COMPLIANCE CRITERIA

COMPLIANCE CRITERIA

and

VERIFICATION CASES

Windows Live™ ID

Revision: 2006-08-16

This document presents the compliance criteria to which all sites participating in the Windows Live ID service must adhere. No Windows Live ID implementation may go into production without having passed compliance review by Microsoft.

All sites should walk each of these compliance criteria prior to submitting a site for compliance review. If your site fails the compliance review, a delay will occur while you correct the failure points and Microsoft repeats its review of your site. Multiple failures of the compliance review may result in additional charges to your company for repeated reviews.

To help you determine whether your site meets the Windows Live ID compliance criteria before you submit it for review, this document also includes compliance verification cases. These cases suggest steps to follow and expected results for each of the compliance criteria. If you perform the steps and adjust your site until you obtain the expected results, you will increase the likelihood that your site will pass Microsoft’s review. If you have questions about any compliance criteria, contact the Windows Live ID developer support team by calling 1-800-936-5800.

Important: Compliance test cases are not intended to describe a comprehensive test pass for your site or verify the general functionality or robustness of your site. Partners should fully test sites prior to submission.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft is a registered trademark of Microsoft Corporation in theUnited Statesand/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

GENERAL PREREQUISITES

Following are the general prerequisites for compliance verification by you, and for compliance review by Microsoft. If you believe that your implementation of the Windows Live ID service will use software platforms other then those listed here to interact with your site, it is your responsibility to test your site for compatibility with those platforms.

 

Relying Party Suite (RPS)
Partners are no longer allowed to implement using the legacy Passport Manager Object.  Partners must use the Relying Party Suite (RPS).

Operating systems

The RPS libraries require Windows Server 2003.

Web browsers
Review is performed using Microsoftâ Internet Explorer version 6.0 or later.

Smart Clients
When integrating Windows Live ID authentication into a compiled smart client (non-browser), the IDCRL library must be used.

Site availability
A site submitted for compliance review must be accessible to the compliance tester.  Include all special requirements, accounts or other instructions necessary for accessing the site and exercising its Windows Live ID functionality.  If the compliance tester is unable to access the site for any reason, your submission will be denied which will cause a delay.

User authentication
To perform verification or review, the user must have Windows Live ID credentials in the appropriate test environment, Integration (INT) or Preproduction (PPE). The user must also have been granted any additional permission needed to access the site for purposes of verification or review.

Storyboard

If your site uses a nonstandard implementation of the Windows Live ID service, or if its content is presented in a language other than English, you must provide a storyboard. A storyboard consists of screen shots and a detailed description of the functionality of key pages on your site. It describes the experience of a user coming to your site, creating a new Windows Live ID account, completing any registration process specific to your site, and then signing out.

FREQUENTLY ASKED QUESTIONS

Q.         Can I submit a site running against INT for compliance?

A.         Yes, but you must understand the implications.  INT is the official “Dev / Test” environment.  PPE is the official “Staging” environment.  Only a PPE application has the options to request compliance and roll into production.  Upon approval, the PPE application settings will be copied into Production, not the INT settings.  If you only tested your INT application, and if INT and PPE differ in any way, then your production application could suffer.

In addition, INT and PPE play an additional role.  INT is the primary “V-Next” environment for the service, whereas PPE is the “V-Current”.  If you are testing your application against INT, which could be running a version of the service not coming out for 6 months, and you jump to Production, which is running the current version, you missed your opportunity to test against the same version of the service you deployed to.

In summary, all partners should be able to fully test against both INT and PPE, and should always smoke test their application in PPE prior to launch.

Q.         We’re launching in a few days.  Can we expedite the compliance check?

A.        No partner should be submitting for compliance less than a week prior to a launch.  The turnaround time for a compliance pass is advertised at 3-5 days.  When you submit for compliance, you should be in an early enough phase of your product cycle to be able to fix issues the compliance pass calls out.  Fully 30% of all submissions require some changes and resubmission.  You should be in a state where you are able to make these changes.  Code complete and 4 days from shipping does not meet this bar.  If you still need to discuss your compliance pass, email nscomp@microsoft.com

Q.         We have a Passport Manager based site we are upgrading to RPS.  Do we need to go through compliance again?

A.         Only new PPE site IDs being rolled into Production need to go through a compliance pass.  If the update to your site will use your existing Production Site ID, you will not need to go through the compliance process.  If you create a new PPE Site ID to simplify the development of the updated site (recommended) then you will need to request compliance to roll that new Site ID into Production.

