Authentication without Live ID? RRS feed

  • Question

  • I would like to better understand HealthVault support for authentication scenarios where SSO with Live ID is not possible, as our application has it's own authorization mechanism (built on RSA ClearTrust).

    The Developer's Guide (pages 7-9) seems to indicate that custom authentication mechanisms (non-Live ID) are possible, perhaps by choosing the appropriate AuthenticatedConnection constructor with valid credentials?  What type of credentials would be supported?

    Also, after reading another forum post and reading the .CHM file on the OfflineWebApplicationConnectionClass, it seems like this might be an alternate approach to non-Live ID authentication.  Of course, I realize that a person would need a Live ID for initial account setup and management (questions on that in another post).

    So - has anyone attempted non-Live ID authentication?  What is supported/possible?  Thanks!!

    - Mark O
    Monday, October 22, 2007 7:49 PM


All replies

  • Currently, there is no option outside of LiveID for authentication.


    The current system ties together the user's authentication through Live ID and their approval for disclosing specific information to a specific application.


    I don't know what our specific plans are in this area, but because of the importance for customers to understand exactly what is happening with their data, I think that accepting external authentication methods is problematic.


    Monday, October 22, 2007 8:39 PM
  • Okay, I'll take your word for it, but an earlier forum post/reply on the topic of offline access caused me to think otherwise...

    My apparently incorrect interpretation of this previous post was that I could register my app for offline access.  The user would then have the option of giving my app it's requested permissions.  My app could store the person ID and record ID which it would later use from the OfflineWebApplicationConnection and HealthRecordAccessor classes.  Of course my application would still need to be authenticated to HealthVault via it's registered public key.  Perhaps, I might even need to be authenticated via Live ID at the time I give consent on those requested permissions - the previous post and documentation aren't clear.

    I think restricting authentication to Live ID is unfortunate.  I don't know the statistics, but I would guess that a fair percentage of trusted consumer health applications aren't currently Live ID sites.  Mine isn't.  I realize that LiveID provides a better SSO experience, but that's not always a requirement.  Rewriting our Authentication/Authorization framework is problematic.

    It would be great to allow a user to give permission to a site that THEY trust and use on a regular basis.  I'm talking about HealthVault registered and authenticated sites, not random sites.  Also, I'm sure that there are industry standards that could provide a solution here.


    - Mark O

    Monday, October 22, 2007 9:40 PM
  • Sorry that I wasn't clearer.


    You are correct that there is an offline access scenario, but (in general) it is intended to be used to enable additional scenarios rather than serve as a substitute for online authentication.


    Or, to put it another way, there's a higher bar before apps are going to be granted offline access (and also likely a higher bar before *users* will allow their data to be accessed offline).


    Having said that, there's definitely a case to be made to permit offline application access for some applications. If you'd like to have a discussion about your particular application, drop me a line and I'll hook you up with somebody who can talk particulars.


    Hope that helps.

    Monday, October 22, 2007 10:38 PM
  • Eric,

    Is it possible to synchronize partnered application with HealthVault via Live ID automatically, or it is necessary for user to enter Live ID credentials manually each time?

    Wednesday, November 14, 2007 7:53 PM
  • You can do that with Offline access, with a few qualifications. There's more info here:




    Wednesday, November 14, 2007 11:55 PM

    Thank you, Eric, now it is clear

    Thursday, November 15, 2007 3:45 PM