Integrating Passport Single Sign In

Microsoft Commerce Server 2002 provides for the separation of authentication and profiles. Commerce Server profiles can be used subsequent to the authentication process, even if Commerce Server is not used for authentication. This separation allows you to integrate the Microsoft Passport Single Sign In authentication service, replacing the built-in authentication modes supplied with Commerce Server, while still preserving the integrated capabilities of the Commerce Server Profile service.

Passport Authentication Processing Steps

Passport authentication involves the following steps:

  1. An unauthenticated user attempts to access a protected page on a merchant Web site.
  2. Code on the page calls the Passport Manager object, which redirects the user's browser to the logon page on the Passport Web site. The redirection URL includes a query string that contains, among other items, a return URL pointing back to the merchant site.
  3. The user supplies their standard Passport credentials on the logon page on the Passport Web site.
  4. If the user's credentials are accepted, the Passport Web site redirects the user's browser back to the merchant Web site, including encrypted Passport ticket and profile data in the query string.
  5. The Passport Manager object parses and cleans the query string data and writes the Passport cookies to the user's browser.
  6. Whether those cookies are session or persistent cookies depends on the login preferences the user chose.
  7. Subsequent requests for protected merchant pages are authenticated from the Passport cookies rather than from the query string.

The recommended approach for Passport authentication integration involves integrated use of the Commerce Server Profile service with the Passport Single Sign In authentication service. This approach preserves the benefits of the built-in integration between the Commerce Server Profile service and the other features of Commerce Server.

Once a user is successfully authenticated through Passport, their corresponding user profile is retrieved from the Commerce Server Profile service and is used for the remainder of their session. In order to accomplish this type of integration, the following methodology is recommended:

  • The user profile will need to be modified to include a new property called PassportID. This property will be set to the 64-bit unique user ID employed by the Passport service, known as the Passport Unique ID (PUID). For more information about PUIDs, see the Passport SDK documentation.

  • After Passport has successfully authenticated a user, retrieve the MemberIDHigh and MemberIDLow properties from the Passport core profile and compute the PUID from them. Each property is one 32-bit half of the 64-bit PUID: convert each half to hexadecimal, left-pad it with zeros to eight digits, and concatenate the high half followed by the low half to produce a 16-digit key. In VBScript this looks like the following (objPassportMgr is assumed to be an instantiated Passport Manager object):

    Dim nMemberIDHigh, nMemberIDLow, sPassportKey, sHex
    ' The two 32-bit halves of the PUID, read from the Passport core profile.
    nMemberIDHigh = objPassportMgr.Profile("MemberIDHigh")
    nMemberIDLow = objPassportMgr.Profile("MemberIDLow")
    ' Hex() drops leading zeros, so pad each half back out to eight digits.
    ' A negative Long is rendered in two's-complement form (already eight digits).
    sHex = Hex(nMemberIDHigh)
    sPassportKey = String(8 - Len(sHex), "0") & sHex
    sHex = Hex(nMemberIDLow)
    sPassportKey = sPassportKey & String(8 - Len(sHex), "0") & sHex
    

    For more thorough examples of calculating the PUID, see the Passport Web site at https://go.microsoft.com/fwlink/?LinkId=6740.

  • Use the calculated PUID as the lookup key to retrieve the corresponding Commerce Server user profile, using code that looks something like this:

    Dim csUserProfile
    ' GetProfileByKey returns Nothing when no UserObject profile has this PassportID.
    Set csUserProfile = ProfileService.GetProfileByKey("PassportID", _
                                                       sPassportKey, _
                                                       "UserObject")
    
  • Set the ticket type and user ID for this user using the AuthManager object. The following two lines of code, from the function LogOnUser in the file Include\Profilelib.asp of the Passport Sitelet in the Commerce Server SDK, demonstrate how these values can be set:

    objAuthMgr.SetAuthTicket strUserName, fCookieSupport, strTimeout
    objAuthMgr.SetUserID enumMSCS_ProfileTicketType, _
                         objProfile.Fields(USER_ID).Value
    

    For more information, see AuthManager.SetAuthTicket and AuthManager.SetUserID, respectively.

  • If the corresponding Commerce Server user profile is not found, create one for the new user and store their PUID in its PassportID property, using a test that looks something like this:

    If ( csUserProfile Is Nothing ) Then
        ' Use your standard method for creating new
        ' user profiles here, probably involving calls
        ' to GenID.GenGUIDString and ProfileService.CreateProfile.
        ' Store the PUID in the PassportID property so that the
        ' proper profile can be found on the next visit. For example:
        CreateNewUserProfile(sPassportKey)
    End If
    
  • If the corresponding Commerce Server user profile is found, consider synchronizing the latest Passport profile data with the corresponding data in the Commerce Server profile. In this way the user gets the expected result: changes they make to their personal data on the Passport Web site are reflected on participating Passport merchant Web sites.

    The Passport profile contains a ProfileVersion property that allows you to determine whether the user's profile data has changed since their last visit, so you only need to copy data when that version has advanced.
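
The following is an added example, not code from this page or from the Commerce Server SDK, that carries the whole procedure above through in Python so it can be run offline: it derives the 16-digit PUID key from MemberIDHigh and MemberIDLow exactly as the VBScript formula does (including the case where a half is presented as a negative signed 32-bit value, which VBScript's Hex() renders in two's-complement form), looks the key up in a constructed stand-in for the Profile service, creates a profile when none exists, and synchronizes mirrored fields only when the Passport ProfileVersion has advanced. The ProfileStore class, the UserProfile fields, the integer ProfileVersion, the Nickname attribute and the sample member IDs are all assumptions made for the example; setting the AuthManager ticket is left to the ASP caller.

```python
import re
import uuid
from dataclasses import dataclass

# A canonical PUID key is exactly 16 upper-case hex digits: two zero-padded 32-bit halves.
PUID_KEY_RE = re.compile(r"[0-9A-F]{16}")


def hex8(half: int) -> str:
    """Render one 32-bit half the way VBScript Hex() renders a Long, padded to 8 digits.

    A negative Long (the signed view of a half whose top bit is set) prints in
    two's-complement form, e.g. -1 -> "FFFFFFFF", so signed and unsigned inputs
    produce the same key.
    """
    if not -0x80000000 <= half <= 0xFFFFFFFF:
        raise ValueError("MemberID half must fit in 32 bits")
    return format(half & 0xFFFFFFFF, "08X")


def puid_key(member_id_high: int, member_id_low: int) -> str:
    """The value stored in the Commerce Server profile's PassportID property."""
    return hex8(member_id_high) + hex8(member_id_low)


@dataclass
class UserProfile:
    user_id: str          # stands in for the GUID from GenID.GenGUIDString (assumed)
    passport_id: str      # 16-digit PUID key
    profile_version: int  # Passport ProfileVersion last copied into this profile (assumed int)
    nickname: str         # one mirrored Passport attribute (assumed)


class ProfileStore:
    """Constructed stand-in for the parts of ProfileService this flow uses."""

    def __init__(self) -> None:
        self._by_passport_id = {}

    def get_profile_by_key(self, key_name: str, key_value: str):
        if key_name != "PassportID":
            raise KeyError(key_name)
        # Only a canonical key should ever reach the lookup; anything else is a bug or tampering.
        if not PUID_KEY_RE.fullmatch(key_value):
            raise ValueError("not a canonical PUID key: %r" % key_value)
        return self._by_passport_id.get(key_value)  # None plays the role of Nothing

    def create_profile(self, passport_id: str, version: int, nickname: str) -> UserProfile:
        profile = UserProfile(str(uuid.uuid4()), passport_id, version, nickname)
        self._by_passport_id[passport_id] = profile
        return profile


def log_on_passport_user(store: ProfileStore, passport_profile: dict):
    """Map an authenticated Passport core profile onto a Commerce Server user profile.

    Returns (profile, action), where action is "created", "synchronized" or "unchanged".
    """
    key = puid_key(passport_profile["MemberIDHigh"], passport_profile["MemberIDLow"])
    profile = store.get_profile_by_key("PassportID", key)
    if profile is None:
        profile = store.create_profile(key, passport_profile["ProfileVersion"],
                                       passport_profile.get("Nickname", ""))
        return profile, "created"
    if passport_profile["ProfileVersion"] > profile.profile_version:
        # Passport data changed since the last visit: copy the fields we mirror.
        profile.nickname = passport_profile.get("Nickname", profile.nickname)
        profile.profile_version = passport_profile["ProfileVersion"]
        return profile, "synchronized"
    return profile, "unchanged"


# Constructed sample: the same member seen on three visits. The low half arrives once as a
# signed Long and once as the unsigned value; both must map to the same PassportID.
VISIT_1 = {"MemberIDHigh": 0x0003BFFD, "MemberIDLow": -1703113952,
           "ProfileVersion": 4, "Nickname": "alice"}
VISIT_2 = {"MemberIDHigh": 0x0003BFFD, "MemberIDLow": 0x9A7C8B20,
           "ProfileVersion": 5, "Nickname": "alice_b"}


def demo():
    """Run the three visits and report the final profile plus the action taken each time."""
    store = ProfileStore()
    actions = []
    profile = None
    for visit in (VISIT_1, VISIT_2, VISIT_2):
        profile, action = log_on_passport_user(store, visit)
        actions.append(action)
    return profile, actions


if __name__ == "__main__":
    final_profile, taken = demo()
    print(final_profile.passport_id, taken)
```

The key is always rebuilt from the two integer halves returned by Passport and never taken from a request parameter, and the store refuses any lookup value that is not a canonical 16-digit key; that keeps a tampered or malformed identifier from ever being used to select a Commerce Server profile.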

You could also develop an authentication solution that offers Passport Single Sign In for Passport users, and uses the Commerce Server authentication mechanisms for non-Passport users.

Copyright © 2005 Microsoft Corporation.
All rights reserved.