Q.         We have a specific question regarding compliance.  Who can we speak to?

A.         Questions intended to clarify a compliance criteria should be directed to nscomp@microsoft.com.  Questions regarding technical implementation, configuration or other support should be directed to the Windows Live ID Developer Support team. 

AFFIRMATIONS (Criteria 1–8)

The following criteria describe measures your site must take to ensure proper functionality of the Windows Live ID service, and to protect personal information and the service from unauthorized access and use. Although these criteria are associated with no specific verification steps, you must affirm that your site has adopted and follows the practices they describe.

1. Your implementation is based on the RPS (Relying Party Suite) Libraries, and not the older Passport Manager Object.
2. You implement the Windows Live ID service in accordance with the most recent SDK, and use appropriate APIs
   Ensure your site does not hard code URLs and follows appropriate implementation guidelines as presented in the SDK.
3. You ensure that your RPSNetwork.xml file is downloading every 24 hours.
   To validate, simply delete the RPSNetwork.xml file, and refresh a Passport enabled page on your site.  RPS should automatically download and save an RPSNetwork.xml.
4. Non-browser implementations (compiled clients) using the Windows Live ID service must use the Identity Client Runtime Library (IDCRL).
5. Your site stores all Windows Live ID-derived personal information in an access-restricted environment.
   This information includes any user information retrieved using the Profile method, such as:

• First and last name
• NetID (formerly PUID)
• E-mail address
• Location (street address, zip code, country)

6. Your site never directly collects, stores, or transmits the Windows Live ID password of any user.
   In all cases, you use only Windows Live ID functionality to collect Windows Live ID credentials (for example, by redirecting to the Windows Live ID Login servers).
7. Certificates used in connection with Windows Live ID Authentication (CEK, DEK) MUST be handled in a secure manner.
   The Security Administrator for the site is assigned with the overall responsibility of protecting and managing these certificates, which should be stored in a restricted-access environment.
8. You have distinct certificates for test (INT / PPE) and Production environments
   Production certificates must never be used in an insecure test environment.

GENERAL REQUIREMENTS (Criteria 9 – 15)

The following criteria describe general measures your site must take to support the consistency of the Windows Live ID user experience.

9. All partner-hosted user-interface text conforms to brand usage guidelines.

Prerequisite:     None

Verification Steps	Expected Results
Go to the test site.
In the course of compliance verification, identify all user-interface text on the site that refers to the Windows Live ID service.	The user-interface text follows these guidelines: At first mention, the full service name and trademark (™) symbol after the phrase “Windows Live” appears as follows: Windows Live™ ID. After first mention, the trademark symbol may be omitted. The name of the service is never abbreviated. The words “Windows” and “Live”, as well as the term “ID”, must always use uppercase letters. Always include a single space between the words "Windows" and "Live", and “Live” and “ID”. Acknowledgement that your site or service is a Windows Live ID partner by displaying the Windows Live ID acceptance mark in the Sign In module. Messaging that the user will “Sign in to <your site’s name>.” The user is never asked to sign to “Windows Live ID” from your site. Windows Live ID is a Microsoft offering. Do not indicate or imply that Windows Live ID is a third-party or participant offering. Never refer to Windows Live ID as “<your site’s name> Windows Live ID” (e.g., "Adventure Works Windows Live ID"). In the trademark footnote, proper attribution appears, including attribution for the Windows Live ID logo as well as any other Microsoft trademarks used. For example, “Microsoft and the Windows Live ID logo are registered trademarks of Microsoft Corporation in theUnited Statesand/or other countries."

 

10. All partner-hosted user-interface text conforms to approved messaging guidelines.

Prerequisite:     None

 

Verification Steps	Expected Results
Go to the test site.
In the course of compliance verification, identify all user-interface text on the site that refers to the Windows Live ID service.	The user-interface text follows these messaging guidelines: Don’t have a Windows Live ID?  Sign up now! Use your Hotmail or MSNe-mail address to sign in to all Windows Live ID sites and services. <Site Name> accepts Windows Live ID!  Sign in now, or click here to learn more.

11. Your site’s cobranding images are hosted on a secure server and render correctly when signing in over HTTPS://.

Prerequisite:     None 

Verification Steps	Expected Results
Click the Sign In button.	All cobranding images are rendered correctly on the Windows Live ID Sign In page.
Click the Sign in using enhanced security link in the Windows Live ID Sign In module.	The Sign In page URL now has prefix of https://. There is no mixed-content warning indicating that the user is moving between secure and non-secure connections. All cobranding images render correctly on the Windows Live ID Sign In page.

