[MS-PASS]:

Passport Server Side Include (SSI) Version 1.4 Protocol

Intellectual Property Rights Notice for Open Specifications Documentation

§  Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.

§  Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.

§  No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

§  Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

§  Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

§  Fictitious Names. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Date / Revision History / Revision Class / Comments
3/2/2007 / 1.0 / Version 1.0 release
4/3/2007 / 1.1 / Minor / Clarified the meaning of the technical content.
5/11/2007 / 1.2 / Version 1.2 release
6/1/2007 / 1.2.1 / Editorial / Changed language and formatting in the technical content.
7/3/2007 / 1.3 / Minor / Clarified the meaning of the technical content.
8/10/2007 / 1.3.1 / Editorial / Changed language and formatting in the technical content.
9/28/2007 / 1.3.2 / Editorial / Changed language and formatting in the technical content.
10/23/2007 / 2.0 / Major / Converted document to unified format and updated technical content.
1/25/2008 / 2.0.1 / Editorial / Changed language and formatting in the technical content.
3/14/2008 / 2.0.2 / Editorial / Changed language and formatting in the technical content.
6/20/2008 / 2.0.3 / Editorial / Changed language and formatting in the technical content.
7/25/2008 / 2.0.4 / Editorial / Changed language and formatting in the technical content.
8/29/2008 / 2.1 / Minor / Clarified technical content.
10/24/2008 / 3.0 / Major / Updated and revised the technical content.
12/5/2008 / 4.0 / Major / Updated and revised the technical content.
1/16/2009 / 5.0 / Major / Updated and revised the technical content.
2/27/2009 / 5.0.1 / Editorial / Changed language and formatting in the technical content.
4/10/2009 / 5.0.2 / Editorial / Changed language and formatting in the technical content.
5/22/2009 / 5.0.3 / Editorial / Changed language and formatting in the technical content.
7/2/2009 / 5.0.4 / Editorial / Changed language and formatting in the technical content.
8/14/2009 / 5.0.5 / Editorial / Changed language and formatting in the technical content.
9/25/2009 / 5.1 / Minor / Clarified the meaning of the technical content.
11/6/2009 / 5.1.1 / Editorial / Changed language and formatting in the technical content.
12/18/2009 / 5.1.2 / Editorial / Changed language and formatting in the technical content.
1/29/2010 / 5.1.3 / Editorial / Changed language and formatting in the technical content.
3/12/2010 / 5.1.4 / Editorial / Changed language and formatting in the technical content.
4/23/2010 / 6.0 / Major / Updated and revised the technical content.
6/4/2010 / 6.1 / Minor / Clarified the meaning of the technical content.
7/16/2010 / 6.2 / Minor / Clarified the meaning of the technical content.
8/27/2010 / 7.0 / Major / Updated and revised the technical content.
10/8/2010 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
11/19/2010 / 8.0 / Major / Updated and revised the technical content.
1/7/2011 / 9.0 / Major / Updated and revised the technical content.
2/11/2011 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
3/25/2011 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/6/2011 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/17/2011 / 9.1 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 10.0 / Major / Updated and revised the technical content.
12/16/2011 / 11.0 / Major / Updated and revised the technical content.
3/30/2012 / 11.0 / None / No changes to the meaning, language, or formatting of the technical content.
7/12/2012 / 11.0 / None / No changes to the meaning, language, or formatting of the technical content.
10/25/2012 / 11.0 / None / No changes to the meaning, language, or formatting of the technical content.
1/31/2013 / 11.0 / None / No changes to the meaning, language, or formatting of the technical content.
8/8/2013 / 12.0 / Major / Updated and revised the technical content.
11/14/2013 / 12.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/13/2014 / 12.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 12.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 13.0 / Major / Significantly changed the technical content.
10/16/2015 / 13.0 / No Change / No changes to the meaning, language, or formatting of the technical content.

