Setting up Web Services at Partner Center
The following article is for Managed Partners only, not for the Creators Program, due to restrictions placed on web service configuration. Web Services configuration is only available to developers with the Relying Parties account level permission granted. If you do not have control of your account level permissions, contact your Development Account Manager (DAM) for assistance.
Publishers can create web services if they want to customize the way their apps/titles interact with Xbox Live services. Web services are publisher-level configurations and can be called by any title within a sandbox owned by the publisher by configuring single sign-on.
Reasons to define web services:
- Providing single sign-on to Xbox Live users - In order for your web service to provide single sign-on to Xbox Live users, it needs to be configured as a relying party of Xbox Live. When configured that way, users who are authenticated to Xbox Live will automatically be authenticated to your service without having to re-enter a different set of credentials.
- Making service-to-service calls from your service to Xbox Live services - If your product will use one of your web services to make calls to an Xbox Live service, either directly or on behalf of individual users, you'll need a business partner certificate.
Create a Web Service
- Go to the Partner Center Dashboard.
- Click the gear-shaped icon at the top right corner of the page to access the Settings dropdown.
- Within the dropdown, select Developer Settings.
- On the left-side navigation bar, expand the option Xbox Live and select Web Services.
- In the Web Services page, click on New Web Service.
- Enter the Web Service Name and choose the access type as required.
  - Telemetry access enables your service to retrieve game telemetry data for any of your games.
  - App Channel access gives the media provider owning the service the authority to programmatically publish app channels for consumption on console through the OneGuide twist.
- Click Save.
At this point, you have defined the service and Xbox Live is aware of the existence of the service. Depending on the reasons for creating the web service, you will be required to configure Relying Parties (Single Sign-On) or Business Partner Certificates (Service-to-service calls).
Configure Relying Party
A web service needs to be configured as a relying party of Xbox Live in order to provide the Single Sign-On experience to Xbox Live users. Users who are authenticated to Xbox Live will be automatically authenticated to the web service without having to re-enter a different set of credentials.
To facilitate this, trust must be established between Xbox services and the web service. A set of claims (such as gamertag, device type, title ID) is used as part of the relying party configuration to enforce this trust. This is the information exchanged between Xbox Live and the web service to help automatically authenticate users.
Create a Relying Party
- Go to the Partner Center Dashboard.
- Click the gear-shaped icon at the top right corner of the page to access the Settings dropdown.
- Within the dropdown, select Developer Settings.
- On the left-side navigation bar, expand the option Xbox Live and select Relying Parties.
- On the Relying Parties page, click on New Relying Party.
- Enter a URI for the relying party in this format: example.com.
- Select the encryption type to be used to ensure security of the relying party service.
- If you selected Symmetric Encryption with shared keys in the previous step, click on Generate new key to get a new shared key. Follow the instructions on the screen to securely save the key.
- Enter the Token Life Time in hours.
- Under Claims, the dropdown offers a list of claims that your relying party service can use for the purpose of authentication. Select all the claims that you want to use. The selected claims will appear below the dropdown. Some standard claims will be populated in that space by default.
- Click Save when you're done.
Configure a Business Partner Certificate
If your product will use one of your web services to make calls to an Xbox Live service, either directly or on behalf of individual users, you'll need a business partner certificate.
Generate a Business Partner Certificate
Proceed with the steps below after successfully creating a Web Service.
- On the Web Services page, find the web service that you want to associate a Business Partner Certificate with.
- Select the Generate Certificate link against the chosen web service.
- Click on Show Options next to Generating a New Certificate. This will display commands that should be run from PowerShell with Administrator privileges.
- Running all the commands one after the other should produce a Base64-encoded blob. This is the public key. Copy the public key from PowerShell and paste it in the placeholder for the CSP Blob.
- Click Download and follow the instructions on the page for Binding the certificates.
- Use the same computer you used to generate the public key.
- Run this command in PowerShell: mmc.exe
- Select File and select Add/Remove Snap In.
- Select Certificates and select Add. Make sure to select Computer Account for the certificate snap-in and then click Finish and click OK.
- Open the Personal\Certificate store.
- Right-click on Certificates and select All Tasks and select Import.
- Select the certificate you downloaded from UDC.
- Right-click on the certificate in the UI after it was imported and select All Tasks and select Export.
- Follow the Export wizard and be sure to select the option to export the private key with the certificate.
- Finish the Export wizard.
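The import and export steps above can also be scripted. The following is an added example, not part of the original article or of the commands Partner Center displays. It assumes the import binds the downloaded certificate to the key generated earlier on the same computer, and both file paths are placeholders.

```powershell
# Added example: scripted equivalent of the MMC import/export steps.
# Run in an elevated PowerShell session on the computer that generated the public key.
# Both paths below are placeholders; replace them with your own locations.
$cerPath = 'C:\certs\business-partner.cer'   # certificate downloaded from the portal (placeholder)
$pfxPath = 'C:\certs\business-partner.pfx'   # export target (placeholder)

# Import into the Computer account's Personal store, the same store the
# MMC steps select (Certificates > Computer Account > Personal).
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\My'

# Re-read the certificate from the store so HasPrivateKey reflects what is
# actually stored there, not the file that was just loaded.
$cert = Get-Item -Path ("Cert:\LocalMachine\My\{0}" -f $imported.Thumbprint)

# The export is only useful if the private key generated earlier is bound
# to this certificate. Stop here if it is not, for example because the
# import ran on a different computer than the one that generated the key.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in the local machine store."
}

# Show what is about to be exported so the operator can confirm it.
"Subject:    {0}" -f $cert.Subject
"Thumbprint: {0}" -f $cert.Thumbprint
"Expires:    {0:u}" -f $cert.NotAfter

# Prompt for the PFX password instead of hard-coding it in the script.
$password = Read-Host -Prompt 'Password to protect the exported PFX' -AsSecureString

# Export the certificate together with its private key. This call fails
# if the key was created as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

"Exported certificate and private key to $pfxPath"
```

The resulting PFX file contains the private key, so store it and its password with the same care as any other service credential.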