12. Your site does not authenticate a Windows Live ID user or access profile information without receiving consent at least once.

Prerequisite:     None

Verification Steps	Expected Results
In the course of compliance verification, confirm that the user is required to: Click a Sign In button or text link. Enter their Windows Live ID. Acknowledge a statement saying the user will be signed in.	The user is required to complete at least one of the tasks described on the left before being authenticated.

13. Your site maintains a Platform for Privacy Preferences (P3P) XML document and compact policy.

Prerequisite:    The user is using Microsoft Internet Explorer version 6.0 or later, and is signed in using Windows Live ID

Verification Steps	Expected Results
In the browser (Internet Explorer 6.0 or later), select the Tools menu, choose Internet Options, and click the Privacy tab.
Move the Settings slider to Medium High and click OK.
Click the Windows Live ID Sign In button or text link on the site.	Windows Live ID sign-in is successful, and the button or text link changes state to Sign Out.
In Internet Explorer, from the View menu, click Web Page Privacy Policy.
Double-click the URL for the specific page you have signed into.	A summary of the site’s privacy policy appears.

14. A valid link to your privacy statement appears on the home page of your site.

Prerequisite:     None

Verification Steps	Expected Results
Locate and click the link to the site’s privacy statement.	Your site’s privacy statement is located, is in human readable format and conforms to current industry standards.

15. Your site, or your site’s privacy statement, has a link to the Microsoft Online Privacy Statement or the Windows Live ID Privacy Statement

Prerequisite:     None

Verification Steps	Expected Results
Locate and click the link to the Microsoft Online Privacy Statement or the Windows Live ID privacy statement on the site’s homepage.	The correct privacy statement appears.
If there is no link for either of the above Privacy Statements, open and review the site’s Privacy Statement.	The site’s privacy statement contains a link to the Windows Live ID Privacy Statement.

CRITERIA FOR WEB-BASED IMPLEMENTATION (Criteria 16–29)

16. Your site displays the Microsoft Windows Live ID Sign In button or text link to access the login servers.

Prerequisite:     The user must be signed out

Verification Steps	Expected Results
Go to all first-level or major navigation pages on the test site.	A Windows Live ID Sign In button or text link is present on each of the pages
Click the Windows Live ID Sign In or text link.	The user is redirected to a cobranded Windows Live ID Sign In page.

17. If your site uses an alternate link (“Logon” or “Sign In”) because it supports multiple authentication mechanisms, the link leads directly to a Windows Live ID Sign In button.

Prerequisite:     The test site supports other authentication methods in addition to Windows Live ID

Verification Steps	Expected Results
Go to all first-level or major navigation pages on the test site.	A Windows Live ID Sign In button or text link, or link to a page displaying a Windows Live ID Sign In button or text link, is present on each of the pages. If a link is displayed instead of the Sign In button, continue to Step 2.
Click the “logon” (or similarly named) link.	The user is redirected to a page that hosts the Windows Live ID Sign In button or text link

18. Your site retrieves the Windows Live ID Sign In button or text link from the Windows Live ID servers.

Prerequisite:     None

Verification Steps	Expected Results
Locate the Sign In button or text link on the test site.
Right-click the Sign In button.
Click Properties.	The Address URL contains either: passportimages-int.com (if the test site is in the Integration environment) passportimages-ppe.com (if the test site is in the Preproduction environment) passportimages.com (if the site is in Production)

 

19. Your site redirects to the Windows Live ID Login servers for sign-in.

Prerequisite:     None

Verification Steps	Expected Results
Move the mouse over the Windows Live ID Sign In button or text link on the test site.
Look at the URL displayed in the Status bar at the bottom of the browser.	The address string displayed on the Status bar contains either: login.live-int.com (if the test site is in the INT environment) login.ppe-live.com (if the test site is in the Preproduction environment) login.live.com (if the site is in Production)

20. Your site clears the Windows Live ID ticket and profile data from the query string in all instances in which this information is returned to your site.

Prerequisite:     None

Verification Steps	Expected Results
Click the Sign In button and look at the Address bar.	The query string in the Address bar following sign-in does not contain the t= or p= parameters.

21. Your company <displayname> correctly appears in the Sign In module header.

Prerequisite:  None

Verification Steps	Expected Results
On the test site, click the link to Sign In button.
View the Sign In module.	The <displayname> that is rendered in the header of the Sign In module is your company’s content.

