Project Description
Windows Live SSO from PHP


- Windows Live uses a set of SOAP based Passport Web Services to obtain a short lived token (SLT) using a method known as GetSLT. GetSLT is secured using Client Certificate's and requires the TLS connection undergoes mutual authentication
- In order to make a TLS connection, PHP must have access to a private key, the user certificate and a set of certificates from trusted Root and Intermediate CAs. PHP requires the private key is located in the PEM format.
- The code uses the Client URL (cURL) extension for PHP

- Private Key - build
- User Certificate - build
- Certificate Authority Bundle - use supplied all.cer

Windows Live SSO PHP
- Your code!

- WindowsLive SSO PHP. Secure the PHP and pass through the username in the HTTP header and get a URL which can be used for SSO


Create a Private Key file
- Import the certificate into the Windows certificate store. Export, ensure you including the Private key and all Certificates in the hierarchy
- Convert your pfx file to a pem using openssl via "openssl pkcs12 -in all.cer.pfx -out all.cer.pem -nodes"
- Copy the resulting file to seperate files, cer.pem and private.pem
- Edit private.cer to look like this (contains only the private key)
$ cat private.pem
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: {CA7DB1AD-1EAD-47DD-A141-696CDAA7586A}
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10

- Edit cer.pem to look like this (contains only the user certificate)
$ cat cer.pem
Bag Attributes
localKeyID: 01 00 00 00
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server A


- Ensure you've validated against the official SSO Toolkit first!
- Confirm you're using a PFX file with a Certificate
- Ensure you've imported, then exported the PFX file ensuring you've exported with all Certificates in the Certificate chain

Last edited Jul 8, 2010 at 3:34 AM by adam_j_bradley, version 10