Hard Sign-In: Step By Step
There is more than one way to implement Microsoft® .NET Passport on your site. The method that is right for your site depends on the user experience you want to present. Hard sign-in requires the user to be signed in before any page content is shown: a user who visits the page without being signed in is redirected to the Login server, and after authentication the Login server redirects the user back to your page, which, because the user is now authenticated, is displayed.
Implementing Hard Sign-In
The following are the basic coding steps used to implement hard sign-in:

1. Create an instance of the Passport Manager server-side object on the page. This is usually done using the Active Server Pages (ASP) Server object, as shown in the following example.

   ```vbscript
   Set oMgr = Server.CreateObject("Passport.Manager")
   ```

   You can also use the **Factory** object of the .NET Passport application programming interface (API) with application scope to take advantage of object-pooling optimizations in ASP. For more information, see [Passport Factory Object](ms816788\(v=msdn.10\).md).

2. If the user has just returned from the .NET Passport Login server, the query string contains the authentication data (ticket and profile) that the Login server appended to the return URL. Once Passport Manager has processed it, that data should not remain in the address bar, where it would persist in browser history and bookmarks and be sent in Referer headers to any site the page links to. To determine whether the user is coming from the Login server, check the FromNetworkServer property of the Passport Manager object; it is True if the user was redirected to the current page from the .NET Passport server. To clear the query string, redirect the user to the URL of the current page without its query string. The page is then reloaded, and the user is authenticated from the cookies alone.

3. Call the IsAuthenticated method of Passport Manager. Called with no arguments, it returns True if the user has a valid, unexpired .NET Passport Ticket cookie. If the optional TimeWindow parameter is supplied, it returns True only if the ticket was issued or refreshed within that many seconds. If True is also supplied as the ForceLogin parameter, a silent refresh is not enough: the method returns True only if the user has manually signed in (entered credentials) within the time window.

4. If the user is not authenticated (that is, IsAuthenticated returns False), redirect the user to the .NET Passport Login server using the LoginUser method of the Passport Manager object. After the user is authenticated, the Login server redirects the user to the address specified by the returnURL parameter in the LoginUser call. It is common practice for a script to supply its own address as returnURL, so that after signing in the user is sent back to the page he or she was trying to view before being redirected to the Login server. Pass the address without any query string the Login server may have added, for the reason given in step 2.

5. Verify that the user has given your site consent to use his or her .NET Passport profile information. Your site should store each user's .NET Passport Unique ID (PUID) and consent status for your site in a database. After the user has been authenticated, check the database to retrieve the user's consent status. If consent has not been given, direct the user to a page you supply that asks for consent and, if it is given, stores that fact in the database. (Typically, the consent page returns the user to the calling page after the database entry has been made.) The implementation of the database query and of the consent page are not included in the example below. For more information, see Adding a Personal Consent Page.

6. Display the .NET Passport link on the page by calling the LogoTag2 method of the Passport Manager object. Because of the structure of a page that implements hard sign-in, the user must be signed in to reach the LogoTag2 call, so the .NET Passport link always displays Sign Out. LogoTag2 accepts an optional returnURL parameter that tells the Login server where to redirect the user afterwards. Because Sign Out is what is displayed here, returnURL should be your site's sign-out script, which deletes the .NET Passport cookies for your domain. For more information about creating a sign-out script, see Implementing Sign-Out and Deleting Cookies.
Example Code for Hard Sign-In
The following is an example of an Active Server Pages (ASP) page that uses hard sign-in.
```vbscript
<%
Dim oMgr 'Passport Manager object
Set oMgr = Server.CreateObject("Passport.Manager")

Dim thisURL, logoutURL
'The URL of this page, deliberately without its query string.
thisURL = "https://" & Request.ServerVariables("SERVER_NAME") & _
          Request.ServerVariables("SCRIPT_NAME")
'The URL of the sign-out page.
logoutURL = "https://" & Request.ServerVariables("SERVER_NAME") & _
            "/logoutuser.htm"

If oMgr.FromNetworkServer Then
    'The ticket has just arrived in the query string. Reload the page
    'without it so it does not linger in history, bookmarks or Referers.
    'Response.Redirect ends processing of this page.
    Response.Redirect thisURL
End If

'The ticket must be less than one hour old (3600 seconds) or it is
'considered stale. The TimeWindow parameter is optional.
If Not oMgr.IsAuthenticated(3600) Then
    'Either get a new ticket or refresh the existing stale one.
    'Both cases do the same thing: redirect to the Login server,
    'which sends the user back to thisURL after sign-in.
    oMgr.LoginUser Server.URLEncode(thisURL), 3600
End If

'Determine the user's PUID.
Dim memberidhigh, memberidlow
memberidhigh = oMgr.Profile("MemberIDHigh")
memberidlow  = oMgr.Profile("MemberIDLow")

'Check for this user's record in your consent database.
'ConsentIsInDatabase and AddPUIDToConsentDatabase are written by the
'participating site (they are not part of the Passport SDK) and
'record the user's consent status for this site.
If Not ConsentIsInDatabase(memberidhigh, memberidlow) Then
    If oMgr.TimeSinceSignin < 10 Then
        'The user clicked Sign In within the last 10 seconds to enter
        'your site, providing implicit consent, so no consent page
        'is necessary.
        Call AddPUIDToConsentDatabase(memberidhigh, memberidlow)
    Else
        'The user has not given consent; show the consent page.
        'gather_consent.asp presents the consent UI and, if consent
        'is given, makes the database entry and redirects back to
        'this page using the returnTo parameter.
        Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & _
            "/gather_consent.asp?returnTo=" & Server.URLEncode(thisURL)
    End If
End If

'This link always displays Sign Out here: a user who still needed to
'sign in, or who had not given consent, was redirected away before
'reaching this point.
Response.Write oMgr.LogoTag2(Server.URLEncode(logoutURL), 3600)
Response.Write "<HR>"

'Display all the content that is protected by .NET Passport
'authentication.
Response.Write "Welcome. Begin your page's content here."
%>
```
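The ASP page above can only be exercised against a live Passport deployment, so the decision flow it implements (steps 2 to 6) is modelled here as an added example that can be run offline; it is not Passport SDK code. The Passport Manager COM object is replaced by a Request record carrying the values the page reads from it (FromNetworkServer, ticket age, TimeSinceSignin, MemberIDHigh/MemberIDLow), the Login server URL and its query parameter names are placeholders, the hostnames are constructed, and the consent database is a set of PUIDs. Each request yields the one outcome the ASP page produces with Response.Redirect or Response.Write, in the same order of checks.

```python
"""Model of the hard sign-in decision flow (added example, not Passport SDK code)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

TIME_WINDOW = 3600             # IsAuthenticated(3600): a ticket older than this is stale
IMPLICIT_CONSENT_WINDOW = 10   # TimeSinceSignin < 10: the Sign In click counts as consent
LOGIN_SERVER = "https://login.example.invalid/login.srf"  # placeholder, not the real Login server

PUID = Tuple[int, int]         # (MemberIDHigh, MemberIDLow)


@dataclass
class Request:
    url: str                          # URL as requested, possibly with the Login server's query string
    from_network_server: bool         # Passport Manager FromNetworkServer
    ticket_age: Optional[int]         # seconds since the ticket was issued/refreshed; None = no ticket
    time_since_signin: Optional[int]  # seconds since the user entered credentials
    puid: Optional[PUID]              # None when there is no ticket


@dataclass
class Outcome:
    action: str       # "redirect" or "render"
    location: str     # redirect target, or the Sign Out URL handed to LogoTag2


def strip_query(url: str) -> str:
    """Return url without query string or fragment (what thisURL holds on the page)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def hard_sign_in(req: Request, consent_db: Set[PUID],
                 site_host: str = "www.example.invalid") -> Outcome:
    """Apply the hard sign-in checks in the order the ASP page performs them."""
    this_url = strip_query(req.url)

    # Step 2: the ticket just arrived in the query string; reload without it.
    if req.from_network_server:
        return Outcome("redirect", this_url)

    # Steps 3-4: no ticket, or a ticket older than the window, goes to the
    # Login server with thisURL as the return URL. (Parameter names are
    # illustrative; ForceLogin is not modelled.)
    if req.ticket_age is None or req.ticket_age >= TIME_WINDOW:
        query = urlencode({"ru": this_url, "tw": TIME_WINDOW})
        return Outcome("redirect", f"{LOGIN_SERVER}?{query}")

    # Step 5: consent. A user who clicked Sign In moments ago has consented
    # implicitly; anyone else without a record is sent to the consent page.
    if req.puid not in consent_db:
        recent = (req.time_since_signin is not None
                  and req.time_since_signin < IMPLICIT_CONSENT_WINDOW)
        if recent:
            consent_db.add(req.puid)
        else:
            query = urlencode({"returnTo": this_url})
            return Outcome("redirect", f"https://{site_host}/gather_consent.asp?{query}")

    # Step 6: render the protected content; LogoTag2 shows Sign Out pointing
    # at the site's sign-out script.
    return Outcome("render", f"https://{site_host}/logoutuser.htm")


if __name__ == "__main__":
    # Constructed walk-through: first visit, return from the Login server,
    # the reload that clears the query string, then a later stale ticket.
    db: Set[PUID] = set()
    page = "https://www.example.invalid/members.asp"
    for r in (Request(page, False, None, None, None),
              Request(page + "?t=TICKET&p=PROFILE", True, 1, 1, (7, 42)),
              Request(page, False, 2, 2, (7, 42)),
              Request(page, False, 7200, 7200, (7, 42))):
        print(hard_sign_in(r, db))
```

The walk-through in the block shows why the page redirects to itself before anything else: the second request carries the Login server's query string and is answered with a redirect to the bare page URL, and only the third request, now authenticated from cookies, reaches the consent check and renders. Because that third request arrives within the ten-second implicit-consent window, the PUID is recorded without a consent page; a user whose ticket was silently refreshed later would instead be sent to gather_consent.asp.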
See Also
Passport Manager Object | Soft Sign-In: Step By Step | Manager.IsAuthenticated | Manager.LoginUser | Manager.LogoTag2 | Manager.AuthURL2