22. Your cobranding image is rendered correctly on the Sign In page.

Prerequisite:      None

Verification Steps	Expected Results
Locate and click the Sign In button on the test site.
View the cobranding logo image.	The image is your company’s logo; the Sign In page is cobranded to offer customers a look and feel that is consistent with your site. The image is rendered correctly without distortion and fits entirely within the size constraint of 468 pixels wide by 60 pixels high. It appears directly above the Windows Live ID Sign In dialog box.
Right-click the cobranding logo image and then click Properties.	The image dimensions in the Properties dialog box are 468 pixels wide by 60 pixels high, as shown in the following example:

 

23. Your cobranding iFrames and content are rendered correctly and do not interfere with the functionality of the Windows Live ID Sign in module.

Prerequisite:     None

Verification Steps	Expected Results
Locate and click the Sign In button on the test site.
View the cobranding iFrames.	The content rendered is your company’s content; the Sign In page is cobranded to offer customers a look and feel that is consistent with your site. The iFrames   rendered correctly without distortion and the content fits entirely within the given size of the iFrame value uploaded in the cobranding XML file unless scroll bars were activated.

24. Users can successfully register an existing e-mail address by following links from your site.

Prerequisite:     Your site is not in the live.com domain, and not using the Windows Live Sign In page

Verification Steps	Expected Results
Click the link to register an existing e-mail account on the test site.	The Windows Live ID registration page appears.
Complete the registration form	Registration of the existing e-mail address for an account on the Windows Live ID succeeds. The User is returned to the page specified by your default return URL, and that page displays a Sign Out button.

25. Your cobranding iFrame and content is rendered correctly and does not interfere with the functionality of the Windows Live ID Registration page

Prerequisite:     None

Verification Steps

Expected Results

On the test site, click the link to register an email address.

The Windows Live ID Registration page appears. The header and footer iFrames are rendered with your company’s content; the Registration page is cobranded to offer customers a look and feel that is consistent with your site. The iFrame is rendered correctly without distortion and the content fits entirely within the given size of the iFrame value uploaded in the cobranding XML file unless scroll bars were activated.

26. Your site retrieves the Windows Live ID Sign Out button or text link from the Windows Live ID servers.

Prerequisite:     The user is signed in to the site or service on the Microsoft Windows Live ID

Verification Steps	Expected Results
Locate and right-click the Sign Out button on the test site.
Click Properties.	The URL in the Address box contains either: passportimages-int.com (if the test site is in the Integration environment) passportimages-ppe.com (if the test site is in the Preproduction environment) passportimages.com (if the site is in Production).

27. Your site redirects to the Windows Live ID Login servers for sign-out.

Prerequisite:     The user is signed in to the site or service on the Microsoft Windows Live ID

Verification Steps	Expected Results
Move the mouse over the Sign Out button or text link on the test site.
Look at the URL displayed in the Status bar at the bottom of the browser.	The address string displayed on the Status bar contains either: login.live-int.com (if the test site is in the INT environment) login.ppe-live.com (if the test site is in the Preproduction environment) login.live.com (if the site is in Production).

28. Your site displays a Windows Live ID Sign Out button or text link on top-level user-interface pages after the user signs in to Windows Live ID

Prerequisite:     Windows Live ID is the only authentication service on the test site, and the user is signed in using Windows Live ID

Verification Steps	Expected Results
Examine all first-level and major navigation pages on the test site.	A Windows Live ID Sign Out button or text link is present on each of the specified pages.

29. If your site uses an alternate link (“Logon” or “Sign In”) because it supports multiple authentication mechanisms, the link leads directly to a Windows Live ID Sign In button.

Prerequisite:     The test site supports other authentication methods besides Windows Live ID, and the user is signed in to the Windows Live ID

Verification Steps	Expected Results
Go to all first-level or major navigation pages on the test site.	A Windows Live ID Sign In button or text link, or link to a page displaying a Windows Live ID Sign Out button or text link, is present on each of the pages. If a link is displayed instead of the Sign Out button, continue to Step 2.
Click the “logoff” (or similarly named) link.	The user is redirected to a page that hosts the Windows Live ID Sign In button or text link

30. Your site confirms Windows Live ID sign-out and correctly executes the Expire Cookie URL.

Prerequisite:     The user is signed in using Windows Live ID

Verification Steps	Expected Results
Click the Sign Out button or text link.	The user is returned to the page specified by your Default Return URL, and the Windows Live ID button or text link changes state to Sign In. NOTE:  Your site’s P3P compact headers must be present on the page specified by your Expire Cookie URL.