

Collecting User Data (C#)

Collecting User Data

When customers sign in to your site using Microsoft® .NET Passport single sign-in (SSI), you can access information about them by using the GetProfileObject method of the PassportIdentity object. For more information, see .NET Passport Profile.

The only user data in the profile to which you are guaranteed to have access is the .NET Passport Unique ID (PUID). Additional fields from the core profile contain basic user information, such as name and ZIP Code, and may be accessible if the user has both entered the information into his or her profile and chosen to share it with participating sites.

Microsoft .NET Passport users modify their profile information and indicate which data they want to share with participating sites by using the Edit Profile page hosted by .NET Passport. If a user's profile does not contain data that your site needs, or if the user is currently not sharing that data, you can display a link to the Edit Profile page on your site. For information about linking to this and other .NET Passport services, see Linking to .NET Passport Services.

The following image shows the Edit Profile page.

Edit Profile Page


The following table lists the core profile fields collected and stored by .NET Passport (if the customer chooses to supply this information). In addition, the table identifies the fields that can be shared by .NET Passport users.

*This field is optional for users. If this information is entered and the user has consented to share it with participating sites by selecting the specific field (such as first or last name, or e-mail address) or the group it is part of (such as other registration information), you will be able to access it.

Note  The user's language preference is typically inferred from the language version of the page on which the user registered for a .NET Passport.

Collecting and Storing User Data Not Contained in the Core Profile

The .NET Passport core profile contains the information typically captured by sites to provide a more personalized experience for their customers. However, most sites also collect and store other site-specific data beyond that contained in the .NET Passport core profile. You must create your own mechanism for collecting this data, such as using HTML forms and storing the user information in a database. This additional data is private between you and users of your site. It is not shared with or stored by .NET Passport.

If you already have an authentication system on your site and an existing store of user data and need more information about linking new and existing account information to the PUID, see .NET Passport Unique ID.

For the fields that are common to both your database and .NET Passport, the following recommendations will help you to keep the data in your database synchronized with the latest version from the user's profile:

  • Use the information returned in the .NET Passport profile rather than asking your customer to enter it again.

  • A read-only field of the .NET Passport core profile, the ProfileVersion attribute, increments every time the .NET Passport profile is updated. Keep this version number so that you can detect when the core .NET Passport profile information has changed and update your database accordingly.

  • In the customer-service area of your site, provide a link to the cobranded .NET Passport Member Services page so users can edit their .NET Passport profile information. If the user changes any of the .NET Passport profile data, it will be updated in the .NET Passport cookies during that same authentication session so that you can update your database accordingly.

Getting end users' consent to access and use their .NET Passport profile information the first time they come to a site does not necessarily imply that the end user has granted the site permission to save that information. The end user may believe that the site is retaining the information only for the duration of the current session, and this may be the behavior they both expect and prefer. To ensure that the end user understands that you intend to store the information at your site, you must explicitly ask the end user for permission to save the .NET Passport profile information.

In some cases, this request may be part of a larger information request, such as using the .NET Passport profile information to prefill information on a registration form. When end users choose Submit, they are also consenting to save the .NET Passport profile information. If the site does not have a registration page, it is free to use another form of request. For example, the end user may be presented with an "opt-in" check box requesting that the information be saved at the time of sign-in, or the site may present a separate page for this purpose after sign-in.

If the end user has consented to the use of the profile information, but not to having it saved by your site, you must not retain the information beyond the current session. You can, however, continue to ask the end user for consent to save on subsequent visits.
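The ProfileVersion recommendation and the consent-to-save rule above can be combined in one synchronization routine. The following is an added example, not code from the original page or from Microsoft: `StoredProfile`, `ProfileSync`, the in-memory store, and the field names `FirstName` and `PostalCode` are assumptions, and the `getField` delegate stands in for a call to `PassportIdentity.GetProfileObject`.

```csharp
using System;
using System.Collections.Generic;

public sealed class StoredProfile            // hypothetical local record
{
    public int ProfileVersion;
    public Dictionary<string, string> Fields = new Dictionary<string, string>();
}

public static class ProfileSync              // hypothetical helper
{
    // Assumed names of the shared core-profile fields this site mirrors.
    static readonly string[] Mirrored = { "FirstName", "PostalCode" };

    // getField stands in for a call to PassportIdentity.GetProfileObject and
    // must return null or "" for a field that is absent or not shared.
    // Returns true when the local copy was written or refreshed.
    public static bool Sync(IDictionary<string, StoredProfile> store, string puid,
                            Func<string, object> getField, bool consentToSave)
    {
        // Consent to use the profile is not consent to save it.
        if (!consentToSave) return false;
        int current = Convert.ToInt32(getField("ProfileVersion"));
        StoredProfile row;
        if (store.TryGetValue(puid, out row) && row.ProfileVersion == current)
            return false;                    // stored copy is already current
        row = new StoredProfile { ProfileVersion = current };
        foreach (string name in Mirrored)
        {
            string value = Convert.ToString(getField(name));
            if (!string.IsNullOrEmpty(value)) row.Fields[name] = value;
        }
        store[puid] = row;                   // replace, so unshared fields drop out
        return true;
    }

    public static void Main()
    {
        // Constructed profile and PUID standing in for a signed-in user.
        var profile = new Dictionary<string, object> {
            { "ProfileVersion", 7 }, { "FirstName", "Ana" }, { "PostalCode", "" } };
        Func<string, object> get = k => profile.ContainsKey(k) ? profile[k] : null;
        var store = new Dictionary<string, StoredProfile>();
        const string puid = "0000000000000001";
        Console.WriteLine(Sync(store, puid, get, false)); // no consent to save
        Console.WriteLine(Sync(store, puid, get, true));  // first save
        Console.WriteLine(Sync(store, puid, get, true));  // version unchanged
        profile["ProfileVersion"] = 8; profile["FirstName"] = ""; // sharing withdrawn
        Console.WriteLine(Sync(store, puid, get, true));  // refreshed copy
    }
}
```

Replacing the whole record on a version change, instead of merging into it, keeps a field the user has stopped sharing from lingering in the site's database.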

For more information, see Collecting User Data Example.