Windows LiveID SSO Kit (Official Documentation)

Single Sign-On Kit for Windows LiveID, Version 4.2

December 2009

Table of Contents

Overview
Prerequisites
    Recommended options
Working with this document
Solution Introduction
Key Terminology
Implementation Scenarios
    Scenario A: "Active Directory ID equals Windows Live ID"
    Scenario B: "Windows Live ID is different from internal network ID"
        Diagram walkthrough
    Scenario C: Third-party Web-Portal Platform (without IIS server presence)
        Diagram walkthrough
Installation Procedures
    Assumptions
Troubleshooting
    Multiple Versions of .NET Framework Installed on Server
    Mutex could not be created
    URL cannot be resolved
        Example
    Verification of URLs
        Windows Live Credential Server
        Windows Live "Login Server"
Appendix A – Installing and setting ACL assignments to a security certificate
    Adjusting access control lists on security certificate
    Windows HTTP Services Certificate Configuration Tool
    Installing the security certificate
    Adding ACL Assignments to an existing certificate
    Certificate Name
Appendix B - Portal Web Site Configuration (IIS)
Appendix C - Understanding the structure of the StudentLogins.xml file


Overview

This document describes the Windows Live ID one-way single sign-on (SSO) feature for managed namespaces of the Microsoft Live@Edu program. Enrolled organizations can use the provided code as a software development kit (SDK) to implement a single sign-on solution for an existing web portal.

You can customize this SDK solution so that the LiveID SSO solution pre-authenticates users and transfers them seamlessly to a Windows Live or Outlook Live mailbox from an internal web portal, without a secondary credential challenge from the Windows Live servers.

This document provides guidelines and several possible implementation scenarios for configuring an internal web portal that enables automatic login to hosted e-mail based on intranet portal credentials.

Prerequisites

The SSO SDK assumes that your organization has already enrolled in a hosted e-mail service that uses Live ID for authentication, such as Windows Live Mail or Outlook Live. Additionally, this SDK assumes that both an internal directory service account and a Windows Live account exist for every user who will use the SSO solution.

The server where you will implement this solution must meet the following prerequisites. Complete this configuration before you begin working with the SSO SDK:

• Windows Server 2003 or later is installed.
• .NET Framework 2.0 or later is installed. Microsoft .NET Framework 3.5 Service Pack 1 is available for download from Microsoft.

NOTE: Microsoft only supports IIS-based scenarios.


Working with this document

Due to the reference nature of this document, we recommend that you print it or open it in multiple windows to allow easier navigation between the appendices and the installation guide.

Solution Introduction

This SDK provides an open platform to create a custom single sign-on (SSO) solution that can be used to access Live@edu mailboxes from an internal web portal without a secondary credential challenge from Windows Live Services.

When implemented, this solution allows users to access a Windows Live or Outlook Live mailbox without typing additional user information or passwords, provided that the user has first been authenticated (identified) by the internal web portal.

Figure 1 illustrates the basic principle of operation for a single sign-on solution:

1.  A user is authenticated to an organization's internal web portal and presented with a "My Mailbox" button or link.
2.  Once the "My Mailbox" button or link is clicked, the internal web portal looks up the user's Windows Live ID in the internal directory service.
3.  A Simple Object Access Protocol (SOAP) request is issued to Windows Live Services.
4.  As a result, a link is returned to the user's Internet browser and the user is seamlessly transferred to their Windows Live or Outlook Live mailbox.

Figure 1


This document provides guidance for implementing an SSO solution for three common scenarios. You can customize the example code included in this SDK to implement a solution based on your organization's particular needs.

Key Terminology

Certificate or digital certificate
A certificate is a digital document that binds a public key to the identity of an entity. It is used to verify that identity and to protect (encrypt) the data exchanged with it.

Directory services and Active Directory
A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory®, provides the methods for storing directory data and making this data available to network users and administrators. For example, Active Directory stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Epoch format
Epoch format expresses the current time as the number of seconds elapsed since midnight, January 1st, 1970. For example, a date and time such as 09/11/2008 07:30:22 is displayed as a single integer.

Microsoft Identity Integration Server (MIIS)
Microsoft Identity Integration Server (MIIS) 2003 is a centralized service that stores and integrates identity information for organizations with multiple directories. The goal of MIIS 2003 is to provide organizations with a unified view of all known identity information about users, applications, and network resources.

Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is a protocol that provides secure communications on the Internet. This protocol enables communications privacy for web browsing, e-mail, and other data transfers.

Short Lived Token (SLT)
A Short Lived Token (SLT) is a string issued by the Windows Live ID SOAP Service that can be used by the web portal, instead of credentials (username and password), to authenticate a user to the Windows Live ID service. This SDK contains the GetSLT function (C#), which can be customized for specific needs. For more information, see GetSLT Method in the Developer Reference section of this document.

Simple Object Access Protocol (SOAP)
SOAP (Simple Object Access Protocol) is a protocol for exchanging XML-based messages over a computer network.

Third-party platforms or technologies
Third-party platforms or technologies refer to non-Microsoft technologies.

User's Network ID
A User Network ID is a unique ID issued to a user by the organization's directory service (for example, Active Directory™, eDirectory™, SunOne™, etc.) and/or a unique ID used by a person to authenticate to a school's intranet web portal.

Web portal
Web portal refers to a web server serving as an intranet portal and capable of authentication and authorization against a local directory service.

Web.config file
The web.config XML file defines the configuration of your SSO application. The web.config XML file must be customized for your environment.

Windows Live ID
A Windows Live ID is a unique ID issued to a user by Windows Live Services for authentication and authorization. It is in the format of an e-mail address.


Implementation Scenarios

This SDK provides methods for implementing a single sign-on (SSO) solution to meet the requirements of three different scenarios. Review the scenarios and select the method that aligns most closely with your infrastructure. In each scenario an SLT is retrieved from the Windows Live ID Service and used to silently authenticate the user.

The following solutions are included in this document:

• Scenario A: Active Directory ID equals Windows Live ID. Follow the procedures related to this scenario if the user name in Active Directory is the same as the Windows Live user name. To achieve this scenario, the administrator can use ILM to provision the user accounts, or can export account information from Active Directory to a CSV file and then use bulk user management tools to import the CSV file to Windows Live. Outlook Live uses Windows PowerShell remoting for bulk user management.

• Scenario B: Windows Live ID is different from internal network ID. Follow the procedures related to this scenario if the user name in the internal directory service is not the same as the Windows Live ID.

• Scenario C: Third-Party Web portal platform (without Internet Information Services server presence). In this scenario, a third-party platform is used to host the organization's web portal. This SDK provides guidelines for developing custom code to communicate with Windows Live Services.


Scenario A: "Active Directory ID equals Windows Live ID"

This scenario assumes that your organization is using Active Directory to authenticate users to an internal web portal hosted by Internet Information Server (IIS), and that the user's ID (sAMAccountName) in Active Directory equals the username portion of the user's Windows Live ID. For example: john.smith@myuniversity.edu.

Figure 2: Scenario A authentication flow. Participants: Student's PC with browser, University web-portal server, Windows Live ID SOAP Service, Windows Live ID Login Service. Labelled arrows: (1) authenticates to portal, (2) HTTP with link to e-mail, (3) click the link, (4) SOAP call (SSL), (5) SLT, (6) redirection with SLT, (7) redirection with SLT, (8) redirection with ticket for service provider, (9) redirection with ticket, (10) redirection to the mailbox.

Attention: If you delete a user from your local directory you must also de-provision the Live ID in your account management solution to evict this member from your namespace.


Diagram walkthrough

1.  The user is authenticated to the internal web portal against Active Directory.
2.  The web portal returns an HTML page containing a link or a button to the user's mailbox.
3.  The authenticated user clicks the link or button and a request is sent to the web portal server.
4.  The web portal server reads the pre-installed certificate and issues a SOAP call over SSL to the Windows Live ID SOAP Service, requesting a short-lived token (SLT) for the user's Windows Live ID (the sAMAccountName followed by the school's domain) by using the GetSLT method.
5.  An SLT is received by the web portal server over SSL.
6.  The web portal server converts the SLT into a URL. Example:

https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&ct={0}&wp={1}&wreply=http{2}&lc=1033&id={3}&slt={4}

The variables represented by integers 0 through 4 are replaced with the following data:

0: Current time in epoch format
1: Destination AuthPolicy
2: Destination URL (URL encoded)
3: Destination site ID
4: SLT token

7.  The client's browser is redirected to the URL generated in Step 6.
8.  The Windows Live ID Login Service issues a ticket for the requested service (Mail).
9.  The client browser is redirected to the Windows Live Mail or Outlook Live service with the ticket provided in step 8 as POST data.
10. The Windows Live Mail or Outlook Live service displays the user's inbox.

To implement Scenario A, please see Scenario A Installation in this document.
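The sign-in name derivation in step 4 and the URL construction in step 6, worked through in Python as an added example; this is not code from the kit, whose sample is C#. It assumes the sAMAccountName comes from the portal's own authenticated session and that the namespace domain is the configured web.config domain value. It reads "wreply=http{2}" as the literal "http" followed by the URL-encoded remainder of the destination URL, which the kit does not spell out; the site ID 33333, the AuthPolicy placeholder and the SLT string used below are constructed values.

```python
"""Scenario A helpers: derive the Windows Live ID from the authenticated
sAMAccountName and build the login.live.com redirect URL that carries the SLT.
Added example, not part of the Windows LiveID SSO Kit."""
import re
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_SERVER = "https://login.live.com/ppsecure/post.srf"

# Characters Active Directory forbids in sAMAccountName, plus '@'. If any of
# them reached the sign-in name, a portal login could address a different
# Windows Live ID than the one the portal actually authenticated.
_SAM_FORBIDDEN = re.compile(r'[\s"\[\]:;|=,+*?<>/\\@]')
_DOMAIN_OK = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def build_signin_name(sam_account_name: str, domain: str) -> str:
    """Windows Live ID for Scenario A: <sAMAccountName>@<school public domain>.

    Fails closed: the account name must be a plain AD name (at most 20 chars,
    none of the forbidden characters) and the domain must be a valid DNS name.
    """
    if not sam_account_name or len(sam_account_name) > 20:
        raise ValueError("invalid sAMAccountName")
    if _SAM_FORBIDDEN.search(sam_account_name):
        raise ValueError("sAMAccountName contains characters not allowed in a sign-in name")
    domain = domain.strip().lower()
    if not _DOMAIN_OK.match(domain):
        raise ValueError("invalid namespace domain")
    return f"{sam_account_name.lower()}@{domain}"


def build_redirect_url(slt: str, destination: str, auth_policy: str, site_id: str,
                       now: Optional[int] = None) -> str:
    """Step 6: turn the SLT into the Windows Live ID Login Service URL.

    Template from the kit:
      .../post.srf?wa=wsignin1.0&ct={0}&wp={1}&wreply=http{2}&lc=1033&id={3}&slt={4}
    Reading of 'wreply=http{2}' (an assumption; the kit does not spell it out):
    the literal 'http' is emitted as is and {2} is the rest of the destination
    URL ('s://host/...' or '://host/...'), URL-encoded, so both schemes fit.
    """
    if not slt:
        raise ValueError("empty SLT")
    if not destination.startswith(("http://", "https://")):
        raise ValueError("destination must be an absolute http(s) URL")
    if not site_id.isdigit():
        raise ValueError("site ID must be numeric")
    ct = int(time.time()) if now is None else int(now)  # {0}: epoch seconds
    return (f"{LOGIN_SERVER}?wa=wsignin1.0"
            f"&ct={ct}"
            f"&wp={quote(auth_policy, safe='')}"
            f"&wreply=http{quote(destination[len('http'):], safe='')}"
            f"&lc=1033"
            f"&id={quote(site_id, safe='')}"
            f"&slt={quote(slt, safe='')}")


def redirect_params(url: str) -> dict:
    """Decode the query string back to single values (used to check the URL)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

The generated URL carries a bearer credential: build it at click time, return it to the browser over HTTPS only, and keep it out of web-server and application logs, as you would the SLT returned by the SOAP call itself.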


Scenario B: "Windows Live ID is different from internal network ID"

This scenario assumes that a student's internal login ID at the university does not equal their Windows LiveID. A directory such as Microsoft ADAM, Novell's eDirectory or Sun's SunOne Directory, a relational database, or any structured directory or file data repository may be used for internal directory services. Microsoft IIS may or may not be used as the host server for the internal web portal. The authentication process for this scenario is illustrated in Figure 4, below.

In the "Windows Live ID is different from Internal ID" scenario, you will need to establish a mechanism to look up the Windows LiveID in some sort of directory or database. In the provided example, an XML file/dictionary is used as the "look-up directory" for illustration purposes. You can use any other data source, such as Active Directory, ADAM, any LDAP or SQL data source, to look up user information.

You could extend Active Directory with an additional attribute to contain the Windows Live ID, or reuse any of the existing attributes and store the user's Windows Live ID in it. Thereafter, this scenario could be applied to look up a value for a Windows Live ID in Active Directory rather than in a third-party directory or a file.

As shown in Figure 3, user John Smith has an account in AD. His Network ID is jsmith. John's record exists in the XML directory. The XML dictionary contains a pair of attributes: "WindowsLiveID", containing John's Windows Live ID, and "sAMAccountName", containing John's Active Directory network ID.

Attention: If you delete a user from your local directory you must also de-provision the Live ID in your account management solution to evict this member from your namespace.


The portal site queries the XML dictionary for John's Active Directory ID and retrieves the corresponding Windows Live ID belonging to the user. The retrieved Windows Live ID is then used to reach John's mailbox hosted on Windows Live. Figure 4 illustrates the authentication process for this scenario.

Figure 4: Scenario B authentication flow. Participants: Student's PC with browser, University web-portal server, University directory (maps Internal Portal ID to Windows LiveID), Windows Live ID SOAP Service, Windows Live ID Login Service. Labelled arrows: (1) authenticates to portal, (2) HTTP with link to e-mail, (3) click the link, (4)-(5) directory look-up of the Windows LiveID, (6) SOAP call (SSL), (7) SLT, (8) redirection with SLT, (9) redirection with SLT, (10) redirection with ticket for service provider, (11) redirection with ticket.


Diagram walkthrough

1.  The user is authenticated to the internal web portal with their internal network ID.
2.  The web portal returns an HTML page containing a link or a button to the user's mailbox.
3.  The authenticated user clicks the link or button and a request is sent to the web portal server.
4.  The web portal server queries the look-up directory (the StudentLogins.xml dictionary in the provided example) with the user's internal network ID.
5.  The look-up directory returns the corresponding Windows Live ID.
6.  The internal web portal server passes the Windows Live ID, along with the pre-installed certificate (provided to the university by Microsoft), to the Windows Live™ ID SOAP (Simple Object Access Protocol) Service, requesting a short-lived token (SLT) by using the GetSLT method (provided with this SDK) over SSL.
7.  An SLT is received by the internal web portal server over SSL.
8.  The internal web portal server converts the SLT into a URL. Example:

https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&ct={0}&wp={1}&wreply=http{2}&lc=1033&id={3}&slt={4}

9.  The client's browser is redirected to the URL generated in Step 8.
10. The Windows Live ID Login Service issues a ticket for the requested service (Mail).
11. The client browser is redirected to the Windows Live Mail or Outlook Live service with the ticket provided in step 10 as POST data.
12. The Windows Live Mail or Outlook Live service displays the user's inbox.

To deploy this solution, please see Scenario B Installation in this document.
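A fail-closed version of the look-up in steps 4 and 5, added here as a Python example; the kit's own sample is C# and reads StudentLogins.xml through ASP.NET. The two record attributes, sAMAccountName and WindowsLiveID, are the ones the text names. The enclosing element names and the sample records are constructed, since the real layout is documented in the appendix on StudentLogins.xml rather than on this page.

```python
"""Scenario B look-up: resolve the authenticated internal login ID to the
student's Windows Live ID from an XML dictionary, refusing anything ambiguous.
Added example, not part of the Windows LiveID SSO Kit."""
import xml.etree.ElementTree as ET
from typing import Dict


class SsoLookupError(Exception):
    """Raised when the look-up cannot produce exactly one trustworthy Live ID."""


# Constructed sample in the shape the kit describes (two attributes per record:
# "sAMAccountName" and "WindowsLiveID"). The element names <StudentLogins> and
# <Student> are assumed; the kit's appendix documents the real layout.
SAMPLE_STUDENT_LOGINS = """<?xml version="1.0" encoding="utf-8"?>
<StudentLogins>
  <Student sAMAccountName="jsmith" WindowsLiveID="john.smith@myuniversity.edu" />
  <Student sAMAccountName="mjones" WindowsLiveID="mary.jones@myuniversity.edu" />
</StudentLogins>
"""

# Same file with two records that collide once case is ignored, and one Live ID
# outside the school's namespace. Both conditions must be rejected at load time.
SAMPLE_BAD_STUDENT_LOGINS = """<?xml version="1.0" encoding="utf-8"?>
<StudentLogins>
  <Student sAMAccountName="jsmith" WindowsLiveID="john.smith@myuniversity.edu" />
  <Student sAMAccountName="JSMITH" WindowsLiveID="someone.else@myuniversity.edu" />
  <Student sAMAccountName="pat" WindowsLiveID="pat@hotmail.example" />
</StudentLogins>
"""


def load_student_logins(xml_text: str, namespace_domain: str) -> Dict[str, str]:
    """Build the look-up table once at startup, validating every record.

    sAMAccountName is case-insensitive in Active Directory, so keys are
    lowercased and a case-only duplicate is an error: otherwise whichever record
    happened to be listed last would decide whose mailbox "jsmith" opens.
    Every Live ID must end in the managed namespace domain, because an SLT is
    only ever requested for members of that namespace.
    """
    suffix = "@" + namespace_domain.strip().lower()
    table: Dict[str, str] = {}
    # The file is administrator-controlled and read from the portal's own
    # App_Data folder; for XML from untrusted sources use defusedxml instead.
    root = ET.fromstring(xml_text)
    for rec in root.iter():
        sam = rec.get("sAMAccountName")
        live_id = rec.get("WindowsLiveID")
        if sam is None and live_id is None:
            continue  # container element, not a record
        if not sam or not live_id:
            raise SsoLookupError(f"incomplete record: {rec.attrib}")
        key = sam.strip().lower()
        live_id = live_id.strip().lower()
        if not live_id.endswith(suffix) or live_id.count("@") != 1:
            raise SsoLookupError(f"{live_id!r} is outside the {namespace_domain} namespace")
        if key in table:
            raise SsoLookupError(f"duplicate sAMAccountName {sam!r} (case-insensitive)")
        table[key] = live_id
    return table


def resolve_live_id(table: Dict[str, str], authenticated_sam: str) -> str:
    """Map the portal-authenticated login ID to the Windows Live ID handed to
    GetSLT. Fails closed: no record means no SSO, never a guessed address."""
    live_id = table.get(authenticated_sam.strip().lower())
    if live_id is None:
        raise SsoLookupError(f"no Windows Live ID on file for {authenticated_sam!r}")
    return live_id
```

Load the table when the application starts and reload it only when the file changes; validating at load time means a bad edit to StudentLogins.xml stops the portal from issuing any SLT rather than silently issuing one for the wrong student.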

NOTE: Although this current SDK provides an example of an LDAP query toward Active Directory (AD) or Active Directory Application Mode (ADAM), an organization can develop custom code to call any other LDAP provider to resolve the internal login ID to the Windows LiveID. You can use any


Scenario C: Third-party Web-Portal Platform (without IIS server presence)

In this scenario, a non-Microsoft web server is used as the only web portal server in the infrastructure. The third-party web portal server identifies a user and makes SOAP calls to Microsoft Live Services independently.

The provided code (C#.NET) cannot be used in this scenario, but it can serve as a guideline for internal developers to write custom code, native to their web portal server, that makes all calls to Microsoft Windows Live Services. Please refer to Figure 5 below for a conceptual overview of this type of implementation.

Figure 5: Scenario C conceptual overview. Labelled arrows: (1) authenticates to portal, (2) HTTP with link to e-mail, (4) SOAP call (SSL), (5) SLT. Callout: custom code must be written by the university to make all interactions with the client and make SOAP calls to the Windows Live infrastructure.

NOTE: Microsoft only supports IIS-based scenarios.


Diagram walkthrough

1.  The user is authenticated to the third-party web portal.
2.  The web portal provides the student with an HTML page containing a link or a button to their mailbox.
3.  An authenticated user clicks the provided link or button and a request is sent to the third-party web server.
4.  The web portal executes custom code to read the certificate and makes a SOAP call to the Windows Live Service to receive a Short Lived Token (SLT).
5.  An SLT is received by the web portal.
6.  A link with the SLT is returned to the user's web browser.
7.  The user is redirected to the Windows Live ID Login Service.
8.  A token is issued and a redirection is returned to the user's browser.
9.  The user is redirected to the appropriate service (the mail server in this example) with a valid token attached.
10. The Windows Live Mail or Outlook Live service displays the user's inbox.

Attention: If you delete a user from your local directory you must also de-provision the Live ID in your account management solution to evict this member from your namespace.


Installation Procedures

The following steps need to be performed on the internal web portal for proper integration of the Windows Live ID e-mail login portal.

Assumptions

• A security certificate has been properly issued by Microsoft to your institution.
• The administrator has sufficient rights to install new software packages and modify the configuration of the server.
• The administrator understands the concept of Windows Live ID web SSO.
• The appropriate scenario has been selected and understood.


Scenario A Installation

In this scenario, a student's Active Directory ID (the value of AD's sAMAccountName attribute) equals their Windows Live ID. Configure the web portal using the following steps.

1.  Import the provided security certificate into the LocalComputer\Personal store. Follow the procedure in Appendix A - Security Certificate Installation.
2.  Copy the demo-site files to the created web-site root directory (for example, "C:\inetpub\wwwroot\SSOPortal").
3.  Create and configure a web site for your SSO Portal in IIS. Follow the procedures in Appendix B - Portal Web Site Configuration (IIS).
4.  Modify the access control list (ACL) for the previously installed certificate. Grant read access to the account running the "Application Pool" (Network Service by default) of your SSO site with the winhttpcertcfg.exe utility. Follow the procedures in Appendix C - ACL assignments to a security certificate.
5.  Adjust the configuration file variables as indicated below. For more information see Appendix E - WEB.CONFIG parameters:
    a.  Thumbprint. See Appendix F - Identifying Certificate's Thumbprint for more details about retrieving the certificate thumbprint.
    b.  Scenario. Set the value to "A" to reflect this scenario.
    c.  loginSeconds, to the desired time, measured in seconds.
    d.  domain, to match your school's public domain name.
    e.  siteID, to match the siteID issued to your school.

ATTENTION: The Network Service account (or the account that is running the IIS application pool for your web application) must have read access to the certificate installed in the certificate store. Please refer to "Appendix C - ACL assignments to a security certificate".

LoginSeconds is the number of seconds since the user typed the username and password. A value of "0" means that the issued SLT never expires. It is recommended that you only use a zero value for testing purposes. Adjust the value dependent upon your network connectivity speed and the performance


Scenario B Installation

In this scenario, the Windows Live ID is different from the internal network ID. Configure the web portal using the following steps.

1.  Import the provided security certificate into the LocalComputer\Personal store. Perform the procedure in Appendix A - Security Certificate Installation.
2.  Copy the demo-site files into the created web-site root directory (for example, "C:\inetpub\wwwroot\SSOPortal").
3.  Create and configure a web site for your SSO Portal on the IIS server. See Appendix B - Portal Web Site Configuration (IIS).
4.  Modify the access control list (ACL) for the previously installed certificate. Grant read access to the account running the "Application Pool" (Network Service by default) of your SSO site. See Appendix C - ACL assignments to a security certificate.
5.  Modify the "..\App_Data\StudentLogins.XML" file to include at least one user ID on the local network and the corresponding Windows Live ID for the same user. For more information refer to Appendix D - Understanding the structure of the StudentLogins.xml file.
6.  Adjust the configuration file variables. See Appendix E - WEB.CONFIG parameters for more information:
    a.  Thumbprint. See Appendix F - Identifying Certificate's Thumbprint for more details about retrieving the certificate's thumbprint.
    b.  Scenario. Set the value to "B" to reflect this scenario.
    c.  loginSeconds, to the desired time, measured in seconds.
    d.  domain, to match your school's public domain name.
    e.  siteID, to match the siteID issued to your school.
7.  Review the configuration file variables:


Developer Reference

Methods Details

GetSLT Method

You can use the GetSLT method to retrieve a short-lived token (SLT) (see the definition in the Key Terminology section): a credential package for an authenticated namespace user that can be sent to the Windows Live ID login server in order to obtain a Windows Live service ticket. The service ticket can then be used to access a Windows Live service, like Windows Live Mail or Outlook Live, on behalf of the authenticated user without the user having to re-enter his or her password.

The GetSLT method call must go through mutual Secure Sockets Layer (SSL) authentication.

Syntax:

public void GetSLT(tagPASSID PassIDIn, uint loginSeconds, out string pbstrSLT);

Parameters

PassIDIn

The tagPASSID element type is used to uniquely identify a credential. You can use the PASSIDTYPE element type to specify the type of a tagPASSID element and so determine the information that must be included in the tagPASSID element that contains it.

<PASSIDTYPE>...</PASSIDTYPE>

Note: This token gives the client access to that member's/student's Live ID service. Avoid implementing any custom code that might provide this token to another user.


PASSID_PPSACREDENTIALID
The bstrID element of the tagPASSID should contain the CredentialID element that identifies a credential. For more details, see CredentialID XML Block.

PASSID_PUID_SIGNINNAME
The bstrID element of the tagPASSID should contain a PID XML block, as displayed in the following example, which contains the 16-digit hexadecimal NetID and the sign-in name of the credential that is being identified.

<PID>
  <PUID>00037FFE80642602</PUID>
  <SIGNINNAME>[email protected]</SIGNINNAME>
</PID>

Remarks

The format of this element is defined in the Credential Server WSDL file as the type PASSIDTYPE. The name of the element of this type in Credential Server SOAP requests, however, is pit. The following code example shows a tagPASSID that contains a PASSIDTYPE element.

<tagPASSID>
  <pit>PASSID_SIGNINNAME</pit>
  <bstrID>[email protected]</bstrID>
</tagPASSID>


SOAP Request

The following XML code example shows a GetSLT request envelope.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <PPSoapHeader xmlns="http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1" />
    <WSSecurityHeader xmlns="http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1">
      <version>eshHeader25</version>
      <ppSoapHeader25>
        <s:ppSoapHeader xmlns:s="http://schemas.microsoft.com/Passport/SoapServices/SoapHeader" version="1.0">
          <s:lcid>1033</s:lcid>
          <s:authorizationLicence></s:authorizationLicence>
          <s:sitetoken>
            <t:siteheader xmlns:t="http://schemas.microsoft.com/Passport/SiteToken" id="33333" />
          </s:sitetoken>
        </s:ppSoapHeader>
      </ppSoapHeader25>
    </WSSecurityHeader>
  </soap:Header>
  <soap:Body>
    <GetSLT xmlns="http://schemas.microsoft.com/Passport/SoapServices/CredentialServiceAPI/V1">
      <PassIDIn>
        <pit>PASSID_SIGNINNAME</pit>
        <bstrID>[email protected]</bstrID>
      </PassIDIn>
      <LoginSeconds>0</LoginSeconds>
    </GetSLT>
  </soap:Body>
</soap:Envelope>


SOAP Fault Response

The following XML code example shows a fault response that is returned from the request.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>SOAP:Server</faultcode>
      <faultstring>SOAP Server Application Faulted</faultstring>
      <detail>
        <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
          <psf:value>0x80048101</psf:value>
          <psf:description>
            <psf:lcid>1033</psf:lcid>
            <psf:text>The header in the soap request is invalid </psf:text>
          </psf:description>
          <psf:internalerror>
            <psf:code>0x80044024</psf:code>
            <psf:text>The client certificate is invalid.</psf:text>
          </psf:internalerror>
          <psf:serverInfo>SQ2 2006.10.23.22.29.58</psf:serverInfo>
        </psf:error>
      </detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

Common Error Codes

The following table lists possible errors for the GetSLT method.

Error code: Description

0x80045024: The specified user is not authorized to perform the requested operation. This occurs when SSL is not used when calling the API or if the calling site is not authorized. Please contact the Windows Live Commercial Partner Center to verify that your SSO permissions have been granted by using


Remarks

The GetSLT method call must go through mutual SSL authentication.

GetSLT Method Example

The following C# code example shows how to call the GetSLT method using a proxy class. Two

C# code files accompany this document, index.aspx.cs, part of which is shown as the following

code example and CredentialServiceAPISoapServer.cs, which contains the auto-generated proxy

class.

The serverURL value to call the GetSLT Method is the destination url of this fwd link:http://go.microsoft.com/fwlink/?LinkId=168259 

If you copy and reuse this code, you will need to make changes to match your environment.

private static string GetSLT(string userName, string certString, int loginSeconds, string serverURL, string siteID)
{
    string slt = string.Empty;
    // Whether a certificate string was read; reported in the diagnostic message below.
    bool certAvailable = certString.Length > 0;
    // Every parameter except loginSeconds is mandatory.
    if (userName.Equals(string.Empty) == true ||
        certString.Equals(string.Empty) == true ||
        serverURL.Equals(string.Empty) == true ||
        siteID.Equals(string.Empty) == true)
    {
        string message = string.Format("User Name:{0}; certificate successfully read: {1}; Login Seconds: {2}; Server URL {3}; Site ID: {4};",
            userName, certAvailable.ToString(), loginSeconds.ToString(), serverURL, siteID);
        throw new Exception(message);
    }
    try
    {
        // The lines that construct the credServer proxy (from serverURL and certString) and
        // the passID object fall on a page that is missing from this copy of the document.
        passID.bstrID = userName;
        // call GetSLT
        slt = credServer.GetSLT(passID, loginSeconds);
        Console.WriteLine("SLT: " + slt);
    }
    catch (Exception ex)
    {
        throw new Exception(ex.Message);
    }
    return slt;
}
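The catch block above rethrows only ex.Message, so the psf:internalerror code that names the real cause (in the fault shown earlier, "The client certificate is invalid." behind a generic "header is invalid") is lost. The following helper is an added example, not code from the kit's index.aspx.cs: it reads the psf:error detail of a GetSLT SOAP fault and maps the codes this document lists; it needs a reference to System.Web.Services for SoapException, and the sample fault in Main is constructed from the one shown on this page.

```csharp
using System;
using System.Xml;
using System.Web.Services.Protocols;
// Added example, not part of the SSO Kit: report a GetSLT SOAP fault with the outer psf:value and the inner psf:internalerror code.
public static class GetSltFaultReport
{
    const string PsfNs = "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault";
    // Meanings documented on this page (error code table and the sample fault above).
    static string Describe(string code)
    {
        switch (code.Trim().ToLowerInvariant())
        {
            case "0x80045024": return "caller not authorized (SSL not used, or the site is not authorized for SSO)";
            case "0x80048101": return "SOAP header invalid; the internal error gives the real cause";
            case "0x80044024": return "client certificate invalid; check the certThumb key and the key ACL (Appendix A)";
            default: return "code not listed in this document";
        }
    }
    // 'detail' is any node that contains the <psf:error> element, such as SoapException.Detail.
    public static string Summarize(XmlNode detail)
    {
        XmlDocument doc = detail as XmlDocument ?? detail.OwnerDocument;
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("psf", PsfNs);
        XmlNode outer = detail.SelectSingleNode(".//psf:error/psf:value", ns);
        if (outer == null) return "SOAP fault without a psf:error detail";
        string report = "GetSLT fault " + outer.InnerText + ": " + Describe(outer.InnerText);
        XmlNode inner = detail.SelectSingleNode(".//psf:error/psf:internalerror/psf:code", ns);
        XmlNode text = detail.SelectSingleNode(".//psf:error/psf:internalerror/psf:text", ns);
        if (inner != null)
            report += "; internal " + inner.InnerText + ": " + Describe(inner.InnerText)
                    + (text != null ? " (" + text.InnerText.Trim() + ")" : "");
        return report;
    }
    // Call this from the catch block of the kit's GetSLT helper instead of rethrowing ex.Message.
    public static string Summarize(SoapException ex) { return ex.Detail == null ? ex.Message : Summarize(ex.Detail); }
    // Stand-alone check against a fault constructed from the one shown in this document.
    public static void Main()
    {
        const string sample = "<detail xmlns:psf=\"" + PsfNs + "\"><psf:error><psf:value>0x80048101</psf:value>"
            + "<psf:internalerror><psf:code>0x80044024</psf:code><psf:text>The client certificate is invalid.</psf:text>"
            + "</psf:internalerror></psf:error></detail>";
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(sample);
        Console.WriteLine(Summarize(doc.DocumentElement));
    }
}
```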


Troubleshooting

This section provides common troubleshooting tips for any problems you might encounter.

Multiple Versions of .NET Framework Installed on Server

The Microsoft Live@Edu program requires the use of the .NET Framework 2.0. If you have

more than one version of the .NET Framework installed on your server, make sure your Web

Site is using the 2.0 version of the framework by viewing the Web Site properties in the Internet

Information Services Manager and selecting the ASP.NET tab.

You can optionally use the command line tool aspnet_regiis.exe to perform this action. For information on using the aspnet_regiis.exe tool, see http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx

Mutex could not be created

If you are customizing your solution using Microsoft's Visual Studio 2005, you may encounter an error during debugging that reads "Mutex could not be created". If this occurs, follow these steps to solve the issue:

1. If you have Visual Studio 2005 open, close it.
2. Go to the ASP.NET temporary folder for v2.0 of the framework: <Windows dir>\Microsoft.Net\Framework\v2.0<release numbers>\Temporary ASPNET pages.
3. Remove the folder for your web application (or all of them).
4. Reset IIS (in a command line window, run iisreset).
5. Browse your page from Internet Explorer (http://localhost/your app).


* where 0.0.0.0 is your internal proxy server IP address

If you need a proxy server, you should add the following code to the GetSLT file:

WebProxy webproxyobject = new WebProxy("http://yourproxyserver:80", true);
credServer.Proxy = webproxyobject;

Verification of URLs

The configuration file web.config, as well as some portions of the provided code, contains references to certain Windows Live services.

You can determine the settings that apply to your environment by comparing web.config and the sample code against the online document:

https://nexus.passport.com/public/partner/partner4.xml

Windows Live Credential Server

Element <ServiceAPICredentialServer> contains Windows Live credential Service URL.

Windows Live "Login Server"

Element <Post> contains URL for posting your SLT request.

Appendix A - Installing and setting ACL assignments to a security certificate

Adjusting access control lists on a security certificate

All "code behind" of the ASP.NET application/site will be executed under the user credentials of the Application Pool assigned to run your site on IIS.

To ensure that the code can access the certificate store, you need to assign read permission to the account running your web application. This will let the account read the installed security certificate from the store at runtime.

Windows HTTP Services Certificate Configuration Tool

To assign read rights to the correct account you will need to download the Windows Server SDK tool WinHttpCertCfg.exe. It is available from the Microsoft Download Center. The default installation paths are as follows:

- x86: %programfiles%\Windows Resource Kits\tools
- x64: %programfiles(x86)%\Windows Resource Kits\tools

Installing the security certificate

You can use the WinHttpCertCfg.exe program to install your certificate and assign the appropriate permissions in one step. To do this, use the following command:

WinHttpCertCfg.exe -i "PFXFilePathHere" -c LOCAL_MACHINE\My -p "PasswordHere" -a "NetworkService"

Replace PFXFilePathHere with the path to the location of your certificate. If your certificate is not password protected, omit the -p switch and the password that follows it.

Adding ACL Assignments to an existing certificate

The full syntax of the tool can be displayed by running it from the command line without any switches.

This example shows the syntax that you use to assign read permission to a user account:

winhttpcertcfg.exe -g -a domain\user -c LOCAL_MACHINE\My -s sapipartner.com

Where:


-g: Grant read permission

-a: Account name

-c: Certificate Location

-s: Certificate "name"

Certificate Name

The name of the certificate is displayed in the "Issued To" column of the Certificates MMC snap-in. The figure below shows where the certificate

name is displayed. Please note that for most EDU partners, the certificate is issued to sapipartner.com. This is correct and should not be replaced

by your domain name.

Appendix B - Portal Web Site Configuration (IIS)

This section describes how to create and configure a Microsoft Internet Information Services (IIS) web site to be suitable for the provided kit/demo code.

Task: Start IIS snap-in
How to:
  1. Click "Start"
  2. Select "Control Panel"
  3. Select "Administrative Tools"
  4. Select "Internet Information Services (IIS) Manager"

Task: Create Virtual Directory, Step 1 of 7
How to:
  1. Expand "Web Sites"
  2. Select a web site to create a virtual directory in (such as "Default Web Site")

Task: Create Virtual Directory, Step 2 of 7
How to:
  1. Click "Action"
  2. Click "New"
  3. Click "Virtual Directory"

Task: Create Virtual Directory, Step 3 of 7
How to:
  1. Click "Next >"

Task: Create Virtual Directory, Step 4 of 7
How to:
  1. In the "Alias" textbox, type the site's name
  2. Click "Next >"

Task: Create Virtual Directory, Step 5 of 7
How to:
  1. In the "Path:" textbox, type the path to the physical folder where you will copy the kit/demo files for the SSO web site
  2. Click "Next >"

Task: Create Virtual Directory, Step 6 of 7
How to:
  1. Confirm that the "Read" checkbox is selected
  2. Click "Next >"

Task: Create Virtual Directory, Step 7 of 7
How to:
  1. Click "Finish"

Task: Application Creation, Step 1 of 2
How to:
  1. Select your "Virtual Directory" by navigating to "Web Sites"
  2. Select "Default Web Site"
  3. Right-click "SSOPortal"
  4. Click "Properties"

Task: Application Creation, Step 2 of 2
How to:
  1. On the "Virtual Directory" tab, click the "Create" button
  2. Select "Scripts only" in the "Execute permissions" drop-down menu

Task: Windows Authentication, Step 1 of 1
How to:
  1. Click on the "Directory Security" tab
  2. Click the "Edit" button in the "Authentication and Control Access" group
  3. Make sure that the "Enable Anonymous Access" check-box is NOT checked
  4. Make sure that the "Integrated Windows authentication" check-box is checked
  5. Click OK

Task: Framework Verification, Step 1 of 1
How to:
  1. Click on the ASP.NET tab
  2. Ensure that .NET 2.0 is selected
  3. Click OK

Task: Restarting IIS, Step 1 of 1
How to:
  1. Click Start
  2. Click Run
  3. Type "IISRESET" in the "Open" text-box
  4. Click "OK"

Appendix C - Understanding the structure of the StudentLogins.xml file

Every "entry" node of the XML document represents a single user and references two accounts: one account in a local directory or on a local portal, and another account in the Windows Live "cloud".

Each "entry" node contains the following attributes:

windowsLiveID
    Attribute containing the value of the Windows Live ID of a particular user

sAMAccountName
    Attribute containing the value of the user's local network or local web portal account
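In Scenario B this file decides which Windows Live ID a local account is signed into, so an entry that maps one local account to two Live IDs, or lets two local accounts claim the same Live ID, is an authorization problem rather than a typo. The following check is an added example, not part of the kit: it verifies that every entry carries both attributes, that no sAMAccountName or windowsLiveID is mapped twice, and that each Live ID belongs to the public domain configured in the web.config domain key (Appendix D). The root element name logins and the sample entries are constructed; this document does not show the real file's root element.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
// Added example, not part of the SSO Kit: sanity-check StudentLogins.xml before the portal relies on it.
public static class StudentLoginsCheck
{
    // Returns one message per problem; an empty list means the mapping is complete and unambiguous.
    public static List<string> Validate(XmlDocument doc, string liveIdDomain)
    {
        List<string> problems = new List<string>();
        Dictionary<string, string> byLocal = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        Dictionary<string, string> byLive = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        string suffix = "@" + liveIdDomain;
        foreach (XmlElement entry in doc.SelectNodes("//entry"))
        {
            string local = entry.GetAttribute("sAMAccountName").Trim();
            string live = entry.GetAttribute("windowsLiveID").Trim();
            if (local.Length == 0 || live.Length == 0)
            { problems.Add("entry missing sAMAccountName or windowsLiveID: " + entry.OuterXml); continue; }
            // Every Live ID must be user@<domain> for the enrolled public domain from web.config.
            if (!live.EndsWith(suffix, StringComparison.OrdinalIgnoreCase) || live.IndexOf('@') != live.Length - suffix.Length)
                problems.Add(live + " is not in domain " + liveIdDomain);
            // One local account must map to exactly one Live ID, and one Live ID to exactly one local account.
            string seen;
            if (byLocal.TryGetValue(local, out seen) && !string.Equals(seen, live, StringComparison.OrdinalIgnoreCase))
                problems.Add(local + " maps to both " + seen + " and " + live);
            else byLocal[local] = live;
            if (byLive.TryGetValue(live, out seen) && !string.Equals(seen, local, StringComparison.OrdinalIgnoreCase))
                problems.Add(live + " is claimed by both " + seen + " and " + local);
            else byLive[live] = local;
        }
        return problems;
    }
    public static void Main()
    {
        // Constructed sample; the <logins> root element is an assumption, only "entry" nodes are documented.
        const string sample = "<logins>"
            + "<entry sAMAccountName=\"jdoe\" windowsLiveID=\"jdoe@msnuniversity.edu\"/>"
            + "<entry sAMAccountName=\"asmith\" windowsLiveID=\"jdoe@msnuniversity.edu\"/>"
            + "<entry sAMAccountName=\"bwong\" windowsLiveID=\"bwong@example.com\"/>"
            + "<entry sAMAccountName=\"cjones\"/></logins>";
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(sample);
        foreach (string p in Validate(doc, "msnuniversity.edu")) Console.WriteLine(p);
    }
}
```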

Appendix D - WEB.CONFIG parameters

The Web.config XML file

The Windows Live e-mail integration portal requires the presence of a properly configured web.config XML file. The web.config file is used for the configuration of ASP.NET web applications. In this case it is used specifically for the web portal application.

The web.config file should be placed where the IIS application is installed; in this case it should be located in the web portal directory (for example, C:\Inetpub\wwwroot\SSOportal). The format of the file may change in the future but all of the attributes/keys listed should remain the same.

The keys or attributes are used to alter the behavior and configuration of the web portal application. Most of these values are self-explanatory and once set should rarely change.

Syntax

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>

Scenario value

Change the value to match your scenario here.

Scenario value 1 refers to SSO Scenario A, where the Active Directory ID (AD) equals the user's Windows Live ID. See Scenario A Installation in this document for more information.

Scenario value 2 refers to SSO Scenario B, where the user's Windows Live ID is different from the user's internal network ID. See Scenario B: "Windows Live ID is different from internal network ID" in this document for more information.

To implement Scenario A, please see Scenario A Installation in this document.

Syntax

<add key = "scenario" value = "1"/>

serverURL

This attribute determines the URL/location of the Windows Live ID credential server. The URL should be obtained from your Microsoft

representative.

Syntax

<add key = "serverURL" value = "https://ppsacredential.service.passport.net/PPSACredential.srf" />  *

* Please refer to the partner4.xml document (https://nexus.passport.com/public/partner/partner4.xml), which contains current URL information for the Windows Live Credential Server. Locate the value of the <ServiceAPICredentialServer/> tag.

siteID

Each enrolled domain receives a unique site ID that should be configured here.

Syntax

<add key = "siteID" value = "33333" />

loginSeconds

The number of seconds since the user typed the username and password. Use a zero value only for testing purposes. A zero value will not expire the certificate.

Syntax

<add key = "loginSeconds" value = "0" />

certThumb

The Certificate Thumbprint value.

Syntax

<add key = "certThumb" value = "cf 60 95 68 3d 30 dd f8 f4 76 92 43 2a 72 bf 4a 3f d7 74 ab" />
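The certThumb value is used exactly as it is copied from the MMC Details pane (see Appendix E), and that copy carries spaces, lower-case hex and often an invisible left-to-right mark, none of which the certificate store's thumbprint search accepts. The following added example, not part of the kit, normalizes the value, finds the certificate in LocalMachine\My and confirms that the account running the pool can actually read the private key, which is what the WinHttpCertCfg -g grant in Appendix A provides; run it under the pool identity to reproduce what the code-behind will see.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added example, not part of the SSO Kit: resolve the web.config certThumb value to a usable certificate.
public static class CertThumbCheck
{
    // Keep only hex digits: this drops the spaces of the documented value ("cf 60 95 68 ...")
    // and the invisible U+200E character that the MMC Details pane often puts in front.
    public static string NormalizeThumbprint(string certThumb)
    {
        if (certThumb == null) throw new ArgumentNullException("certThumb");
        char[] hex = new char[certThumb.Length];
        int n = 0;
        foreach (char c in certThumb)
            if (Uri.IsHexDigit(c)) hex[n++] = char.ToUpperInvariant(c);
        // A SHA-1 thumbprint is 20 bytes, i.e. 40 hex digits; anything else is a copy error.
        if (n != 40) throw new FormatException("certThumb must contain 40 hex digits, found " + n);
        return new string(hex, 0, n);
    }
    // Run under the application pool identity (e.g. NetworkService) to see what the code-behind will see.
    public static X509Certificate2 LoadForMutualSsl(string certThumb)
    {
        string thumb = NormalizeThumbprint(certThumb);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false so an expired or untrusted certificate is reported rather than silently skipped.
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumb, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate " + thumb + " in LocalMachine\\My; install the PFX with WinHttpCertCfg -i");
            X509Certificate2 cert = found[0];
            if (DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate " + cert.Subject + " expired on " + cert.NotAfter);
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key: mutual SSL needs the PFX, not a .cer export");
            try { if (cert.PrivateKey == null) throw new CryptographicException("key not accessible"); }
            catch (CryptographicException ex)
            {
                // Typical symptom when the pool account lacks read rights on the key container (Appendix A).
                throw new InvalidOperationException("Private key not readable by " + Environment.UserName
                    + "; grant it with winhttpcertcfg -g -a <account> -c LOCAL_MACHINE\\My -s <certificate name>", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }
}
```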

domain

This is your public domain name used for Windows Live ID e-mail addresses, for example, [email protected], where msnuniversity.edu is

the public domain name for MSN University.

Syntax

<add key = "domain" value = "msnuniversity.edu" />

Appendix E - Identifying the Certificate's Thumbprint

This section describes how to locate the security certificate thumbprint. The certificate thumbprint is used by the ASP.NET code to read the certificate during runtime execution.

- Refer to the instructions elsewhere in this document for how to open an MMC snap-in
- To identify the certificate thumbprint, locate the installed certificate in the appropriate certificate store (generally Local Machine\Personal)
- Open the certificate by double-clicking on it
- Click the Details tab
- Locate the "Thumbprint" entry (see illustration)
- Copy the thumbprint from the details pane