Windows LiveID SSO Kit_v4 2(Documentação Oficial)
8/2/2019 Windows LiveID SSO Kit_v4 2(Documentação Oficial)
http://slidepdf.com/reader/full/windows-liveid-sso-kitv4-2documentacao-oficial 1/41
Windows LiveID SSO Kit
Single Sign-On Kit for Windows LiveIDVersion 4.2
December 2009
Table of Contents
Overview (p. 4)
Prerequisites (p. 4)
  Recommended options (p. 4)
Working with this document (p. 5)
Solution Introduction (p. 5)
Key Terminology (p. 6)
Implementation Scenarios (p. 9)
  Scenario A: "Active Directory ID equals Windows Live ID" (p. 10)
  Scenario B: "Windows Live ID is different from internal network ID" (p. 12)
    Diagram walkthrough (p. 13)
  Scenario C: Third-party Web-Portal Platform (without IIS server presence) (p. 15)
    Diagram walkthrough (p. 16)
Installation Procedures (p. 17)
  Assumptions (p. 17)
Troubleshooting (p. 26)
  Multiple Versions of .NET Framework Installed on Server (p. 26)
  Mutex could not be created (p. 26)
  URL cannot be resolved (p. 26)
    Example (p. 26)
  Verification of URLs (p. 27)
    Windows Live Credential Server (p. 27)
    Windows Live "Login Server" (p. 27)
Appendix A - Installing and setting ACL assignments to a security certificate (p. 28)
  Adjusting access control lists on security certificate (p. 28)
  Windows HTTP Services Certificate Configuration Tool (p. 28)
  Installing the security certificate (p. 28)
  Adding ACL Assignments to an existing certificate (p. 28)
  Certificate Name (p. 29)
Appendix B - Portal Web Site Configuration (IIS) (p. 30)
Appendix C - Understanding the structure of the StudentLogins.xml file (p. 37)
Overview
This document describes the Windows Live ID one-way single sign-on (SSO) feature for managed
namespaces of the Microsoft Live@Edu program. Enrolled organizations can use the provided
code as a software development kit (SDK) to implement a single sign on solution for an existing
web portal.
You can customize this SDK solution to enable the LiveID SSO solution to pre-authenticate users
and seamlessly transfer them to a Windows Live or Outlook Live mailbox from an internal web
portal without a secondary credential challenge from Windows Live servers.
This document provides guidelines and several possible implementation scenarios for
configuring an internal web portal that enables automatic login to hosted e-mail based on
intranet portal credentials.
Prerequisites
The SSO SDK assumes that your organization has already enrolled in a hosted e-mail service that uses Live ID for authentication, such as Windows Live Mail or Outlook Live. Additionally, this SDK assumes that both internal directory service and Windows Live accounts exist for all users who will access the SSO solution.
The server where you will implement this solution must meet the following prerequisites. You should complete this configuration before you begin working with the SSO SDK:
Windows Server 2003 or later is installed
.NET Framework 2.0 or later is installed. You can download Microsoft .NET Framework 3.5 Service Pack 1 here
NOTE: Microsoft only supports IIS-based scenarios.
Working with this document
Due to the reference nature of this document we recommend that you print it or open it in multiple windows to allow easier navigation between the appendices and installation guide.
Solution Introduction
This SDK provides an open platform to create a custom single sign-on (SSO) solution that can be used to access Live@edu mailboxes from an internal web portal without a secondary credential challenge from Windows Live Services.
When implemented, this solution will allow users to access a Windows Live or Outlook Live
mailbox without typing additional user information or passwords, presuming that the user is
first authenticated (identified) by an internal web portal.
Figure 1 illustrates the basic principle of operation for a single sign-on solution.
A user is authenticated to an organization's internal web portal and presented with a "My
Mailbox" button or link.
Once the "My Mailbox" button/link is clicked, the internal web portal looks up a user's Windows
Live ID in the internal directory service.
A Simple Object Access Protocol (SOAP) request is issued to Windows Live Services.
As a result, a link is presented back to the user’s Internet browser and the user is seamlessly
transferred to their Windows Live or Outlook Live mailbox.
Figure 1
This document provides guidance for implementing an SSO solution for three common
scenarios. You can customize the example code included in this SDK to implement a solution
based on your organization’s particular needs.
Key Terminology
Certificate or digital certificate: A certificate is a digital document that is used to encrypt and decrypt data and verify the identity of an entity.
Directory services and Active Directory: A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory®, provides the methods for storing directory data and making this data available to network users and administrators. For example, Active Directory stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.
Epoch format: Epoch format is used to express the current time as seconds elapsed since midnight, January 1st, 1970. For example, the date and time of 09/11/2008 07:30:22 displays as
Microsoft Identity Integration Server (MIIS): Microsoft Identity Integration Server (MIIS) 2003 is a centralized service that stores and integrates identity information for organizations with multiple directories. The goal of MIIS 2003 is to provide organizations with a unified view of all known identity information about users, applications, and network resources.
Secure Sockets Layer (SSL): Secure Sockets Layer (SSL) is a protocol that provides secure communications on the Internet. This protocol enables communications privacy for web browsing, e-mail, and other data transfers.
Short Lived Token (SLT): A Short Lived Token (SLT) is a string that is issued by the Windows Live ID SOAP Service that can be used by the Web portal instead of credentials (username and password) to authenticate a user to the Windows Live ID service. This SDK contains the GetSLT function (C#), which can be customized for specific needs. For more information, see GetSLT Method in the developer reference section of this document.
Simple Object Access Protocol (SOAP): SOAP (Simple Object Access Protocol) is a protocol for exchanging XML-based messages over a computer network,
Third-party platforms or technologies: Third-party platforms or technologies refer to non-Microsoft technologies.
User's Network ID: A User Network ID is a unique ID issued to a user by the organization's directory service (for example, Active Directory™, eDirectory™, SunOne™, etc.) and/or a unique ID used by a person to authenticate to a school's intranet web portal.
Web portal: Web portal refers to a web server serving as an intranet portal and capable of authentication and authorization against a local directory service.
Web.config file: The web.config XML file defines the configuration of your SSO application. The web.config XML file must be customized for your environment.
Windows Live ID: A Windows Live ID is a unique ID issued to a user by Windows Live Services for authentication and authorization. It is in the format of an e-mail address.
Implementation Scenarios
This SDK provides methods for implementing a single sign-on (SSO) solution to meet the requirements of three different scenarios. Review the scenarios and select the method that aligns most closely with your infrastructure. In each scenario an SLT is retrieved from the Windows Live ID Service and used to silently authenticate the user.
The following solutions are included in this document:
Scenario A: Active Directory ID equals Windows Live ID. Follow the procedures related to this scenario if the user name in Active Directory is the same as the Windows Live user name. To achieve this scenario, the administrator can use ILM to provision the user accounts, or can export account information from Active Directory to a CSV file and then use bulk user management tools to import the CSV file to Windows Live. Outlook Live uses Windows PowerShell remoting for bulk user management.
Scenario B: Windows Live ID is different from internal network ID. Follow the procedures related to this scenario if the user name in the internal directory service is not the same as the Windows Live ID.
Scenario C: Third-Party Web portal platform (without Internet Information Services server presence). In this scenario, a third-party platform is used to host the organization's web portal. This SDK provides guidelines for developing custom code to communicate with Windows Live Services.
Scenario A: "Active Directory ID equals Windows Live ID”
This scenario assumes that your organization is using Active Directory to authenticate users to
an internal web portal which is hosted by Internet Information Server (IIS), and that the user's ID
(sAMAccountName) in Active Directory equals the username portion of the user’s Windows Live
ID. For example: john.smith@myuniversity.edu.
Figure 2: Scenario A authentication flow (diagram). Parties shown: Student's PC with browser, University web-portal server, Windows Live ID SOAP Service, Windows Live ID Login Service. Labelled arrows, numbered 1 to 10: authenticates to portal, HTTP with link to email, click the link, SOAP call (SSL), SLT, redirection with SLT, redirection with ticket for service provider, redirection with ticket.
Attention: If you delete a user from your local directory you must also de-provision the Live ID in your account management solution to
evict this member from your namespace.
https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&ct={0}&wp={1}&wreply=http{2}&lc=1033&id={3}&slt={4}
The variables represented by integers 0 through 4 are replaced with the following data:
0: Current time in epoch format
1: Destination AuthPolicy
2: Destination URL (URL Encoded)
3: Destination site ID
4: SLT token
7. The client’s browser is re-directed to the URL generated in Step 6.
8. The Windows Live ID Login Service issues a ticket for requested service (Mail).
9. The client browser is redirected to the Windows Live Mail or Outlook Live service with
the ticket provided in step 8 as POST data.
10. The Windows Live Mail or Outlook Live service displays the user’s inbox.
To implement Scenario A, please see Scenario A Installation in this document.
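The redirect of step 6, worked through in Python as an added example (not code from the SDK, which is C#/ASP.NET; a Scenario C portal would need its own equivalent). It fills the five placeholders, percent-encodes the token and the destination, and produces a log-safe copy, since the SLT is a bearer credential for the student's mailbox. Assumptions: {2} is the percent-encoded destination URL minus the leading "http" that the template already carries, and the site ID, AuthPolicy name and token used below are constructed sample values.

```python
"""Step 6: turn an SLT into the Windows Live ID login redirect (added example)."""
import re
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_SERVER = "https://login.live.com/ppsecure/post.srf"
# Template exactly as printed in the walkthrough; note the literal "http" before {2}.
REDIRECT_TEMPLATE = (LOGIN_SERVER +
                     "?wa=wsignin1.0&ct={0}&wp={1}&wreply=http{2}&lc=1033&id={3}&slt={4}")


def encode_wreply(destination_url: str) -> str:
    """Value for {2}: the percent-encoded destination with its leading "http" removed,
    because the template already carries that prefix (an assumption about the template)."""
    if not destination_url.startswith(("http://", "https://")):
        raise ValueError("destination must be an absolute http(s) URL")
    return quote(destination_url, safe="")[len("http"):]


def build_login_redirect(slt: str, site_id: str, auth_policy: str,
                         destination_url: str, now: Optional[int] = None) -> str:
    """Fill the five placeholders: 0 epoch time, 1 AuthPolicy, 2 destination URL,
    3 site ID, 4 SLT. Refuses to build a redirect without a token."""
    if not slt:
        raise ValueError("empty SLT: refuse to redirect to the login server")
    if not site_id.isdigit():
        raise ValueError("site ID must be the numeric ID issued to the school")
    epoch = int(time.time()) if now is None else now
    # quote() the token too: a redirect parameter must not break on reserved characters.
    return REDIRECT_TEMPLATE.format(epoch, quote(auth_policy, safe=""),
                                    encode_wreply(destination_url), site_id,
                                    quote(slt, safe=""))


def parse_login_redirect(url: str) -> dict:
    """Decode a generated URL back into its query parameters (useful in portal tests)."""
    parts = urlsplit(url)
    if "%s://%s%s" % (parts.scheme, parts.netloc, parts.path) != LOGIN_SERVER:
        raise ValueError("not a login.live.com post.srf URL")
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def redact_for_log(url: str) -> str:
    """Copy that is safe for portal logs: the SLT grants access to the user's mailbox."""
    return re.sub(r"(?<=[?&]slt=)[^&]*", "<redacted>", url)
```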
Scenario B: "Windows Live ID is different from internal network ID"
This scenario assumes that a student's internal login ID at the university does not equal their Windows Live ID. A directory such as Microsoft ADAM, Novell's eDirectory or Sun's SunOne Directory, a relational database, or any structured directory/file data repository may be used for internal directory services. Microsoft IIS may or may not be used as the host server for the internal web portal. The authentication process for this scenario is illustrated in Figure 4, below.
In the "Windows Live ID is different from Internal ID" scenario, you will need to establish a mechanism to look up/search for the Windows Live ID in some sort of directory or database. In the provided example, an XML file/dictionary is used as the "look-up directory" for illustration purposes.
You can use any other data source such as Active Directory, ADAM, or any LDAP or SQL data source to look up user information.
You could extend Active Directory with an additional attribute to contain the Windows Live ID, or reuse any of the existing attributes and store the user's Windows Live ID in it. Thereafter, this scenario could be applied to look up a value for a Windows Live ID in Active Directory, versus a third-party directory or a file.
As shown in Figure 3, user John Smith has an account in AD. His Network ID is jsmith. John's record exists in the XML directory. The XML dictionary contains a pair of attributes: "WindowsLiveID" containing John's Windows Live ID, and another attribute "sAMAccountName" containing John's Active Directory network ID.
The portal site will query the XML dictionary for John's Active Directory ID and will retrieve the corresponding Windows Live ID belonging to the user.
The received Windows Live ID will be used to retrieve John's mailbox hosted on Windows Live. Figure 4 illustrates the authentication process for this scenario.
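The look-up described above for Scenario B, written in Python as an added example rather than the SDK's own XML dictionary code. The element layout of StudentLogins.xml below is constructed for this example (the page names only the two attributes WindowsLiveID and sAMAccountName), and the namespace-domain check is this example's own addition, corresponding to the public domain name the portal is configured with.

```python
"""Resolve a portal network ID to a Windows Live ID from an XML look-up directory."""
import xml.etree.ElementTree as ET

# Constructed sample directory; the real Appendix C layout may differ, but the
# two attribute names are the ones the scenario description uses.
SAMPLE_STUDENT_LOGINS = """<?xml version="1.0" encoding="utf-8"?>
<StudentLogins>
  <Student sAMAccountName="jsmith" WindowsLiveID="john.smith@myuniversity.edu" />
  <Student sAMAccountName="adoe" WindowsLiveID="alice.doe@myuniversity.edu" />
  <Student sAMAccountName="dup" WindowsLiveID="one@myuniversity.edu" />
  <Student sAMAccountName="DUP" WindowsLiveID="two@myuniversity.edu" />
  <Student sAMAccountName="stray" WindowsLiveID="stray@othernamespace.example" />
</StudentLogins>
"""


def load_directory(xml_text):
    """Return (sAMAccountName, WindowsLiveID) pairs, skipping rows that lack either
    attribute so that a half-filled entry can never match anyone."""
    pairs = []
    for node in ET.fromstring(xml_text).iter("Student"):
        nid, lid = node.get("sAMAccountName"), node.get("WindowsLiveID")
        if nid and lid:
            pairs.append((nid.strip(), lid.strip()))
    return pairs


def _domain_of(live_id):
    return live_id.rsplit("@", 1)[-1].lower()


def lookup_live_id(pairs, network_id, namespace_domain):
    """Map one authenticated network ID to exactly one Windows Live ID.

    Fails closed: no match, an ambiguous match, or a Live ID outside the school's
    namespace all raise. In this scenario the Live ID is never derived from the
    network ID, only read from the directory.
    """
    wanted = network_id.strip().lower()  # sAMAccountName compares case-insensitively
    hits = [lid for nid, lid in pairs if nid.lower() == wanted]
    if not hits:
        raise KeyError("no Windows Live ID mapped for %r" % network_id)
    if len({h.lower() for h in hits}) > 1:
        raise ValueError("ambiguous mapping for %r: %s" % (network_id, hits))
    live_id = hits[0]
    if _domain_of(live_id) != namespace_domain.lower():
        raise ValueError("%r is outside the %s namespace" % (live_id, namespace_domain))
    return live_id


def audit_directory(pairs, namespace_domain):
    """Pre-deployment check of the whole file; returns a list of problems found."""
    problems, seen = [], {}
    for nid, lid in pairs:
        seen.setdefault(nid.lower(), set()).add(lid.lower())
        if _domain_of(lid) != namespace_domain.lower():
            problems.append("%s: Live ID %s is not in %s" % (nid, lid, namespace_domain))
    for nid, lids in seen.items():
        if len(lids) > 1:
            problems.append("%s: mapped to %d different Live IDs" % (nid, len(lids)))
    return problems
```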
Figure 4: Scenario B authentication flow (diagram). Parties shown: Student's PC with browser, University web-portal server, University directory (internal portal ID mapped to Windows Live ID), Windows Live ID SOAP Service, Windows Live ID Login Service. Labelled arrows, numbered 1 to 11: authenticates to portal, HTTP with link to email, click the link, SOAP call (SSL), SLT, redirection with SLT, redirection with ticket for service provider, redirection with ticket.
6. The internal web portal server passes the Windows Live ID along with the pre-installed certificate (provided to the university by Microsoft) to the Windows Live™ ID SOAP (Simple Object Access Protocol) Service, requesting a short-lived token (SLT) by using the GetSLT method (provided with this SDK) over SSL.
7. An SLT is received by the internal web portal server over SSL.
8. The internal web portal server converts the SLT into a URL. Example:
https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&ct={0}&wp={1}&wreply=http{2}&lc=1033&id={3}&slt={4}
9. The client's browser is re-directed to the URL generated in Step 8.
10. The Windows Live ID Login Service issues a ticket for the requested service (Mail).
11. The client browser is redirected to the Windows Live Mail or Outlook Live service with the ticket provided in step 10 as POST data.
12. The Windows Live Mail or Outlook Live service displays the user's inbox.
To deploy this solution, please see Scenario B Installation in this document.
Although this current SDK provides an example of an LDAP query toward Active Directory (AD) or Active Directory Application Mode (ADAM), an organization can develop custom code to call any other LDAP provider to resolve the internal login ID to a Windows Live ID. You can use any
Scenario C: Third-party Web-Portal Platform (without IIS server presence)
In this scenario, a non-Microsoft web-server is used as the only web portal server in the
infrastructure. The third-party web portal server identifies a user and makes SOAP calls to
Microsoft Live Services independently.
Provided code (C#.NET) cannot be used in this scenario but can serve as a guideline for internal
developers to write custom code native to their web portal server to make all calls to Microsoft
Windows Live Services. Please refer to Figure 5 below for a conceptual overview of this type of
implementation.
Figure 5: Scenario C conceptual flow (diagram). Labelled arrows: authenticates to portal, HTTP with link to email, SOAP call (SSL), SLT (numbered 1, 2, 4, 5). Diagram note: custom code must be written by the university to make all interactions with the client and make SOAP calls to the Windows Live infrastructure.
NOTE: Microsoft only supports IIS-based scenarios.
Diagram walkthrough
1. The User is authenticated to the third-party web portal.
2. The web portal provides the student with an HTML page containing a link or a button to their mailbox.
3. An authenticated user clicks on the provided link or button and a request is sent to the
third party web server.
4. The web portal executes custom code to read the certificate and makes SOAP call to
Windows Live Service to receive a Short Lived Token (SLT).
5. An SLT is received by the web portal.
6. A link with the SLT is returned to the user's web browser.
7. The user is redirected to the Windows Live ID Login Service.
8. A token is issued and redirection is returned to the user's browser.
9. The user is redirected to the appropriate service (mail server in this example) with a
valid token attached.
10. The Windows Live Mail or Outlook Live service displays the user’s inbox.
Installation Procedures
The following steps need to be performed on the internal web portal for proper integration with the Windows Live ID e-mail login portal.
Assumptions
A properly issued security certificate has been issued by Microsoft to your institution.
The administrator has sufficient rights to install new software packages and modify the configuration of the server.
The administrator understands the concept of Windows Live ID web SSO.
The appropriate scenario is selected and understood.
Scenario A Installation
In this scenario, a student's Active Directory ID (AD's sAMAccountName attribute value) equals their Windows Live ID. The web portal needs to be configured using the following steps.
1. Import the provided security certificate into the LocalComputer\Personal store. Follow the procedure in Appendix A - Security Certificate Installation.
2. Copy the demo-site files to the created web-site root directory (for example, "C:\inetpub\wwwroot\SSOPortal").
3. Create and configure a web site for your SSO Portal in IIS. Follow the procedures in Appendix B - Portal Web Site Configuration (IIS).
4. Modify the access control list (ACL) for the previously installed certificate. Grant read access to the account running the "Application Pool" (Network Service by default) of your SSO Site with the winhttpcertcfg.exe utility. Follow the procedures in Appendix C - ACL assignments to a security certificate.
5. Adjust the configuration file variables as indicated below. For more information see Appendix E - WEB.CONFIG parameters:
a. Thumbprint. See Appendix F - Identifying Certificate's Thumbprint for more details about retrieving the certificate thumbprint.
b. Scenario. Set the value to "A" to reflect this scenario.
c. loginSeconds, to the desired time, measured in seconds.
d. domain, to match your school's public domain name.
e. siteID, to match the siteID issued to your school.
ATTENTION: The Network Service Account (or an account that is running the IIS application pool for your web application) should have access to read the certificate installed in the Certificate Store. Please refer to "Appendix C - ACL assignments to a security certificate".
LoginSeconds is the number of seconds since the user typed the username and password. A value of "0" means that the issued certificate never expires. It is recommended that you only use a zero value for testing purposes. Adjust the value dependent upon your network connectivity speed and the performance
Scenario B Installation
In this scenario, the Windows Live ID is different from the internal network ID. The web portal needs to be configured using the following steps.
1. Import the provided security certificate into the LocalComputer\Personal store. Perform the procedure in Appendix A - Security Certificate Installation.
2. Copy the demo-site files into the created web-site root directory (for example, "C:\inetpub\wwwroot\SSOPortal").
3. Create and configure a web site for your SSO Portal on the IIS server. See Appendix B - Portal Web Site Configuration (IIS).
4. Modify the access control list (ACL) for the previously installed certificate. Grant read access to the account running the "Application Pool" (Network Service by default) of your SSO Site. See Appendix C - ACL assignments to a security certificate.
5. Modify the "..\App_Data\StudentLogins.XML" file to include at least one user ID on the local network and the corresponding Windows Live ID for the same user. For more information refer to Appendix D - Understanding the structure of the StudentLogins.xml file.
6. Adjust the configuration file variables. See Appendix E - WEB.CONFIG parameters for more information:
a. Thumbprint. See Appendix F - Identifying Certificate's Thumbprint for more details about retrieving the certificate's thumbprint.
b. Scenario. Set the value to "B" to reflect this scenario.
c. loginSeconds, to the desired time, measured in seconds.
d. domain, to match your school's public domain name.
e. siteID, to match the siteID issued to your school.
7. Review the configuration file variables:
Developer Reference
Methods Details
GetSLT Method
You can use the GetSLT method to retrieve a short lived token (SLT) (see definition in the key
terminology section) credential package for an authenticated namespace user that can be sent
to the Windows Live ID login server in order to obtain a Windows Live service ticket. The service
ticket can then be used to access a Windows Live service, like Windows Live Mail or Outlook
Live, on behalf of the authenticated user without the user having to reenter his or her password.
The GetSLT method call must go through mutual Secure Sockets Layer (SSL) authentication.
Syntax:
    public void GetSLT(tagPASSID PassIDIn, uint loginSeconds, out string pbstrSLT);
Parameters
PassIDIn
The tagPASSID element type is used to uniquely identify a credential. You can use the
PASSIDTYPE element type to specify a type of tagPASSID element and determine the
information that must be included in the tagPASSID element within which it is contained.
<PASSIDTYPE>...</PASSIDTYPE>
Note: This token gives the client access to that member's/student's Live ID service. Avoid implementing any custom code that might provide this token to another user.
PASSID_PPSACREDENTIALID
The bstrID element of the tagPASSID should contain the
CredentialID element that identifies a credential. For more details,
see CredentialID XML Block.
PASSID_PUID_SIGNINNAME
The bstrID element of the tagPASSID should contain a PID XML
block, as displayed in the following example, which contains the 16-
digit hexadecimal NetID and the sign-in name of the credential that
is being identified.
<PID>
<PUID>00037FFE80642602</PUID>
<SIGNINNAME>[email protected]</SIGNINNAME>
</PID>
Remarks
The format of this element is defined in the Credential Server WSDL file as the type PASSIDTYPE. The name of the element of this type in Credential Server SOAP requests, however, is pit. The following code example shows the tagPASSID that contains a PASSIDTYPE element.
<tagPASSID>
<pit>PASSID_SIGNINNAME</pit>
<bstrID>[email protected]</bstrID>
</tagPASSID>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <PPSoapHeader xmlns="http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1" />
    <WSSecurityHeader xmlns="http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1">
      <version>eshHeader25</version>
      <ppSoapHeader25>
        <s:ppSoapHeader xmlns:s="http://schemas.microsoft.com/Passport/SoapServices/SoapHeader" version="1.0">
          <s:lcid>1033</s:lcid>
          <s:authorizationLicence></s:authorizationLicence>
          <s:sitetoken>
            <t:siteheader xmlns:t="http://schemas.microsoft.com/Passport/SiteToken" id="33333" />
          </s:sitetoken>
        </s:ppSoapHeader>
      </ppSoapHeader25>
    </WSSecurityHeader>
  </soap:Header>
  <soap:Body>
    <GetSLT xmlns="http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1">
      <PassIDIn>
        <pit>PASSID_SIGNINNAME</pit>
        <bstrID>[email protected]</bstrID>
      </PassIDIn>
      <LoginSeconds>0</LoginSeconds>
    </GetSLT>
  </soap:Body>
</soap:Envelope>
SOAP Fault Response
The following XML code example shows a fault response that is returned from the request.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>SOAP:Server</faultcode>
      <faultstring>SOAP Server Application Faulted</faultstring>
      <detail>
        <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
          <psf:value>0x80048101</psf:value>
          <psf:description>
            <psf:lcid>1033</psf:lcid>
            <psf:text>The header in the soap request is invalid </psf:text>
          </psf:description>
          <psf:internalerror>
            <psf:code>0x80044024</psf:code>
            <psf:text>The client certificate is invalid.</psf:text>
          </psf:internalerror>
          <psf:serverInfo>SQ2 2006.10.23.22.29.58</psf:serverInfo>
        </psf:error>
      </detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
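The GetSLT request envelope and the fault reply above, handled in Python as an added example (not the SDK's C# proxy; it is the kind of custom SOAP client a Scenario C portal would need). Namespaces, element names and error codes are the ones printed on this page and the sample fault is the one above; the sign-in name and site ID are constructed values, and sending the envelope to the Credential Server over mutual SSL is out of scope.

```python
"""GetSLT request builder and SOAP fault parser (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CRED_NS = "http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1"
HDR_NS = "http://schemas.microsoft.com/Passport/SoapServices/SoapHeader"
TOKEN_NS = "http://schemas.microsoft.com/Passport/SiteToken"
FAULT_NS = "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"

# Error codes this page documents (the GetSLT error table and the sample fault).
KNOWN_CODES = {
    "0x80045024": "caller not authorized (SSL not used, or calling site not granted SSO)",
    "0x80048101": "the header in the SOAP request is invalid",
    "0x80044024": "the client certificate is invalid",
}

# The fault reply printed on this page, kept as test input.
SAMPLE_FAULT = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<soap:Fault><faultcode>SOAP:Server</faultcode>'
    '<faultstring>SOAP Server Application Faulted</faultstring><detail>'
    '<psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">'
    '<psf:value>0x80048101</psf:value><psf:description><psf:lcid>1033</psf:lcid>'
    '<psf:text>The header in the soap request is invalid </psf:text></psf:description>'
    '<psf:internalerror><psf:code>0x80044024</psf:code>'
    '<psf:text>The client certificate is invalid.</psf:text></psf:internalerror>'
    '<psf:serverInfo>SQ2 2006.10.23.22.29.58</psf:serverInfo></psf:error>'
    '</detail></soap:Fault></soap:Body></soap:Envelope>')


def tag(ns, name):
    return "{%s}%s" % (ns, name)  # Clark notation used by ElementTree


def build_getslt_request(site_id, sign_in_name, login_seconds):
    """Serialize the GetSLT envelope for a PASSID_SIGNINNAME credential."""
    if not str(site_id).isdigit():
        raise ValueError("site ID must be the numeric ID issued to the school")
    if "@" not in sign_in_name:
        raise ValueError("sign-in name must be a Windows Live ID (e-mail form)")
    if login_seconds < 0:
        raise ValueError("LoginSeconds must be 0 (never expires) or positive")
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("s", HDR_NS)
    ET.register_namespace("t", TOKEN_NS)
    env = ET.Element(tag(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, tag(SOAP_NS, "Header"))
    ET.SubElement(header, tag(CRED_NS, "PPSoapHeader"))
    ws = ET.SubElement(header, tag(CRED_NS, "WSSecurityHeader"))
    ET.SubElement(ws, tag(CRED_NS, "version")).text = "eshHeader25"
    pp25 = ET.SubElement(ws, tag(CRED_NS, "ppSoapHeader25"))
    pp = ET.SubElement(pp25, tag(HDR_NS, "ppSoapHeader"), version="1.0")
    ET.SubElement(pp, tag(HDR_NS, "lcid")).text = "1033"
    ET.SubElement(pp, tag(HDR_NS, "authorizationLicence"))
    site = ET.SubElement(pp, tag(HDR_NS, "sitetoken"))
    ET.SubElement(site, tag(TOKEN_NS, "siteheader"), id=str(site_id))
    body = ET.SubElement(env, tag(SOAP_NS, "Body"))
    op = ET.SubElement(body, tag(CRED_NS, "GetSLT"))
    pid = ET.SubElement(op, tag(CRED_NS, "PassIDIn"))
    ET.SubElement(pid, tag(CRED_NS, "pit")).text = "PASSID_SIGNINNAME"
    ET.SubElement(pid, tag(CRED_NS, "bstrID")).text = sign_in_name
    ET.SubElement(op, tag(CRED_NS, "LoginSeconds")).text = str(login_seconds)
    return ET.tostring(env, encoding="unicode")


def request_fields(xml_text):
    """Read the security-relevant fields back out of a serialized request."""
    root = ET.fromstring(xml_text)
    op = root.find("%s/%s" % (tag(SOAP_NS, "Body"), tag(CRED_NS, "GetSLT")))
    pid = op.find(tag(CRED_NS, "PassIDIn"))
    return {
        "site_id": root.find(".//" + tag(TOKEN_NS, "siteheader")).get("id"),
        "pit": pid.findtext(tag(CRED_NS, "pit")),
        "bstrID": pid.findtext(tag(CRED_NS, "bstrID")),
        "login_seconds": int(op.findtext(tag(CRED_NS, "LoginSeconds"))),
    }


def parse_getslt_fault(xml_text):
    """Return a dict describing a SOAP fault, or None if the reply is not a fault."""
    root = ET.fromstring(xml_text)
    fault = root.find("%s/%s" % (tag(SOAP_NS, "Body"), tag(SOAP_NS, "Fault")))
    if fault is None:
        return None
    text = lambda node, path: (node.findtext(path) or "").strip()
    info = {"faultcode": text(fault, "faultcode"), "faultstring": text(fault, "faultstring"),
            "value": "", "description": "", "internal_code": "", "internal_text": ""}
    err = fault.find("detail/" + tag(FAULT_NS, "error"))
    if err is not None:
        info["value"] = text(err, tag(FAULT_NS, "value"))
        info["description"] = text(err, tag(FAULT_NS, "description") + "/" + tag(FAULT_NS, "text"))
        info["internal_code"] = text(err, tag(FAULT_NS, "internalerror") + "/" + tag(FAULT_NS, "code"))
        info["internal_text"] = text(err, tag(FAULT_NS, "internalerror") + "/" + tag(FAULT_NS, "text"))
    # The internal code is more specific than the outer value, so prefer it when present.
    info["known_as"] = KNOWN_CODES.get(info["internal_code"] or info["value"], "undocumented code")
    return info
```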
Common Error Codes
The following table lists possible errors for the GetSLT method.
Error code: Description
0x80045024: The specified user is not authorized to perform the requested operation. This occurs when SSL is not used when calling the API or if the calling site is not authorized. Please contact the Windows Live Commercial Partner Center to verify that your SSO permissions have been granted by using
Remarks
The GetSLT method call must go through mutual SSL authentication.
GetSLT Method Example
The following C# code example shows how to call the GetSLT method using a proxy class. Two
C# code files accompany this document, index.aspx.cs, part of which is shown as the following
code example and CredentialServiceAPISoapServer.cs, which contains the auto-generated proxy
class.
The serverURL value to call the GetSLT Method is the destination URL of this fwd link: http://go.microsoft.com/fwlink/?LinkId=168259
If you copy and reuse this code, you will need to make changes to match your environment.
    private static string GetSLT(string userName, string certString, int loginSeconds, string serverURL, string siteID)
    {
        string slt = string.Empty;
        bool certAvailable = certString.Length > 0; // source reads "certificateString", which is not a parameter
        if (userName.Equals(string.Empty) == true || certString.Equals(string.Empty) == true ||
            serverURL.Equals(string.Empty) == true || siteID.Equals(string.Empty) == true)
        {
            string message = string.Format("User Name:{0}; certificate successfully read: {1}; Login Seconds: {2}; Server URL {3}; Site ID: {4};",
                userName, certAvailable.ToString(), loginSeconds.ToString(), serverURL, siteID);
            throw new Exception(message);
        }
        try
        {
            // Creation of the credServer proxy (with the client certificate and serverURL) and of the
            // tagPASSID passID is on a page missing from this transcript.
            passID.bstrID = userName;
            // call GetSLT; note that the next line writes the SLT (a bearer credential) to the console
            slt = credServer.GetSLT(passID, loginSeconds);
            Console.WriteLine("SLT: " + slt);
        }
        catch (Exception ex)
        {
            throw new Exception(ex.Message);
        }
        return slt;
    }
Troubleshooting
This section provides common troubleshooting tips for any problems you might encounter.
Multiple Versions of .NET Framework Installed on Server
The Microsoft Live@Edu program requires the use of the .NET Framework 2.0. If you have
more than one version of the .NET Framework installed on your server, make sure your Web
Site is using the 2.0 version of the framework by viewing the Web Site properties in the Internet
Information Services Manager and selecting the ASP.NET tab.
You can optionally use the command line tool aspnet_regiis.exe to perform this action. For information on using the aspnet_regiis.exe tool, see http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx
Mutex could not be created
If you are customizing your solution using Microsoft’s Visual Studio 2005, during the debugging
process, you may encounter an error that reads “Mutex could not be created”. If this occurs,
follow these steps to solve the issue:
1. If you have Visual Studio 2005 open, close it.
2. Go to the ASP.NET temporary folder for v2.0 of the framework: <Windows dir>\Microsoft.NET\Framework\v2.0<release numbers>\Temporary ASP.NET Files.
3. Remove the folder for your web application (or all of them).
4. Reset IIS (on a command line window, iisreset).
5. Browse your page from Internet Explorer (http://localhost/your app).
Proxy server
If your server must go through a proxy to reach the Windows Live credential server, add the following code (System.Net namespace) to the GetSLT file before the GetSLT call, replacing yourproxyserver with your internal proxy server's host name or IP address:
WebProxy webproxyobject = new WebProxy("http://yourproxyserver:80", true);
credServer.Proxy = webproxyobject;
The proxy must tunnel the HTTPS connection (HTTP CONNECT) rather than terminate it: the mutual SSL authentication required by GetSLT depends on your client certificate being presented to the credential server itself, not to the proxy.
Verification of URLs
Configuration file web.config as well as some portions of the provided code contains reference
to certain Windows Live services.
You can determine the settings that apply to your environment by referencing web.config and the sample code with the online document:
https://nexus.passport.com/public/partner/partner4.xml
Windows Live Credential Server
Element <ServiceAPICredentialServer> contains Windows Live credential Service URL.
Windows Live "Login Server"
Element <Post> contains URL for posting your SLT request.
Appendix A – Installing and setting ACL assignments to a security certificate
Adjusting access control lists on security certificate
All "code behind" of an ASP.NET application/site executes under the credentials of the application pool assigned to run your site in IIS.
To ensure that the code can access the certificate store, you need to grant read permission on the certificate's private key to the account running your web application, and only to that account. This lets the
account read the installed security certificate from the store at runtime.
Windows HTTP Services Certificate Configuration Tool
To assign read rights to the correct account you will need the WinHttpCertCfg.exe tool from the Windows Server 2003 Resource Kit Tools, available from the Microsoft Download Center. The default installation paths are as follows:
x86: %programfiles%\Windows Resource Kits\Tools
x64: %programfiles(x86)%\Windows Resource Kits\Tools
Installing the security certificate
You can use the WinHttpCertCfg.exe program to install your certificate and assign the appropriate permissions in one step. To do this, use the
following command:
WinHttpCertCfg.exe -i "PFXFilePathHere" -c LOCAL_MACHINE\My -p "PasswordHere" -a "NetworkService"
Replace PFXFilePathHere with the path to your certificate file. If your certificate is not password protected, omit the -p switch and the password that follows it. NetworkService is the default application pool identity on IIS 6; if your application pool runs under a different account, name that account instead.
The .pfx file contains the private key, so remove it from the server (or restrict it to administrators) once the import has succeeded.
Adding ACL Assignments to an existing certificate
The full syntax of the tool can be displayed by running this tool from the command line without any switches.
This example shows the syntax that you use to assign read permission to a user account:
winhttpcertcfg.exe -g -a domain\user -c LOCAL_MACHINE\My -s sapipartner.com
Where:
-g: Grant read permission
-a: Account name
-c: Certificate Location
-s: Certificate "name"
Certificate Name
The name of the certificate is displayed in the "Issued To" column of the Certificates MMC snap-in. The figure below shows where the certificate
name is displayed. Please note that for most EDU partners, the certificate is issued to sapipartner.com. This is correct and should not be replaced
by your domain name.
Appendix B - Portal Web Site Configuration (IIS)
This section describes how to create and configure a Microsoft Internet Information Services (IIS) web site to be suitable for the provided kit/demo code.

Start IIS snap-in
Click "Start", select "Control Panel", select "Administrative Tools", then select "Internet Information Services (IIS) Manager".

Create Virtual Directory
Step 1 of 7: Expand "Web Sites" and select the web site in which to create the virtual directory (such as "Default Web Site").
Step 2 of 7: Click "Action", click "New", then click "Virtual Directory".
Step 3 of 7: Click "Next >".
Step 4 of 7: In the "Alias" text box, type the site's name, then click "Next >".
Step 5 of 7: In the "Path:" text box, type the path to the physical folder where you will copy the kit/demo files for the SSO web site, then click "Next >".
Step 6 of 7: Confirm that the "Read" check box is selected, then click "Next >".
Step 7 of 7: Click "Finish".

Application Creation
Step 1 of 2: Navigate to "Web Sites", select "Default Web Site", right-click "SSOPortal" (your virtual directory) and click "Properties".
Step 2 of 2: On the "Virtual Directory" tab, click the "Create" button and select "Scripts only" in the "Execute permissions" drop-down menu.

Windows Authentication
Step 1 of 1: Click the "Directory Security" tab, then click the "Edit" button in the "Authentication and access control" group. Make sure that the "Enable anonymous access" check box is NOT checked and that the "Integrated Windows authentication" check box is checked, then click OK. This is what gives the portal an authenticated Windows identity for each request; with anonymous access enabled, the portal cannot tell which local account is asking for a sign-in token.

Framework Verification
Step 1 of 1: Click the ASP.NET tab, ensure that .NET 2.0 is selected, then click OK.

Restarting IIS
Step 1 of 1: Click Start, click Run, type "IISRESET" in the "Open" text box, then click "OK".
Appendix C - Understanding the structure of the StudentLogins.xml file
Every "entry" node of the XML document represents a single user and references two accounts; one account in a local directory or on a local portal
and another account in the Windows Live "cloud".
Each "entry" node contains the following attributes:
windowsLiveID
Attribute containing the value of the Windows Live ID of a particular user
sAMAccountName
Attribute containing the value of the user's local network or local web portal account
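As an added example (not part of the kit or its sample code), the following C# loads a StudentLogins.xml of the shape described above into a dictionary and resolves the Windows Live ID for the identity IIS authenticated. Appendix C names the entry element and its two attributes; the root element name entries, the sample entries, and the class and method names StudentLogins, Load and Resolve are assumptions of this example.

```csharp
// Added example, not part of the Windows LiveID SSO Kit.
// Element "entry" and attributes "sAMAccountName"/"windowsLiveID" are from
// Appendix C; the root element "entries" and the sample data are assumed.
using System;
using System.Collections.Generic;
using System.Xml;

public static class StudentLogins
{
    // Constructed sample of the file format described in Appendix C.
    public const string SampleXml =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
        "<entries>\n" +
        "  <entry sAMAccountName=\"jdoe\" windowsLiveID=\"john.doe@msnuniversity.edu\" />\n" +
        "  <entry sAMAccountName=\"asmith\" windowsLiveID=\"a.smith@msnuniversity.edu\" />\n" +
        "</entries>\n";

    // Build the map once at application start. Fail loudly on malformed or
    // duplicate entries rather than let one Windows account resolve to two Live IDs.
    public static Dictionary<string, string> Load(string xml)
    {
        Dictionary<string, string> map =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;   // a mapping file needs no DTD or external entity resolution
        doc.LoadXml(xml);
        foreach (XmlNode node in doc.SelectNodes("//entry"))
        {
            XmlAttribute sam = node.Attributes["sAMAccountName"];
            XmlAttribute wlid = node.Attributes["windowsLiveID"];
            if (sam == null || wlid == null ||
                sam.Value.Trim().Length == 0 || wlid.Value.Trim().Length == 0)
                throw new FormatException("entry is missing sAMAccountName or windowsLiveID");
            string key = sam.Value.Trim();
            if (map.ContainsKey(key))
                throw new FormatException("duplicate sAMAccountName: " + key);
            map.Add(key, wlid.Value.Trim());
        }
        return map;
    }

    // Resolve the Windows Live ID for the account IIS authenticated. Pass the
    // identity from Integrated Windows authentication (for example
    // HttpContext.Current.User.Identity.Name), never a value taken from the
    // request, or any visitor could obtain a sign-in token for any Live ID.
    public static string Resolve(Dictionary<string, string> map, string authenticatedName)
    {
        if (string.IsNullOrEmpty(authenticatedName))
            throw new ArgumentException(
                "No authenticated Windows identity; check that anonymous access is disabled (Appendix B)");
        // Integrated Windows authentication yields DOMAIN\sAMAccountName;
        // the file keys on sAMAccountName alone.
        int slash = authenticatedName.LastIndexOf('\\');
        string sam = slash >= 0 ? authenticatedName.Substring(slash + 1) : authenticatedName;
        string wlid;
        if (!map.TryGetValue(sam, out wlid))
            return null;   // unmapped user: let the caller deny rather than guess sam@domain
        return wlid;
    }
}
```

With the sample above, Resolve(Load(StudentLogins.SampleXml), @"CAMPUS\jdoe") yields john.doe@msnuniversity.edu and an unmapped account yields null, which the portal should treat as "no SSO for this user" rather than falling back to the Scenario A rule of appending the public domain.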
Appendix D - WEB.CONFIG parameters
The Web.config XML file
The Windows Live e-mail integration portal requires the presence of a properly configured web.config XML file. The web.config file is used for the configuration of ASP.NET web applications. In this case it is used specifically for the web portal application.
The web.config file should be placed where the IIS application is installed; in this case it should be located in the web portal directory (for example,
C:\Inetpub\wwwroot\SSOportal). The format of the file may change in the future but all of the attributes/keys listed should remain the same.
The keys or attributes are used to alter the behavior and configuration of the web portal application. Most of these values are self explanatory and
once set should rarely change.
Syntax
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <!-- one <add key="..." value="..."/> element per parameter listed below -->
  </appSettings>
</configuration>
Scenario value
Change the value to match your scenario here.
Scenario value 1 refers to SSO Scenario A, where the Active Directory ID (AD) equals the user's Windows Live ID. See Scenario A Installation in this document for more information.
Scenario value 2 refers to SSO Scenario B, where the user's Windows Live ID is different from the user's internal network ID. See Scenario B: "Windows Live ID is different from internal network ID" in this document for more information.
Syntax
<add key = "scenario" value = "1"/>
serverURL
This attribute determines the URL/location of the Windows Live ID credential server. The URL should be obtained from your Microsoft
representative.
Syntax
<add key = "serverURL" value = "https://ppsacredential.service.passport.net/PPSACredential.srf" />
The document partner4.xml (https://nexus.passport.com/public/partner/partner4.xml) contains the current URL of the Windows Live Credential Server; use the value of its <ServiceAPICredentialServer/> tag.
siteID
Each enrolled domain receives a unique site ID that should be configured here.
Syntax
<add key = "siteID" value = "33333" />
loginSeconds
The number of seconds that have elapsed since the user typed the user name and password. Use a value of zero only for testing purposes; a zero value switches off login expiry.
Syntax
<add key = "loginSeconds" value = "0" />
certThumb
The Certificate Thumbprint value.
Syntax
<add key = "certThumb" value = "cf 60 95 68 3d 30 dd f8 f4 76 92 43 2a 72 bf 4a 3f d7 74 ab" />
domain
This is your public domain name used for Windows Live ID e-mail addresses, for example <username>@msnuniversity.edu, where msnuniversity.edu is the public domain name for MSN University.
Syntax
<add key = "domain" value = "msnuniversity.edu" />
Appendix E - Identifying Certificate's Thumbprint
This section describes how to locate the security certificate thumbprint. Certificate thumbprint is used by ASP.NET code to read the certificate
during runtime execution.
To open the Certificates MMC snap-in, run mmc.exe, click File, click Add/Remove Snap-in, add "Certificates" and choose "Computer account" (the certificate is installed in the local machine store).
To identify the certificate thumbprint, locate the installed
certificate in the appropriate certificate store (generally Local
Machine\Personal)
Open the certificate by double-clicking on it
Click the Details tab
Locate the "Thumbprint" entry (see illustration)
Copy the thumbprint from the details pane
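As an added example (not code from the kit), the following C# shows how the certThumb value from Appendix D and the thumbprint copied in this appendix are turned into a usable client certificate for the mutual SSL call to the credential server, and how to detect at startup the missing private-key permission that Appendix A fixes. It assumes the generated CredentialServiceAPISoapServer proxy derives from SoapHttpClientProtocol, as wsdl.exe-generated ASMX proxies do; the class and method names PartnerCertificate, NormalizeThumbprint, Load and AttachTo are this example's own.

```csharp
// Added example, not part of the Windows LiveID SSO Kit. Only .NET Framework
// types are used; PartnerCertificate and its methods are assumed names.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web.Services.Protocols;

public static class PartnerCertificate
{
    // Turn the value copied from the MMC "Thumbprint" field into the form
    // X509Store.Find expects: hex digits only, no spaces, and without the
    // invisible left-to-right mark (U+200E) that the certificate dialog can
    // place in front of the first digit when the value is copied.
    public static string NormalizeThumbprint(string raw)
    {
        if (raw == null) throw new ArgumentNullException("raw");
        StringBuilder sb = new StringBuilder(40);
        foreach (char c in raw)
        {
            if (Uri.IsHexDigit(c))
                sb.Append(char.ToUpperInvariant(c));
            else if (c == ' ' || c == '\t' || c == '\u200E')
                continue;   // layout characters only
            else
                throw new FormatException(
                    "certThumb contains a non-hex character: U+" + ((int)c).ToString("X4"));
        }
        if (sb.Length != 40)   // SHA-1 thumbprint: 20 bytes, 40 hex digits
            throw new FormatException("certThumb must be 40 hex digits, got " + sb.Length);
        return sb.ToString();
    }

    // Open LocalMachine\My, the store WinHttpCertCfg -c LOCAL_MACHINE\My installs into.
    public static X509Certificate2 Load(string certThumb)
    {
        string thumb = NormalizeThumbprint(certThumb);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: the partner certificate is selected by thumbprint, not by chain.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumb, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one certificate with thumbprint "
                    + thumb + " in LocalMachine\\My, found " + found.Count);
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate was installed without its private key (import the .pfx, not a .cer)");
            try
            {
                // Touching the key is what fails with "Keyset does not exist" when the
                // application pool account lacks read access on it (Appendix A).
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null) throw new InvalidOperationException("Private key is not readable");
            }
            catch (CryptographicException e)
            {
                throw new InvalidOperationException(
                    "Application pool account cannot read the private key; grant it with WinHttpCertCfg -g", e);
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Attach the certificate to an ASMX proxy (the generated CredentialServiceAPISoapServer
    // class) so the TLS handshake with the credential server is mutually authenticated.
    public static void AttachTo(SoapHttpClientProtocol proxy, string serverURL, string certThumb)
    {
        if (!serverURL.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException(
                "serverURL must use https; the client certificate is only presented over SSL");
        proxy.Url = serverURL;
        proxy.ClientCertificates.Add(Load(certThumb));
    }
}
```

Calling Load once in Application_Start, with the certThumb and serverURL values from web.config, surfaces a wrong thumbprint, a missing private key or a missing ACL at deployment time with a specific message, instead of as the generic 0x80045024 "not authorized" response from the credential server at the first user's sign-in.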