[This is preliminary documentation and subject to change]

Using Passport Authentication

Passport's primary service is user authentication, referred to as the Passport single sign-in (SSI) service. Passport supports authentication across multiple sites and services by hosting:

When a registered Passport user clicks the standard Passport sign-in scarab on a Passport SSI participating site, a silent HTTP redirect displays the (cobranded) Passport sign-in page. On the sign-in page, the user enters his or her Passport sign-in name and password. Passport authenticates the user, writes Passport cookies to the user's browser, and provides encrypted authentication (a "ticket" containing the PUID) and Passport profile information to the participating site as parameters on the HTTP query string. A simple server-side COM object, called the Passport Manager, on the participating site decrypts the information, manages authentication and profile access, caches the user's authentication and profile information in cookies on the user's browser, and silently re-verifies the cookies as the user moves from page to page at the site. The site may use information in the profile cookie to personalize the user's experience in some way (for example, by displaying the user's name or special offers targeted to the user's demographics).

The site can specify the "freshness" of the authentication ticket by requesting that the user have entered his or her sign-in name and password within a site-specified time window. If the time window has expired, the site will display the cobranded Passport sign-in page and the user will be asked to reenter his or her sign-in name and password before proceeding.
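The ticket-freshness decision described in the two paragraphs above can be shown in a few lines. The following is an added example, not Passport's own code or the Passport Manager COM object: it models the participating site's side of the exchange with a hypothetical tamper-evident ticket (an HMAC over a PUID and the time the password was last entered; the real Passport ticket is encrypted and its format is not given on this page), a constructed site key, and a site-specified time window in seconds. An authentic ticket inside the window is accepted; anything else makes the site redirect the user to the Passport sign-in page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder for the secret shared between Passport and the
# participating site; how the real key is provisioned is not covered here.
SITE_KEY = b"example-site-key-not-real"


def issue_ticket(puid, last_signin_time, key=SITE_KEY):
    """Build a ticket carrying the PUID and the time the user last typed
    their sign-in name and password. Stand-in for Passport's encrypted
    ticket: the HMAC gives integrity, not confidentiality."""
    body = json.dumps({"puid": puid, "ts": int(last_signin_time)},
                      sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def parse_ticket(ticket, key=SITE_KEY):
    """Return the ticket payload if the MAC verifies, otherwise None."""
    try:
        body_b64, mac_b64 = ticket.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def check_signin(query_ticket, time_window, now=None, key=SITE_KEY):
    """Participating-site decision for a ticket arriving on the query string.

    Returns ("ok", puid) when the ticket is authentic and the user's last
    password entry is no older than time_window seconds; otherwise returns
    ("redirect", reason), meaning: send the user to the Passport sign-in page
    to reenter their sign-in name and password."""
    now = time.time() if now is None else now
    payload = parse_ticket(query_ticket, key)
    if payload is None:
        return ("redirect", "invalid ticket")
    age = now - payload["ts"]
    if age < 0:  # clock skew or a timestamp that claims to be in the future
        return ("redirect", "timestamp in the future")
    if age > time_window:
        return ("redirect", "ticket too old")
    return ("ok", payload["puid"])


if __name__ == "__main__":
    # Constructed sample: password entered at t=1000, request arrives at t=1500.
    ticket = issue_ticket("0123ABCD", 1000)
    print(check_signin(ticket, time_window=600, now=1500))   # accepted
    print(check_signin(ticket, time_window=300, now=1500))   # too old, redirect
```

The time window is the site's choice: a short window forces a fresh password entry for sensitive pages, while a long one lets the cross-site silent re-authentication the page describes go through unchallenged. The `age < 0` branch matters because a ticket that claims a future sign-in time would otherwise pass every window.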

There is no direct server-to-server communication of users' authentication and profile information between Passport and participating sites. The information exchange occurs through the client's browser using HTTP redirects and cookies. However, the Passport Manager on the participating site's server does periodically download a centrally hosted configuration file; this is an XML document that contains current URLs for the Passport servers and the current Passport profile configuration (or "profile schema").

After signing in at one Passport participating site, a user can sign in to others during the same Internet session simply by clicking the Passport sign-in link on each site. The HTTP redirects still occur, but Passport issues a set of encrypted cookies to enable silent, seamless re-authentication across sites. (However, participating sites do have the option of requiring the user to reenter sign-in name and password regardless of the user's authentication state, for added security.)

Users can also choose to be signed in automatically by saving their Passport sign-in name and password on a given computer. This option keeps a consumer signed in to Passport at all times on that computer, even if the consumer disconnects from the Internet, closes the browser, or turns off the computer.

When a user signs out by clicking the Passport sign-out scarab on a participating site, all Passport cookies from all of the sites visited during the browser session are deleted from the user's computer. This is accomplished by means of HTML image tags and HTTP redirects.

Note: Passport offers two optional services, Passport Express Purchase (EP) and Kids Passport. The Microsoft Passport Business Services home page and the Passport whitepaper offer step-by-step instructions for implementing Passport and these other Passport services on your Web site.

© 1997-2001 Microsoft Corporation. All rights reserved.