

MS Passport Authentication Schemes

Microsoft® .NET Passport is an online service that provides common Internet authentication across participating Web sites. Using a .NET Passport account, a user can move among participating sites without the need to authenticate with each of them. These sites become participating .NET Passport sites by implementing support for the .NET Passport authentication service through the .NET Passport single sign-in (SSI). This implementation includes a link to log in through Passport using a common interface that supports co-branding. Users who are already logged in to Passport are authenticated with the site automatically: the browser is redirected to acquire the Passport identity, and site cookies containing that identity are created. However, Passport does not authorize or deny a specific user's access to participating sites or resources.

The Passport identity does not contain any data for authorization. The only field that can be used to derive identity and subsequently permissions is the Passport Unique ID (PUID). SiteMinder uses this PUID to map to a local identity that is used to personalize the site and to authorize access to resources protected by SiteMinder policies.

The PUID is converted to a string and is mapped to a SiteMinder identity through a user directory attribute. In the following diagram, the user DN for "Joe User" is mapped to a Passport PUID through the directory attribute "altSecurityIdentities".

[Diagram: the user DN for Joe User mapped to a Passport PUID through the directory attribute altSecurityIdentities]

Since Passport authentication in SiteMinder is based on mapping the Passport identity to a SiteMinder user, registration is a required component for using Passport for authentication or personalization.

Registration is controlled through a registration URL that is configured in the authentication scheme. The configuration parameter is "registrationurl=" followed by either a registration page URL or the keyword "FORM=" and a SiteMinder form URL. This model provides two methods for registering Passport users.

The first method uses a site-provided web application to link the Passport identity with a SiteMinder user account through the attribute configured in the authentication scheme. This requires the site to develop the web pages that accept registration data and to provide a service that sets the user directory attribute. SiteMinder can provide the interfaces to the user directory and, through a tunnel service, the secure tunnel behind the firewall.

The second method of registration leverages the SiteMinder FCC and the forms authentication model. When the registrationurl includes the keyword FORM=, the subsequent URL is treated as a forms redirect. SiteMinder provides the passport.fcc file to use as a template for developing a Passport registration page using forms.
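As an added example (not CA's or SiteMinder's own code), the following Python models the two pieces described above: the exact-match lookup of a PUID string in the directory attribute, and the interpretation of the registrationurl parameter with and without the FORM= keyword. The in-memory directory, the PUID strings and the URLs are constructed, and the PUID string format is an assumption, since this page does not state it.

```python
# Added example, not SiteMinder code: models PUID -> user mapping and the
# registrationurl parameter handling. The directory, PUID strings and URLs
# below are constructed; the PUID string format is an assumption.
from typing import Dict, List, Tuple

# Constructed in-memory directory: DN -> attribute values, standing in for
# the user directory SiteMinder would search.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Joe User,ou=people,dc=example,dc=com": {
        "altSecurityIdentities": ["0006000080F1A2B3"],
    },
    "cn=Jane Roe,ou=people,dc=example,dc=com": {
        "altSecurityIdentities": ["000600004C0D1E2F"],
    },
}

def parse_registration_url(param: str) -> Tuple[str, str]:
    """Interpret the scheme's registrationurl parameter.

    'registrationurl=FORM=<url>' means the URL is a forms (FCC) redirect;
    any other value is a site-provided registration page.
    """
    prefix = "registrationurl="
    if not param.startswith(prefix):
        raise ValueError("expected a registrationurl= parameter")
    value = param[len(prefix):]
    if value.startswith("FORM="):
        return ("form", value[len("FORM="):])
    return ("page", value)

def find_user_by_puid(puid: str, attr: str = "altSecurityIdentities") -> List[str]:
    """Return the DNs whose mapping attribute holds exactly this PUID string.
    Exact equality, never substring matching, so a PUID can only claim the
    account it was deliberately linked to."""
    return [dn for dn, attrs in DIRECTORY.items() if puid in attrs.get(attr, [])]

def resolve_passport_login(puid: str, registration_param: str) -> dict:
    """Decide what happens after Passport returns a PUID: authenticate as the
    linked user, refuse an ambiguous mapping, or send the user to register."""
    matches = find_user_by_puid(puid)
    if len(matches) == 1:
        return {"status": "authenticated", "dn": matches[0]}
    if len(matches) > 1:
        # Two accounts linked to one PUID: fail closed rather than pick one.
        return {"status": "ambiguous", "dns": matches}
    kind, url = parse_registration_url(registration_param)
    return {"status": "register", "redirect": url, "forms": kind == "form"}
```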

SiteMinder r12.0 SP3 provides a Passport Authentication Scheme template. The library name is smauthmspp. This authentication scheme can be used on both Windows and UNIX Policy Servers.