Live ID not working for users who weren't invited

Mar 22, 2011 at 12:18 AM

 

I've been working with the portal for a few months now and just recently found a problem with the Live ID authentication. 

To reproduce:

1. A user has a Live ID but has never associated that Live ID with a contact record in CRM via an invitation code.

2. That user visits the site and clicks on the log in control.

3. They log in with their Live ID.

4. When they are returned to the site the LiveID status control says Sign In.

5. Clicking on Sign In in the control in the upper right brings them to the Login Page.

6. Clicking the Live ID Sign In Icon on the Log in page re-directs them to the homepage.

 

The user is stuck in a loop where they can't log out, but the user they are logged in with can't access any protected content.

 

Would appreciate help figuring out how the system should be handling these users with LiveID accounts that aren't associated with the portal.

Here are some properties I've checked.

Page.User.Identity.IsAuthenticated = false

Page.ViewStateUserKey = null

Mar 26, 2011 at 5:52 PM

If a brand new user (one that has an existing Live ID but does not have a contact record on your site) visits your site and logs in, they will be redirected to Live ID and then end up back on your home page unauthenticated (at least to your site). Live ID will consider them authenticated, but not the website. Clicking logon again will take them back to Live ID, and Live ID will immediately send them back to the site because they are already authenticated to Live ID. The site will then put them back to the home page because they have no valid contact.

This isn't a defect, but it is probably not the best experience either. A better experience would be to take them to a page that mentions that they are authenticated with a Live ID that does not have a profile on the site and need to have an invitation to use the site. This experience is 'by design' from a security standpoint.

That said, your assessment of them being in a logged out status and unable to access any protected content sort of leaves me with the feeling that you want to implement an open signup mechanism instead of the secure invitation-based system we have implemented. The good news is that you can certainly do that - just take a look at the xrm virtual user group - it uses Live ID and an open signup system.

Shan McArthur
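
The routing decision described in the reply above, as an added example that is not part of the original thread and is not the portal's own code. It is a framework-neutral Python model of the login-return step; the `Portal` class, the `/login` and `/invitation-required` paths, and all identifiers and sample data are hypothetical. An identity that Live ID has authenticated but that has no contact on the site still gets no site session, but it is sent to an explanatory page instead of back to the home page, and an invitation code links a contact exactly once.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    ANONYMOUS = "anonymous"                # no identity returned by the IdP
    SIGNED_IN = "signed_in"                # identity already linked to a contact
    INVITATION_REDEEMED = "redeemed"       # identity linked just now via invitation
    NO_PROFILE = "no_profile"              # IdP-authenticated, unknown to the site


@dataclass
class Decision:
    outcome: Outcome
    redirect_to: str                       # hypothetical site paths
    site_authenticated: bool
    contact_id: Optional[str] = None


class Portal:
    """Constructed stand-in for the site's contact and invitation store."""

    def __init__(self, contacts, invitations):
        self.contacts = dict(contacts)         # IdP user id -> contact id
        self.invitations = dict(invitations)   # unredeemed code -> contact id

    def handle_return(self, idp_user_id, invitation_code=None):
        """Decide what the site does when the browser comes back from the IdP."""
        if not idp_user_id:
            return Decision(Outcome.ANONYMOUS, "/login", False)
        contact = self.contacts.get(idp_user_id)
        if contact:
            return Decision(Outcome.SIGNED_IN, "/", True, contact)
        if invitation_code is not None:
            # pop() makes the code single-use: it cannot bind a second identity.
            invited = self.invitations.pop(invitation_code, None)
            if invited:
                self.contacts[idp_user_id] = invited
                return Decision(Outcome.INVITATION_REDEEMED, "/", True, invited)
        # Authenticated to the IdP only: issue no site session and never create
        # a contact implicitly, but explain why instead of looping to "/".
        return Decision(Outcome.NO_PROFILE, "/invitation-required", False)


# Constructed sample data: one linked user and one outstanding invitation.
PORTAL = Portal({"puid-0001": "contact-A"}, {"INV-123": "contact-B"})
```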