

Adding a Personal Consent Page (C#)

Adding a Personal Consent Page

Users must have the opportunity to indicate whether they want to share their Microsoft® .NET Passport information with your site. If a new user visits your site, and that user is signed in with .NET Passport, he or she should not be immediately directed to the Login server for purposes of obtaining a silent refresh of credentials. Instead, your site must display its own consent page (or some other .NET Passport network sign-in user interface) to the user. Immediately redirecting first-time visitors to the Login server may silently return them to your site without ever indicating to them that .NET Passport single sign-in (SSI) is being used by your site. Users will thus have had no opportunity to explicitly approve your site's access to their .NET Passport core profile information.

This requirement applies only to the very first time a .NET Passport user visits your site. The user having seen a .NET Passport sign-in dialog box or consent page once serves as adequate consent-gathering, so your site is thereafter allowed to access the user's profile. The way in which a participating site determines whether a .NET Passport user is a first-time visitor is not prescribed by .NET Passport or enabled specifically in the .NET Passport application programming interfaces (APIs). It is recommended that sites create a database that stores .NET Passport Unique IDs (PUIDs) for users who have granted consent. Consent can then be checked before each attempt to silently refresh a user's credentials.

To satisfy this requirement, you must obtain consent in one of three ways:

  • Present a consent page before silently redirecting to the .NET Passport Login server using the LoginUser method of the PassportIdentity object.
  • Do not use the LoginUser method. Require the customer to click the .NET Passport sign-in link. Customers who click this link are implicitly consenting to share their .NET Passport core profile information with your site.
  • Redirect to the Login server with fForceLogin set to True and iTimeWindow set to less than five minutes. This will force the .NET Passport Sign-in page to be displayed.

If your site has pages that do not require customers who are already authenticated by .NET Passport to reenter their credentials, you must either display a consent page or have customers click the sign-in link at least once.

Users who have a previous or stale Ticket cookie written into your site's domain may always be automatically redirected to a Login server, because the presence of the old Ticket definitely indicates that this user has visited your site before.
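The following ASP.NET page handler is an added example (not code from this documentation) of the first-visit check described above: it consults a PUID consent store before allowing a silent LoginUser redirect, treats a stale Ticket cookie as proof of a prior visit, and otherwise sends the user to the site's own consent page. ConsentStore is an in-memory stand-in for the recommended database, and the consent page and return URLs are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

public enum ConsentStep { Proceed, SilentRefresh, ShowConsentPage }

// Stand-in for the PUID consent database the page recommends (constructed for this example).
public static class ConsentStore
{
    private static readonly HashSet<string> Consented = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public static bool HasConsent(string hexPuid) { return !string.IsNullOrEmpty(hexPuid) && Consented.Contains(hexPuid); }
    public static void RecordConsent(string hexPuid) { if (!string.IsNullOrEmpty(hexPuid)) Consented.Add(hexPuid); }
}

public partial class DefaultPage : System.Web.UI.Page
{
    private const string ConsentPageUrl = "/consent.aspx";                 // hypothetical
    private const string ReturnUrl = "http://www.example.com/default.aspx"; // hypothetical

    // Pure decision, kept free of HttpContext so it can be unit-tested.
    public static ConsentStep Decide(bool isAuthenticated, bool hasTicket, string hexPuid)
    {
        if (isAuthenticated) return ConsentStep.Proceed;
        // Consent already on record for this PUID: a silent refresh is allowed.
        if (ConsentStore.HasConsent(hexPuid)) return ConsentStep.SilentRefresh;
        // A stale Ticket cookie in this domain proves a prior visit, so a silent redirect is also allowed.
        if (hasTicket) return ConsentStep.SilentRefresh;
        // Unknown user: never redirect silently; show the site's own consent page first.
        return ConsentStep.ShowConsentPage;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        PassportIdentity identity = Context.User.Identity as PassportIdentity;
        if (identity == null) return; // authentication mode is not "Passport"
        string puid = identity.HasTicket ? identity.HexPUID : null;
        switch (Decide(identity.IsAuthenticated, identity.HasTicket, puid))
        {
            case ConsentStep.Proceed:
                ConsentStore.RecordConsent(identity.HexPUID); // user saw sign-in UI or the consent page
                break;
            case ConsentStep.SilentRefresh:
                identity.LoginUser(ReturnUrl, 3600, false, null, 0, null, 0, false, null); // fForceLogin = false
                Response.End();
                break;
            default:
                Response.Redirect(ConsentPageUrl); // consent.aspx renders the sign-in link (LogoTag2)
                break;
        }
    }
}
```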

See Also

Collecting User Data | Collecting User Data Example