the user sees is as follows. If the user has not logged into Windows Live or Microsoft Dynamics CRM Online, the user is redirected to the ISV's custom logon page, where the user can log on using their Windows Live credentials. After a successful logon, the user is redirected to the ISV's custom Web page, where the service can be provided. Any Microsoft Dynamics CRM Online data changes that the custom Web page performs on the user's behalf are recorded in the database as being owned by the user. The ISV user who made the data change is also recorded.
The behind the scenes sequence of events for this scenario is shown in the following diagram and described in the text that follows the diagram.
Important: This process uses a lightweight authentication method where the user name, password, and device ID information can be used to authenticate the user instead of certificates. This is the preferred method to authenticate a user with Microsoft Dynamics CRM Online.
Important: The RPS (Relying Party Suite) SDK that is required to implement this authentication scenario is available only to those developers who are members of Microsoft's PartnerSource. For more information, see PartnerSource for Microsoft Dynamics (http://go.microsoft.com/fwlink/?LinkID=189153&clcid=0x409).
The Microsoft Dynamics CRM Online authentication process for this scenario involves the following sequence of steps:
- (1) Retrieve an RPS ticket that contains the PUID (Passport Unique ID) of the logged-on user. This step is only required if an RPS ticket does not already exist in a cookie on the logon server.
- (2) Retrieve a policy from the CrmDiscoveryService Web service using the RetrievePolicyRequest request.
- (3) Retrieve a Windows Live ID (WLID) ticket for the ISV's service account from the Windows Live ID service using the LiveIdTicketManager.RetrieveTicket method.
- (4) Retrieve detailed information about the specified organization from the CrmDiscoveryService Web service. Next, retrieve the logged-on user's Microsoft Dynamics CRM user ID using the RetrieveCrmUserIdByExternalIdRequest request. This request class is available in the WSDL obtained from the Microsoft Dynamics CRM Online Web service.
- (5) Retrieve a (Crm) ticket from the CrmDiscoveryService Web service using the WLID ticket of the ISV's service account in the RetrieveCrmTicketRequest request. The ticket applies to a single organization and contains an organization-specific CrmService URL.
- (6) Create an instance of the CrmAuthenticationToken class that has the CrmTicket and OrganizationName properties set to the correct values. Also set the CallerId property of the token to the logged-on user ID to impersonate the user.
- (7) Create an instance of the CrmService class that has the Url property value and the CrmAuthenticationTokenValue property value set.
- (8) Invoke CrmService Web service methods.
In order to perform step 3 shown earlier in this topic, an ISV must first set up a service account. The service account represents a virtual Microsoft Dynamics CRM Online (ISV) user who performs business data changes to the Microsoft Dynamics CRM Online database on the logged-on user's behalf through Microsoft Dynamics CRM SDK Web service calls. As with any other Microsoft Dynamics CRM user account, the service account must be added to each desired organization where business data is to be changed.
To access the Windows Live ID authentication service over the Internet and obtain a Windows Live ID ticket, use the LiveIdTicketManager class that is provided as source code in the Server\Helpers\CS\CrmOnlineAuth\WLIDTicket.cs file of the SDK download.
Note that if the (Crm) ticket expires during application execution, a new ticket must be obtained and assigned to the CrmTicket property of the CrmAuthenticationToken instance. If you try to access the CrmService Web methods with an expired ticket, a SOAP exception is thrown. The SoapException.Detail.InnerText property contains the error code value "8004A101".
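The following C# example is added here and is not SDK sample code; it walks through steps 2 to 8 using the service-account token and includes the expired-ticket check from the note above. The CrmDiscoveryService, CrmService, CrmAuthenticationToken and Retrieve* request classes are the SDK proxies named in this topic; the RetrieveTicket parameter order, the partner value "crm.dynamics.com", the AuthenticationType value, and the PassportTicket, Policy, OrganizationDetail.CrmServiceUrl, ExternalId and UserId property names are assumptions taken from the CRM 4.0 SDK, and the device and service-account credentials are placeholders. The user-ID lookup of step 4 is performed after the service-account token exists because it is a CrmService call.

```csharp
using System.Web.Services.Protocols;

public static class ImpersonatedCrmClient
{
    // Steps 2-7: policy, WLID ticket for the ISV service account, CRM ticket, token,
    // CrmService, then CallerId for impersonation. Credentials below are placeholders.
    public static CrmService Connect(string discoveryUrl, string orgName, string puid, out CrmAuthenticationToken token)
    {
        CrmDiscoveryService disco = new CrmDiscoveryService();
        disco.Url = discoveryUrl;

        // Step 2: retrieve the Windows Live ID policy for this discovery endpoint.
        RetrievePolicyResponse policyResp =
            (RetrievePolicyResponse)disco.Execute(new RetrievePolicyRequest());

        // Step 3: WLID ticket for the service account (parameter order assumed from WLIDTicket.cs).
        string wlidTicket = LiveIdTicketManager.RetrieveTicket(
            "<device-name>", "<device-password>",
            "<service-account@example.com>", "<service-account-password>",
            "crm.dynamics.com", policyResp.Policy,   // partner value assumed
            LiveIdTicketManager.LiveIdEnvironment.PROD);

        // Step 5: exchange the WLID ticket for an organization-specific CRM ticket.
        RetrieveCrmTicketRequest ticketReq = new RetrieveCrmTicketRequest();
        ticketReq.OrganizationName = orgName;
        ticketReq.PassportTicket = wlidTicket;
        RetrieveCrmTicketResponse ticketResp =
            (RetrieveCrmTicketResponse)disco.Execute(ticketReq);

        // Steps 6-7: token and service bound to the organization's CrmService URL.
        token = new CrmAuthenticationToken();
        token.AuthenticationType = 1; // 1 = Passport (Live ID) authentication, assumed
        token.CrmTicket = ticketResp.CrmTicket;
        token.OrganizationName = orgName;
        CrmService service = new CrmService();
        service.Url = ticketResp.OrganizationDetail.CrmServiceUrl;
        service.CrmAuthenticationTokenValue = token;
        service.UseDefaultCredentials = false;

        // Step 4: map the user's PUID to a CRM user ID, then set CallerId so every call is recorded as that user.
        RetrieveCrmUserIdByExternalIdRequest userReq = new RetrieveCrmUserIdByExternalIdRequest();
        userReq.ExternalId = puid;
        token.CallerId = ((RetrieveCrmUserIdByExternalIdResponse)service.Execute(userReq)).UserId;
        return service;
    }

    // Expired CRM ticket: error code 8004A101 in SoapException.Detail.InnerText means
    // Connect must be rerun and the new CrmTicket assigned to the token before retrying.
    public static bool IsExpiredTicket(SoapException ex)
    {
        return ex.Detail != null && ex.Detail.InnerText.Contains("8004A101");
    }
}
```

Wrap the step 8 calls in a try/catch on SoapException and, when IsExpiredTicket returns true, call Connect again and retry with the refreshed token.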
Obtaining the user's PUID from RPS
The RPS Ticket Request path in the diagram handles the following possible conditions:
- An RPS ticket is stored in a cookie on the logon server and is not valid.
- An RPS ticket does not exist.
If a valid RPS ticket is stored in a cookie on the logon server, the RPS Ticket Request step is not required.
If an RPS ticket must be obtained, the user is redirected to a sign-in Web form that can be customized by the ISV. Refer to the RPS SDK documentation for more information.
© 2010 Microsoft Corporation. All rights reserved.