Implementing Single Sign-On

The Single Sign-On (SSO) capabilities provided with MOSS allow you to configure stored application passwords for individuals and groups. This allows smooth, integrated access between applications without the continual password prompts that irritate users. Additionally, SSO gives you the capability to provide application access to groups of users that you would not normally give individual access to, without having to distribute the username and password to them. You can embed application integration within SharePoint and provide seamless information access.

The following components of MOSS can leverage SSO capabilities:

  • Excel Services

  • InfoPath Services

  • Business Data Catalog

  • Key Performance Indicators

  • SharePoint Designer DataForm Web Part

  • Custom Web Parts

To implement SSO to support your BDC application, follow these steps:

1. On all Web front end servers and application servers in your SharePoint farm, start the Microsoft Single Sign-on Service.

2. Log on to the server that will be configured as the master secret server for SSO and configure SSO.

3. Create a new SSO encryption key.

4. Create an enterprise application definition for your BDC application.

5. Set the password for your application definition.

6. Modify your BDC application definition file to use single sign-on.

Starting the Single Sign-On Service

The single sign-on service must be started on each web front end and application server in your farm. To start the service, follow these steps:

1. For each front end server and application server, go to Start → Administrative Tools → Services and select the Microsoft Single Sign-on Service.

2. On the General tab of the SSO Properties dialog box, configure the Startup type selection as Automatic, as shown in Figure 17.2.

Figure 17.2. Setting the Microsoft Single Sign-On Service to start automatically

3. Click the Log On tab, select the This account radio button, enter your farm admin service account and password, and confirm the password again.

4. Click Apply.

5. Click the General tab and select the Start button.

6. Click OK.
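The same settings can be applied to every server from one place. The following PowerShell script is an added example, not code from the book: it sets the startup type to Automatic, sets the log-on account, starts the service and reports its state on each server. It assumes the service's short name is SSOSrv (confirm with Get-Service on one of your servers), and the server names and the account CONTOSO\svc-farm are placeholders; you need local administrator rights on each server and an elevated PowerShell prompt.

```powershell
# Added example (not from the book): configure and start the Microsoft Single Sign-on
# Service on every web front end and application server in the farm.
# Assumptions: short service name 'SSOSrv'; server names and the account
# CONTOSO\svc-farm are placeholders; run elevated as a local administrator of each server.

$servers        = @('wfe01', 'wfe02', 'app01')   # constructed farm server names
$serviceName    = 'SSOSrv'
$serviceAccount = 'CONTOSO\svc-farm'

# Prompt once for the service account password rather than embedding it in the script.
$cred     = Get-Credential $serviceAccount
$password = $cred.GetNetworkCredential().Password

foreach ($server in $servers) {
    # Startup type Automatic plus the log-on account (General and Log On tabs).
    # sc.exe requires the space after 'start=', 'obj=' and 'password='.
    & sc.exe "\\$server" config $serviceName start= auto obj= $serviceAccount password= $password | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0}: sc.exe config failed with exit code {1}" -f $server, $LASTEXITCODE)
        continue
    }

    # Start the service and wait until it reports Running.
    $svc = Get-Service -ComputerName $server -Name $serviceName
    if ($svc.Status -ne 'Running') {
        $svc.Start()
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    $svc.Refresh()

    # Report startup mode and state so a wrong setting on one server is visible at once.
    $wmi = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='$serviceName'"
    "{0}: {1} startup={2} status={3}" -f $server, $serviceName, $wmi.StartMode, $svc.Status
}

# Do not leave the clear-text password in the session.
Remove-Variable password, cred
```

One difference from the Services console: sc.exe does not grant the account the "Log on as a service" right, which the console does silently when you save the Log On tab. Make sure the farm admin service account already has that right (through Local Security Policy or Group Policy) on each server, or the service will fail to start with a logon failure.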

Configuring SSO

Once started, you will need to configure single sign-on on the server that you want to be the master SSO server. This configuration tells SharePoint where to store SSO data and who is authorized to manage SSO. To configure SSO, follow these steps:

1. Use terminal services or directly log on to the physical machine that will be the SSO master secret server.

2. Open SharePoint Central Administration from Start → Administrative Tools → SharePoint 3.0 Central Administration.

3. Click the Operations tab.

4. Select Manage settings for single sign-on in the Security Configuration section.

5. Select Manage server settings and enter the farm admin account in the Single Sign-On Administrator Account field and the Enterprise Application Definition Administrator Account field.

6. Enter the timeout value in the Ticket time out (in minutes) field for how long you would like the ticket to stay valid between the time it is issued and the time the enterprise application validates it. The recommended value is two minutes.

7. Click OK.

Creating a new SSO encryption key

The SSO encryption key is used to encrypt and decrypt the credentials stored in SSO. The key needs to be created on the master SSO server. This key can be re-generated using these steps as well if you suspect that the account credentials have been compromised or as part of your regular password and security changes. To create the encryption key, follow these steps:

1. Use terminal services or directly log on to the physical machine that will be the SSO master secret server.

2. Open SharePoint Central Administration from Start → Administrative Tools → SharePoint 3.0 Central Administration.

3. Click the Operations tab.

4. Select Manage settings for single sign-on in the Security Configuration section.

5. Select Manage encryption key.

6. Click Create Encryption Key and click OK on the Create Encryption Key page to re-encrypt stored credentials with the new key. This allows user credentials to be stored with the new key without the users having to re-enter their passwords.

Note

It is a good idea to back up the encryption key every time a new one is created. You can back up the key to a local drive and then store it so that it is available if you need to restore or move the security credentials.


Creating an enterprise application definition

An enterprise application definition is created for each application that you will be using SSO to connect to. The enterprise application definition provides a name that will be used in your BDC connection information and defines the fields that are needed to authenticate to the application. Create an enterprise application definition for each application for which you will be storing credentials, using these steps:

1. Open SharePoint Central Administration.

2. Click the Operations tab.

3. Select Manage settings for single sign-on in the Security Configuration section.

4. Select Manage settings for enterprise application definitions.

5. Click New Item in the top navigation bar.

6. Enter a name for your enterprise application definition in the Display name field.

7. Enter the application name that is used in your BDC application in the Application name field.

8. Enter a contact e-mail address for the application definition.

9. Select Group if you would like to allow all users to connect with the credentials stored in SSO. If you would like users to enter credentials the first time they connect to the application, select Individual.

10. If your application supports Windows authentication, select the Windows authentication check box.

11. Use the fields in the Logon Account Information area to define which authentication fields are required for the application, as shown in Figure 17.3. For each, decide whether you would like the field to be masked (hidden as if you were entering a password) when the user types in the value.

Figure 17.3. Defining an enterprise application definition


Setting the password for the application definition

The final step in configuring SSO is to store the authentication credentials for each enterprise application definition. SSO will prompt for each authentication field that you provided in the enterprise application definition and, if it is a group definition, you will set the group that is authorized to use it.

To set the password for the application definition, follow these steps:

1. Open SharePoint Central Administration.

2. Click the Operations tab.

3. Select Manage settings for single sign-on in the Security Configuration section.

4. Select Manage account information for enterprise application definitions.

5. Select the application for which you want to enter credentials.

6. Enter the group that will be allowed to use this application definition in the Group account name field.

7. Select Update account information.

8. Click Set.

9. Enter the values for the fields that you defined on the Provide Account Information page.

10. Click OK.

11. Click Done.

Modifying your BDC application definition to use SSO

After SSO has been configured, you will need to modify the LobSystemInstance properties in your BDC application definition file so that the connection uses SSO authentication. The SsoApplicationID value must match the Application name you gave the enterprise application definition.

  <LobSystemInstances>
    <LobSystemInstance Name="AdventureWorksSampleInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">WindowsCredentials</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">ServerName</Property>
        <!-- If you are connecting to a named instance use the format servername\instance -->
        <Property Name="RdbConnection Initial Catalog" Type="System.String">DatabaseName</Property>
        <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
        <Property Name="RdbConnection Pooling" Type="System.String">false</Property>
        <Property Name="SsoApplicationID" Type="System.String">ApplicationDefinitionName</Property>
        <!-- This name should match the Application Definition name as defined in SSO. -->
        <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.SharePoint.Portal.SingleSignOn.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignOn, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
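A definition file that is missing one of these properties, or that carries a stale SsoApplicationID, fails only when a user first hits the BDC entity, so it is worth checking the file before importing it. The following PowerShell script is an added example and not code from the book or from SharePoint: it loads a BDC application definition file, checks every LobSystemInstance for the four SSO-related properties shown above, and with -Fix adds or corrects them. The file path and the SsoApplicationId default are placeholders; the provider string is the one from the snippet above. Elements are matched by local name so the script works whether or not the file declares the BDC schema namespace on its root element.

```powershell
# Added example (not from the book): check, and optionally fix, the SSO properties of
# every LobSystemInstance in a BDC application definition file.
# Assumptions: the file path and SsoApplicationId defaults are placeholders; the
# SsoProviderImplementation value is the one from the chapter's snippet.
param(
    [string]$DefinitionFile   = 'C:\bdc\AdventureWorks.xml',     # placeholder path
    [string]$SsoApplicationId = 'ApplicationDefinitionName',     # SSO application name
    [switch]$Fix                                                 # write corrections back
)

# Property name -> value expected for an SSO-backed Windows credentials connection.
$required = @{
    'AuthenticationMode'                = 'WindowsCredentials'
    'RdbConnection Integrated Security' = 'SSPI'
    'SsoApplicationID'                  = $SsoApplicationId
    'SsoProviderImplementation'         = 'Microsoft.SharePoint.Portal.SingleSignOn.SpsSsoProvider, Microsoft.SharePoint.Portal.SingleSignOn, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'
}

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true      # keep the file's formatting when saving
$doc.Load($DefinitionFile)

$problems = 0
foreach ($inst in $doc.SelectNodes("//*[local-name()='LobSystemInstance']")) {
    $instName = $inst.GetAttribute('Name')
    $props = $inst.SelectSingleNode("*[local-name()='Properties']")
    if ($props -eq $null) {
        "{0}: no <Properties> element" -f $instName
        $problems++
        continue
    }

    foreach ($name in $required.Keys) {
        $expected = $required[$name]
        $node = $props.SelectSingleNode("*[local-name()='Property'][@Name='$name']")
        if ($node -ne $null -and $node.InnerText.Trim() -eq $expected) { continue }

        $problems++
        if ($node -eq $null) {
            "{0}: missing property '{1}'" -f $instName, $name
        } else {
            "{0}: '{1}' is '{2}', expected '{3}'" -f $instName, $name, $node.InnerText.Trim(), $expected
        }

        if ($Fix) {
            if ($node -eq $null) {
                # Create the element in the same namespace as its parent (none, or the BDC schema).
                $node = $doc.CreateElement('Property', $props.NamespaceURI)
                $node.SetAttribute('Name', $name)
                $node.SetAttribute('Type', 'System.String')
                [void]$props.AppendChild($node)
            }
            $node.InnerText = $expected
        }
    }
}

if ($Fix -and $problems -gt 0) {
    $doc.Save($DefinitionFile)
    "Saved corrections to {0}" -f $DefinitionFile
}
"{0} property problem(s) found" -f $problems
```

Run it as `.\Check-BdcSso.ps1 -DefinitionFile .\AdventureWorks.xml -SsoApplicationId AdventureWorks` to report, and add `-Fix` to write the corrections back before you import the definition. The check on RdbConnection Integrated Security only applies to the WindowsCredentials mode shown in the snippet; if your application definition uses a username and password stored in SSO instead (AuthenticationMode of Credentials), remove that entry from the $required table.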
