This is my first post (of four) about using SSO on BizTalk Server.
In this post I will show how to configure a 1-to-1 credential mapping in SSO. In the next three posts I will show how to access mapped credentials from code, how to use SSO directly in BizTalk adapters, and the most common use of SSO: storing key/value pairs.

It’s very easy to configure SSO to store credential mapping data.
First open the MMC console and choose the Enterprise Single Sign-On snap-in.

SSO1_1

Then choose Affiliate Applications and select “Create Application”.

SSO1_2

The application creation wizard starts. Choose “next”.

SSO1_3

For 1-to-1 credential mapping, select the “Individual” application type. To read about all mapping types, check http://msdn.microsoft.com/en-us/library/aa578204.aspx.
Enter the application name and description and leave the other options unchecked (if you are using a dev or single-server environment, check the option “Allow local accounts for access accounts”).

SSO1_4

Set the Windows group that will manage this affiliate application in the “Application Administrators” picker.
Set the Windows group for which mappings can be created in the “Application Users” picker.
You can read more about these settings at http://msdn.microsoft.com/en-us/library/aa561561.aspx.

SSO1_5

In the Options menu check the following options:

    • Enabled.
    • Allow Windows initiated SSO.
    • Tickets Allowed (with all ticket options selected).
    • Application Users cannot create mappings (a security measure only).

A ticket is an encrypted SSO context that contains the requesting user’s domain and username and the ticket’s expiration time.
You can read more about SSO tickets at http://msdn.microsoft.com/en-us/library/aa578039.aspx.

SSO1_6

In the Fields menu, choose the destination application attributes to map in this SSO affiliate application.
I have created 3 attributes (Mapped User, Password and Domain).
The User ID field is created by default and is the unique key of a mapped credential.
The masked attribute is used for password fields, and the synchronized attribute marks a field as used for password synchronization.
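The same “TestApp” affiliate application can be created from the command line with an ssomanage application definition file instead of the MMC snap-in. This is an added example, not code from the original post: the element and attribute names follow the SSO application definition file format as I recall it, the group names and contact address are placeholders, and the “Allow Windows initiated SSO” and “Application Users cannot create mappings” options are not covered by the file as shown (set them in the snap-in). Verify the file against the SSO documentation for your BizTalk version before use.

```powershell
# Added example (not from the original post): "TestApp" defined in an
# ssomanage application-definition file with the same four fields as the
# snap-in walkthrough. Element/attribute names are as I recall them from
# the SSO definition file format; group names are placeholders.
$appDefinition = @"
<sso>
  <application name="TestApp">
    <description>Test affiliate application for 1-to-1 credential mapping</description>
    <contact>biztalk-admins@example.com</contact>
    <!-- placeholder groups: replace with the real Application Users / Administrators groups -->
    <appUserAccount>CONTOSO\SSOAppUsers</appUserAccount>
    <appAdminAccount>CONTOSO\SSOAppAdmins</appAdminAccount>
    <!-- ordinal 0 is the User ID field, the unique key of each mapping -->
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Mapped User" masked="no" />
    <!-- masked="yes" hides the value in the snap-in and on listing -->
    <field ordinal="2" label="Password" masked="yes" />
    <field ordinal="3" label="Domain" masked="no" />
    <!-- individual (non-group) application, tickets allowed, enabled;
         allowLocalAccounts="yes" only on a dev / single-server box -->
    <flags groupApp="no" configStoreApp="no" allowTickets="yes" validateTickets="yes"
           timeoutTickets="yes" allowLocalAccounts="yes" adminAccountSame="no" enableApp="yes" />
  </application>
</sso>
"@

$defFile = Join-Path $env:TEMP 'TestApp.xml'
Set-Content -Path $defFile -Value $appDefinition -Encoding UTF8

# ssomanage is installed with Enterprise Single Sign-On; run this from an
# account that is an SSO administrator (assumed to be on the PATH here).
ssomanage -createapps $defFile

# Confirm the application and its field list look like the snap-in result.
ssomanage -listapps
ssomanage -displayapp TestApp

# The definition file holds no secrets, but do not leave it lying around.
Remove-Item $defFile
```

The definition file only describes the application and its fields; credential values are never written into it, which is the reason the mapping and its credentials are created in a separate step.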

SSO1_7

The affiliate application is created successfully.

SSO1_8

After creating the affiliate application it’s very easy to create a mapped credential.
Just go to the Affiliate Applications menu, select the previously created “TestApp” application and choose the “New Mapping” option.

SSO1_9

In the “Create New Mapping” menu, select the Windows account to map and the unique destination account name to map it to.
Check the “Set credentials for this mapping” option.

SSO1_10

In the Set Credentials menu, enter the mapped data.
The User ID could be used to store the mapped user name, but beware: the User ID must be unique. That is why I created the MappedUser field, because I can have multiple source accounts mapped to the same destination account data.
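The “New Mapping” and “Set Credentials” steps can also be scripted with ssomanage. This is an added example, not code from the original post: the mapping file element names are as I recall them from the SSO mapping file format, and the domain, user and application names are placeholders. It also shows why the post keeps a separate Mapped User field: the User ID is the unique key of the mapping, so two Windows accounts that share one back-end account still need two distinct User IDs.

```powershell
# Added example (not from the original post): create the 1-to-1 mapping for
# the "TestApp" affiliate application and then set its credentials.
# Element names follow the SSO mapping file format as I recall it;
# CONTOSO\jdoe and the User ID values are placeholders.
$mappingFile = Join-Path $env:TEMP 'TestApp-mapping.xml'

@"
<sso>
  <mapping>
    <windowsDomain>CONTOSO</windowsDomain>
    <windowsUserId>jdoe</windowsUserId>
    <externalApplication>TestApp</externalApplication>
    <!-- externalUserId fills the User ID field and must be unique per
         mapping. A second Windows account that maps to the same back-end
         account gets a different value here; the shared back-end account
         name goes in the "Mapped User" field when credentials are set. -->
    <externalUserId>jdoe-testapp</externalUserId>
  </mapping>
</sso>
"@ | Set-Content -Path $mappingFile -Encoding UTF8

ssomanage -createmappings $mappingFile
Remove-Item $mappingFile    # the mapping file itself contains no secret material

# Set the field values (Mapped User, Password, Domain) for this mapping.
# ssomanage prompts for each value interactively, so the password is not
# placed on the command line or recorded in the shell history.
ssomanage -setcredentials 'CONTOSO\jdoe' TestApp

# Verify the mapping exists; masked fields such as Password are not displayed.
ssomanage -listmappings 'CONTOSO\jdoe'
```

Because `-setcredentials` reads the values interactively, this step is the one that cannot be run unattended; the mapping creation itself can be scripted for many accounts by adding more `<mapping>` elements to the file.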

SSO1_11

The new mapped credential appears in the “TestApp” affiliate application mapped credentials.

SSO1_12

In the next post I will show how to read the mapped credential data from code, for use in, for example, a BizTalk orchestration or pipeline.

2 COMMENTS

  1. Hello Tiago,
    Though I have worked on BizTalk for some time, I have never used SSO affiliate applications. So I was going through this article but finding it hard to understand, I guess because I don’t know why to use SSO affiliate applications, so other things are not making sense to me. Would you please let me know why to create SSO affiliate applications? What are its benefits?

    • Hello Ram

      Sorry for the late response.

      SSO affiliate applications are used for credential mapping.
      The use case, for example, is when you want to perform automatic mapping between a Windows credential and an Oracle credential.
      The Oracle adapter can be configured to obtain the previously mapped Oracle credential and use it in the Oracle connection.
      All the credentials are encrypted in the SSO database, so they are not exposed to possible security risks.

      The main benefits are: Security and development agility.
