An Authorization Service using .NET Passport™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute of Technology

Page 1: An Authorization Service using .NET Passport ™ as underlying Authentication Scheme

An Authorization Service using .NET Passport™ as

underlying Authentication Scheme

Bar-Hen Ron, Hochberger Daniel

Winter 2002

Technion – Israel Institute of Technology

Page 2

Motivations

• Creating a generic Authorization service for the Technion which takes advantage of the .NET Passport™ Authentication Scheme.

• Building a generic Administrator Software for setting permissions.

• Finding an interesting real-world application and integrating it into the service: the Software Systems Lab, whose users are students, instructors, lecturers, secretaries, administrators and so on.

• Creating participating sites which support multiple levels of access: a "Grades" system in which students see their grades, instructors and lecturers set grades, and secretaries create new projects.

Page 3

Prerequisites

• Learn Microsoft™ .NET environment

• Learn the C# Programming Language

• Be familiar with the concepts of ADO.NET

• Study Microsoft™ Passport SDK

• Learn how to configure a new participating site

Page 4

Authentication vs. Authorization

• Authentication: are you who you claim to be?

  Performed by .NET Passport.

• Authorization: given that you are who you claim to be, do you have access to a given page?

  Performed locally by the participating site's authorization scheme.

Page 5

How does Microsoft Passport™ work?

• Participating sites register their site URL and return URL, and are assigned a Site ID and a secret encryption key shared with Microsoft.

• Users must have a Microsoft Passport account: a universal sign-in name and password used for accessing every participating site.

• Users are identified by a unique Passport User ID (PUID).

Page 6

How does Microsoft Passport™ work? (cont.)

• When a user clicks the sign-in logo or tries to access a protected web page, a silent HTTP redirect sends the browser to the sign-in page. If the user has previously logged in to a .NET Passport participating site (namely, he holds valid Passport cookies), the whole process described below is silent.

• On the sign-in page, the user is asked to enter his sign-in name and password. If they match an entry in the Microsoft database, the user is authenticated and the Passport login server creates three .NET Passport cookies which include the PUID of the user, a timestamp, and other required information.

• The browser is automatically redirected to the participating site, and the encrypted .NET Passport cookie data is passed to the participating site as query string parameters. The participating site decrypts it with the key shared with Microsoft, obtains the PUID, which authenticates the user, and can run its authorization scheme on the PUID. Because the data carries the sign-in timestamp, the site can also reject a sign-in that is older than it is willing to accept and force a fresh login.
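The round trip described on this slide, as an added example that is not part of the original presentation or of the Passport SDK: a Python simulation of the ticket exchange. The login server seals the PUID and a sign-in timestamp under the key shared with the participating site and redirects the browser to the site's registered return URL with the ticket in the query string; the site verifies and decrypts it, enforces a freshness window, and only then trusts the PUID. The ticket layout, the HMAC-based stream cipher (a standard-library stand-in for the SDK's cipher, which the slides do not name), the `SHARED_KEY` constant and all function names are assumptions; a real deployment would use the SDK's own calls and a vetted AEAD.

```python
"""Simulated .NET Passport-style ticket exchange (added example, not the project's code).

Both ends hold the per-site secret issued at registration. The login server side
(seal_ticket, login_server_redirect) and the participating-site side (open_ticket,
participating_site_receive) are modelled in one file so the exchange runs offline.
Ticket format, cipher construction and names are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_KEY = os.urandom(32)  # constructed; in reality assigned to the site by Microsoft


def _derive(key, label):
    # Separate encryption and MAC keys from the one shared secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher. This is a
    # stand-in so the example needs only the standard library; real code should
    # use a vetted AEAD (e.g. AES-GCM) instead of a home-made construction.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def seal_ticket(puid, now, key):
    """Login server: encrypt-then-MAC a ticket carrying the PUID and sign-in time."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    plaintext = json.dumps({"puid": puid, "ts": now}).encode()
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_ticket(token, key, now, time_window):
    """Participating site: verify the MAC, decrypt, enforce freshness; PUID or None."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or sealed under another site's key
    try:
        ticket = json.loads(_keystream_xor(enc_key, nonce, ct))
    except ValueError:
        return None
    age = now - ticket["ts"]
    if age < 0 or age > time_window:
        return None  # sign-in too old (or from the future): force a fresh login
    return ticket["puid"]


def login_server_redirect(puid, return_url, key, now):
    """Build the redirect the browser follows back to the registered return URL."""
    return return_url + "?" + urlencode({"t": seal_ticket(puid, now, key)})


def participating_site_receive(redirect_url, key, now, time_window=1800):
    """Pull the ticket out of the query string; return the authenticated PUID or None."""
    tokens = parse_qs(urlsplit(redirect_url).query).get("t")
    if not tokens:
        return None
    return open_ticket(tokens[0], key, now, time_window)


if __name__ == "__main__":
    now = int(time.time())
    url = login_server_redirect("0006BFFD8A3C2E4F", "https://lab.example/return.aspx",
                                SHARED_KEY, now)
    print("redirect:", url)
    print("PUID seen by site:", participating_site_receive(url, SHARED_KEY, now + 5))
```

The site-side check rejects a ticket that was altered in transit, one sealed under a different site's key, and one whose sign-in is outside the accepted window; that is why the timestamp travels inside the authenticated ciphertext rather than as a separate query parameter the browser could rewrite.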

Page 7

How does Microsoft Passport™ work? (cont.)

Page 8

Authentication and Authorization implementation

• Each time a page is loaded, it performs silent authentication: the authentication process is implemented in the base class of all the site's pages, using .NET Passport function calls.

• If the page is not restricted, it is opened even if no user is signed in; if it is restricted, the user is forced to sign in and the authorization process then takes place.

Page 9

Authentication and Authorization implementation (cont.)

• A user who has no Passport account is denied access to any restricted page.

• A new user who attempts to access a restricted page for the first time, holds a valid Passport account but is not yet a registered user of the Lab, is redirected to a special web form asking him to enter his details. This user, referred to as a "Pending User", becomes a legal user only when an administrator approves him through the Administrator program.

• A legal user of the Lab attempting to access a restricted page is checked against the Authorization Database to decide whether he is allowed to view it. If not, he is redirected to a "Permission denied" page; otherwise the restricted page is opened.
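The decision procedure of pages 8 and 9, as an added example (Python, not the project's C# code): the check the pages' common base class would run on every load, taking the PUID that Passport returned (or None when nobody is signed in) and answering with one of the outcomes the slides describe. The in-memory `AuthorizationDB`, the group model and the outcome names are assumptions; the slides do not say what a Pending User sees when he retries a restricted page, so the example treats him as not yet a legal user.

```python
"""Page-level authorization decision as the slides describe it (added example, not the
project's code). Passport has already authenticated the browser: the caller passes the
PUID it obtained, or None when nobody is signed in. The repository layout, the group
model and the outcome names are assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    OPEN = "unrestricted page: serve it to anyone"
    SIGN_IN = "restricted page and nobody is signed in: force Passport sign-in"
    REGISTER = "valid Passport but unknown to the Lab: redirect to the registration form"
    PENDING = "registered, awaiting administrator approval: not yet a legal user"
    DENIED = "legal user without permission: redirect to the Permission denied page"
    ALLOWED = "legal user with permission: serve the restricted page"


@dataclass
class AuthorizationDB:
    # page path -> set of groups allowed to view it; pages absent here are unrestricted
    page_permissions: dict = field(default_factory=dict)
    # PUID -> set of groups, filled in by the administrator on approval
    groups: dict = field(default_factory=dict)
    # PUID -> details entered on the registration form, until an administrator approves
    pending: dict = field(default_factory=dict)

    def register(self, puid, details):
        """Registration form handler: a Passport holder becomes a Pending User."""
        if puid not in self.groups:
            self.pending[puid] = details

    def approve(self, puid, groups):
        """Administrator program: turn a Pending User into a legal user with these groups."""
        if self.pending.pop(puid, None) is None:
            raise KeyError(f"{puid} is not pending")
        self.groups[puid] = set(groups)


def authorize(db, page, puid):
    """Decision taken by the pages' common base class on every load.

    Keyed on the PUID alone (the sign-in name is never consulted), and a restricted
    page is denied unless some group of the user is explicitly permitted for it."""
    allowed_groups = db.page_permissions.get(page)
    if allowed_groups is None:
        return Outcome.OPEN
    if puid is None:
        return Outcome.SIGN_IN
    if puid in db.pending:
        return Outcome.PENDING
    if puid not in db.groups:
        return Outcome.REGISTER
    if db.groups[puid] & allowed_groups:
        return Outcome.ALLOWED
    return Outcome.DENIED


if __name__ == "__main__":
    db = AuthorizationDB(page_permissions={"/grades": {"students", "instructors"}})
    print(authorize(db, "/grades", "PUID-demo"))      # REGISTER on a first visit
    db.register("PUID-demo", {"name": "demo"})
    db.approve("PUID-demo", {"students"})
    print(authorize(db, "/grades", "PUID-demo"))      # ALLOWED once approved
```

Only the restricted/unrestricted status of the page and the PUID's group membership enter the decision, so adding a new participating page is a matter of one row in the permissions repository rather than new code in the page.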

Page 10

Involved entities

(Diagram slide; the labelled components recoverable from the text are the Data repository and the Permissions repository.)

Page 11

Registration Form

Page 12

Page 13

Page 14

Administrator S/W GUI (users related)

Page 15

Administrator S/W GUI (groups related)

Page 16

Administrator S/W GUI (total permissions)

Page 17

The "Grades" System

• A special restricted page, typically accessible by secretaries, allows creating new projects, fixing the two students, the instructor and the lecturer participating in each project.

• A restricted page called "Grades" presents to the currently signed-in user all the grades he is allowed to view or to set, according to the Data Repository database and the group he belongs to as specified in the Authorization database.

Typically, a student should be able to see his grades, while an instructor and a lecturer should be able to set respectively 90% and 10% of the grade of each of their students.

The grade system is fully generic: an instructor can be a student, a lecturer can be an instructor and so on. In all cases, the currently logged-in user can view or set only what he is allowed to, and all of it appears in one single table.
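The grade-visibility rules of this slide, as an added example (Python, not the project's code): one table per signed-in PUID, built from the user's role in each project, with writes refused unless the user holds the role that owns that component. The `Project` structure, the 0.9/0.1 weighting of the two marks, the 0-100 mark range and the table layout are assumptions made for illustration.

```python
"""Grades table of the signed-in user as the slides describe it (added example, not the
project's code). A project fixes two students, an instructor and a lecturer; the
instructor's mark weighs 90% and the lecturer's 10% of the final grade. Data
structures, weighting formula and table layout are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class Project:
    name: str
    students: tuple            # the two student PUIDs
    instructor: str            # PUID
    lecturer: str              # PUID
    instructor_mark: dict = field(default_factory=dict)  # student PUID -> mark (0-100)
    lecturer_mark: dict = field(default_factory=dict)    # student PUID -> mark (0-100)


# Which role may write which component; everything else is read-only or invisible.
SETTABLE_BY = {"instructor_mark": "instructor", "lecturer_mark": "lecturer"}
WEIGHTS = {"instructor_mark": 0.9, "lecturer_mark": 0.1}  # assumed reading of "90% and 10%"


def roles_in(project, puid):
    """Roles the PUID holds in this project; the same PUID may hold others elsewhere."""
    roles = set()
    if puid in project.students:
        roles.add("student")
    if puid == project.instructor:
        roles.add("instructor")
    if puid == project.lecturer:
        roles.add("lecturer")
    return roles


def final_grade(project, student):
    """Weighted final grade, or None until both components have been set."""
    parts = {c: getattr(project, c).get(student) for c in WEIGHTS}
    if any(v is None for v in parts.values()):
        return None
    return round(sum(WEIGHTS[c] * v for c, v in parts.items()), 1)


def grades_table(puid, projects):
    """The single table the signed-in user sees: one row per (project, student) he may
    view, listing the components he may set there. A PUID that is a student in one
    project and an instructor in another gets both kinds of rows in the same table."""
    rows = []
    for p in projects:
        roles = roles_in(p, puid)
        for s in p.students:
            if s != puid and not (roles & {"instructor", "lecturer"}):
                continue  # a student sees only his own grades
            can_set = [c for c, r in SETTABLE_BY.items() if r in roles]
            rows.append({"project": p.name, "student": s,
                         "final": final_grade(p, s), "can_set": can_set})
    return rows


def set_mark(puid, project, student, component, value):
    """Write one component; refused unless the signed-in user holds the matching role
    in this very project and the student belongs to it. Returns True on success."""
    role = SETTABLE_BY.get(component)
    if role is None or role not in roles_in(project, puid) or student not in project.students:
        return False
    if not 0 <= value <= 100:
        return False
    getattr(project, component)[student] = value
    return True


if __name__ == "__main__":
    p = Project("Demo", ("PUID-s1", "PUID-s2"), instructor="PUID-i", lecturer="PUID-l")
    set_mark("PUID-i", p, "PUID-s1", "instructor_mark", 90)
    set_mark("PUID-l", p, "PUID-s1", "lecturer_mark", 80)
    for row in grades_table("PUID-i", [p]):
        print(row)
```

The write path re-derives the caller's role from the project itself instead of trusting a role carried in the request, so a user who is an instructor in one project gains nothing over a project where he is only a student.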

Page 18

Create project page

Page 19

The grades page