

Service Requirements

Before your site goes live, it must be reviewed by the Microsoft .NET Services compliance team to ensure it meets all functionality requirements and user interface (UI) and branding guidelines. A compliance fee may be assessed for this review. Information about the compliance fee will be specified in your .NET Services Agreement. If you have any questions, please contact the .NET Services team.

The following are the service requirements. You must be able to answer "Yes" to each item. After you have verified your site's functionality and adherence to these guidelines, go to .NET Services Manager to request a review of your site. The .NET Services compliance team will notify you of its determination. If your site fails to meet any service requirements, you will be notified in detail about which requirements it does not meet.

.NET Passport Compliance

  • Your site has cobranded the Microsoft .NET Passport-hosted user interface (UI) pages (for example, Sign-in and Registration) to make the user experience consistent between your site's UI and .NET Passport-hosted UI pages. Your cobranding meets the following browser support requirements:

    • Your cobranding renders correctly in Microsoft Internet Explorer version 5.5 with Service Pack 2 or later.
    • In Internet Explorer version 4.0 or later and on Netscape Navigator version 4.7 or later, your cobranding does not break the functionality of any of the .NET Passport UI pages, such as Sign-in, Registration, and Member Services.

    For more information, see .NET Passport Cobranding Overview.

  • Your cobrand logo images are present in the file locations you specified when you registered your site and are correctly sized:

    • CobrandImageURL: 468 pixels wide by 60 pixels high
    • CobrandImage2URL: 102 pixels wide by 80 pixels high

    For more information, see .NET Passport Cobranding Overview and .NET Passport UI Elements.

  • If your site displays locally-hosted UI text that refers to .NET Passport, that text conforms to the brand usage guidelines described in the .NET Passport SGK. For more information, see .NET Passport UI Elements.

  • Your site uses only the following methods to collect .NET Passport credentials:

    • Redirecting to the .NET Passport Login servers.
    • Invoking the .NET Passport authentication integrated into Microsoft Windows XP.

    For more information, see Single Sign-In Overview (VBScript) and Collecting User Data (VBScript), or see Single Sign-In Overview (C#) and Collecting User Data (C#).

  • If your site keeps any information provided by the user's .NET Passport profile, your site explicitly asks the user for permission to keep that information the first time you authenticate the user. "Keep" is defined as retaining the information on a permanent basis in a local store, or otherwise causing the information to persist locally beyond the user's current session at your site. For more information, see Adding a Personal Consent Page (VBScript) and Collecting User Data (VBScript), or see Adding a Personal Consent Page (C#) and Collecting User Data (C#).

  • Your site displays a privacy statement or a link to a posted privacy statement, which conforms to current industry standards and is in human-readable format, on your home page and any other UI pages on which a user's personal information is collected. In addition, for the site attribute, PrivacyPolicyURL, your site provides a valid URL that points to your privacy policy. For more information, see Privacy Policies and Cobranding. For information about creating a privacy statement, see License and Service Agreement.

  • If your site uses flexible-layout cobranding on the .NET Passport-hosted pages, your cobranding includes only one link to a privacy statement. Clicking this link displays one of the following:

    • The .NET Passport Privacy Statement, OR
    • Your own privacy statement, which contains a link to the .NET Passport Privacy Statement, OR
    • Your own privacy statement, which contains a summary of the .NET Passport Privacy Statement provided as the JavaScript variable, strPrivacyStatement.

    For more information, see Privacy Policies and Cobranding.

  • Your site stores all .NET Passport-derived personal information on servers with limited access, located in controlled facilities. This information includes any user information retrieved using the Profile method, such as the .NET Passport Unique ID (PUID), e-mail address, credit card data, address, first and last name, and phone number.

    For more information, see Collecting User Data (VBScript) or Collecting User Data (C#).

  • After a user signs in, the cookies should be checked by entering the following command into the address bar:

    javascript:document.cookie

    No personally identifiable information (PII) should be visible. This check should also be performed before logging out to ensure that other activities you may have done during the compliance review did not expose other PII data.

  • Your site does not send any .NET Passport data in the clear, because you have either encrypted it or you send it only over an HTTPS session.
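
The manual `javascript:document.cookie` check described above can be repeated consistently across pages with a small scanner. The following is an added example, not part of the original documentation: it takes the string that `document.cookie` returns and flags values that look like e-mail addresses, card numbers, or phone numbers. The function names and the sample cookie names and values are constructed for illustration.

```javascript
// Added example: scan a document.cookie string for values that look like PII.
// All cookie names and values here are constructed for illustration.

// Luhn checksum separates likely card numbers from arbitrary digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Cookie values are often URL-encoded; decode so "%40" is seen as "@".
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Returns [{ name, kind }] for every cookie whose value looks like PII.
function findPiiInCookies(cookieString) {
  const findings = [];
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const value = safeDecode(pair.slice(eq + 1).trim());
    if (/[^\s@=&]+@[^\s@=&]+\.[A-Za-z]{2,}/.test(value)) {
      findings.push({ name, kind: 'email' });
    }
    // 13 to 19 digits, optionally separated by spaces or dashes.
    const cards = value.match(/\b\d(?:[ -]?\d){12,18}\b/g) || [];
    if (cards.some(c => luhnValid(c.replace(/\D/g, '')))) {
      findings.push({ name, kind: 'card-number' });
    }
    // North American style phone number such as (425) 555-0100.
    if (/(?:^|\D)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)/.test(value)) {
      findings.push({ name, kind: 'phone' });
    }
  }
  return findings;
}

// Constructed sample of what document.cookie might return after sign-in.
const sample = 'sid=9f3c2a71; lang=en-US; contact=jane.doe%40example.com; ' +
  'pay=4111-1111-1111-1111; order=1234567890123456; tel=(425)%20555-0100';
console.log(findPiiInCookies(sample));
```

Pattern matching of this kind only catches PII stored in readable or URL-encoded form; an opaque value still needs to be traced back to what the server put in it.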

Single Sign-In Compliance

  • Your site does not authenticate a .NET Passport user and access the user's .NET Passport profile information without receiving consent from the user at least once. Your site can receive consent from the user in the following ways:

    • Your site explicitly asks for and receives user consent to access the .NET Passport profile information. This can be done as part of a registration process or through the use of a Personal Consent page.
    • Your site displays the .NET Passport Sign In button and users click this button to authenticate for access to your site.
    • Your site automatically sends the user to .NET Passport to be authenticated, but with the ForceLogin option set to True and the TimeWindow set to less than two (2) minutes. This will force the .NET Passport Login page to be displayed to the user.

    For more information, see Adding a Personal Consent Page (VBScript) and Collecting User Data (VBScript), or see Adding a Personal Consent Page (C#) and Collecting User Data (C#). 

  • Your site explicitly asks the customer for permission to access the .NET Passport profile information before keeping a copy of the information. For more information, see Collecting User Data (VBScript) or Collecting User Data (C#).

  • Your site never directly collects, stores, or transmits the .NET Passport password for any user. In all cases, Microsoft .NET Passport functionality is used to collect .NET Passport credentials, such as redirecting to the .NET Passport Login servers or invoking Windows XP integrated authentication. For more information, see Collecting User Data (VBScript) or Collecting User Data (C#).
  • Your site maintains a Platform for Privacy Preferences (P3P) XML document and a Compact Policy when the site or service handles cookies. For more information, see .NET Passport and P3P (VBScript) or .NET Passport and P3P (C#).
  • Pages on your site that display users' personal information either disable caching or use Secure Sockets Layer (SSL/TLS). For more information, see SSL Certificates.
  • Your site must clear the .NET Passport Ticket and Profile data from the query string in all instances in which this information is returned to your site. The FromNetworkServer interface on the Passport Manager object is provided to simplify this operation. For more information, see Single Sign-In Overview (VBScript) or Single Sign-In Overview (C#).
  • Any encryption keys provided by Microsoft are protected from unauthorized access at all times. A single key user is assigned the overall responsibility to protect and manage these keys. Installation procedures provided by Microsoft with the encryption keys must be followed strictly. The key installation file provided by Microsoft must be stored in a restricted environment. For more information, see Installing .NET Passport Encryption Keys.
  • Your site deletes all .NET Passport cookies and other cookies that contain .NET Passport-provided, personally identifiable information when a customer signs out. For more information, see Implementing Sign-Out and Deleting Cookies (VBScript) or Implementing Sign-Out and Deleting Cookies (C#).
  • If your site implements SSL sign-in, all cobranding, error conditions, and return URL entries are also served through an equivalent HTTPS URL on a server to which access is restricted. For more information, see SSL Sign-In or Kids Passport Cobranding.

Kids Passport Compliance

In addition to the .NET Passport and single sign-in (SSI) requirements previously outlined, Microsoft Kids Passport sites must meet the following service requirements.

  • Your site's privacy statement contains a section describing how you deal with Kids Passport profile data. This section describes the level(s) of consent your site supports and the meaning of each level in terms of access: full, limited, and denied. For more information, see Kids Passport Implementation Process.
  • Your site correctly calls HaveConsent to determine the level of functionality to provide to children. For more information, see Checking for Consent.
  • Your site allows parents to view, edit, or remove personal information that you have collected about their child. The Account Data and Account Removal URLs were supplied when you registered your site and contain code that allows for the real-time viewing, editing, and removal of the child's data or instructions for how the data can be updated or removed. For more information, see Kids Passport Implementation Process.
  • All cobranding for Kids Passport is also served through an equivalent HTTPS URL on a server to which access is restricted. For more information, see Kids Passport Cobranding.

See Also

Registering Your .NET Passport Site