Table of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Message Syntax
2.2.1 Common Definitions
2.2.2 Authentication Server Challenge Message
2.2.3 Authentication Server-Instructed Update Message
2.2.4 Authentication Server Logout Message
2.2.5 Authentication Server Redirect Message
2.2.6 First Authenticated Request Message
2.2.7 Sign-in Request Message
2.2.8 Partner Server Challenge Message
2.2.9 Set Token Message
2.2.10 Token Request Message
2.2.11 Token Response Message
2.2.12 Update Configuration Message
3 Protocol Details
3.1 Client Details
3.1.1 Abstract Data Model
3.1.2 Timers
3.1.3 Initialization
3.1.4 Higher-Layer Triggered Events
3.1.4.1 Opening a Passport Session
3.1.4.2 Closing a Passport Session
3.1.5 Processing Events and Sequencing Rules
3.1.5.1 Processing Partner Server Challenge Messages
3.1.5.2 Processing Authentication Server Challenge Messages
3.1.5.3 Processing Authentication Server-Instructed Update Messages
3.1.5.4 Updating Configuration Messages
3.1.5.5 Processing Authentication Server Logout Messages
3.1.5.6 Processing Authentication Server Redirect Messages
3.1.5.7 Processing Token Response Messages
3.1.5.8 Processing Set Token Messages
3.1.6 Timer Events
3.1.7 Other Local Events
3.2 Partner Server Details
3.2.1 Abstract Data Model
3.2.2 Timers
3.2.3 Initialization
3.2.4 Higher-Layer Triggered Events
3.2.5 Processing Events and Sequencing Rules
3.2.5.1 Processing First Authenticated Request Messages
3.2.5.2 Attempting to Access a Restricted Resource
3.2.6 Timer Events
3.2.7 Other Local Events
3.3 Authentication Server Details
3.3.1 Abstract Data Model
3.3.2 Timers
3.3.3 Initialization
3.3.4 Higher-Layer Triggered Events
3.3.5 Processing Events and Sequencing Rules
3.3.5.1 Processing Sign-in Request Messages
3.3.5.2 Processing Token Request Messages
3.3.6 Timer Events
3.3.7 Other Local Events
3.4 Configuration Server Details
3.4.1 Abstract Data Model
3.4.2 Timers
3.4.3 Initialization
3.4.4 Higher-Layer Triggered Events
3.4.4.1 Processing HTTP GET
3.4.5 Processing Events and Sequencing Rules
3.4.6 Timer Events
3.4.7 Other Local Events
4 Protocol Examples
5 Security
5.1 Security Considerations for Implementers
5.2 Index of Security Parameters
6 Appendix A: Product Behavior
7 Change Tracking
8 Index

1  Introduction

This document specifies the Passport Server Side Include (SSI) Version 1.4 Protocol (or the Passport SSI Version 1.4 Protocol), also known as the "Passport Tweener" protocol. The Passport SSI Version 1.4 Protocol is based on HTTP (as specified in [RFC2616]) for authenticating a client to a server with the assistance of an authentication server.

Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. Sections 1.5 and 1.9 are also normative but do not contain those terms. All other sections and examples in this specification are informative.

1.1  Glossary

The following terms are specific to this document:

authentication: The act of proving an identity to a server while providing key material that binds the identity to subsequent communications.

authentication server: The entity that verifies that a person or thing is who or what it claims to be (typically using a cryptographic protocol) and issues a ticket or token attesting to the validity of the claim. The total set of authentication protocol security support providers (SSPs) that are typically available on a Windows server release.

Authentication Service (AS): A service that issues ticket granting tickets (TGTs), which are used for authenticating principals within the realm or domain served by the Authentication Service.

client: The software that is used by a user to access the service. It represents the user in [MS-PASS]. A synonym is client application.

co-branding: The inclusion of a party's logo, text, or other branding content in a second party's software or site.

configuration server: The service or server that serves configuration data (packaged in HTTP headers) describing the topography of the network. It includes information on the distribution of member accounts among the Authentication Services (AS) and the URLs of particular resources in each AS.

configuration version: Integer value indicating the version of the configuration data given out by the configuration server.

cookie: An HTTP header that carries state information between participating origin servers and user agents. For more information, see [RFC2109].

credential: Previously established authentication data that is used by a security principal to establish its own identity. When used in reference to the Netlogon Protocol, it is the data that is stored in the NETLOGON_CREDENTIAL structure.

partner: In the context of [MS-PASS], an organization in a business relationship with the Authentication Service (AS). A partner needs to be able to access the token issued by the AS. Typically, a partner site is the actual service or site a consumer visits and, in the process, is authenticated by the AS. Examples of partners are the MSN Money and MSN Messenger sites.

partner server: The server or service used by a partner to represent it in the Passport SSI Version 1.4 Protocol.

realm: A collection of users, partners, and authentication servers bound by a common authentication policy.

resource: An object that a client is requesting access to, typically referenced by a Uniform Resource Locator (URL) or Uniform Resource Identifier (URI), as specified in [RFC3986].

token: A block of data that is issued to a user on successful authentication by the authentication server. Such a token is presented to a service to prove one's identity and attributes to a service. The token is used in the process of determining the user's authorization and access privileges.

Uniform Resource Locator (URL): A string of characters in a standardized format that identifies a document or resource on the World Wide Web. The format is as specified in [RFC1738].

user: The real person who has a member account. The user is authenticated by being asked to prove knowledge of the secret password associated with the user name.

UTF-8: A byte-oriented standard for encoding Unicode characters, defined in the Unicode standard. Unless specified otherwise, this term refers to the UTF-8 encoding form specified in [UNICODE5.0.0/2007] section 3.9.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2  References

Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.

1.2.1  Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information.