To configure and set configuration data, Microsoft has an MMC Snap-In called “SSO Configuration Application”, that allow us to create and manipulate applications and their properties (http://www.microsoft.com/en-us/download/details.aspx?id=14524).

From the community there are several tools to set SSO configuration. The most well know was created by Richard Seroter in 2007 that allow us to manipulate previously created properties in an easy way (http://seroter.wordpress.com/2007/09/21/biztalk-sso-configuration-data-storage-tool/).  There are also some Richard Seroter tool improvements, like a version from Mark Burch in http://biztorque.net/archive/2010/06/07/74.aspx, that allow us to create new SSO properties.

BizTalk Deployment Framework also include an SSO module, that use a different approach of using the Excel to set SSO config data in each environment (http://biztalkdeployment.codeplex.com/).

To get configuration from SSO by code, you can use “SSOConfigHelper.cs” included in Microsoft BizTalk Server 2006 SDK, but still working with the latest Biztalk server versions (http://www.getcodesamples.com/src/2B2085E1/C4A921B1).
Just get the code and include “Microsoft.BizTalk.Interop.SSOClient.dll” in SSO install folder (for example C:\Program Files\Common Files\Enterprise Single Sign-On\Interop1.1\Microsoft.BizTalk.Interop.SSOClient.dll) and call the read method, setting the previous create application and property name.

Hope that 4 posts about SSO will help you to use SSO more frequently in BizTalk programming.

The post BizTalk Server Single Sign On – Save config data in SSO appeared first on Blog IT.

The SSO configuration to support this feature is very easy.
First enter SSO Administration tool, and create a new affiliate application with the above settings (you can put any name in the application name):

In BizTalk Server Administration, when setting the receive location configuration, set the use SSO option, and use an isolated host with a running account that belongs to the SSO application administrators group (images above).

In the send port adapter configuration set the affiliate application created earlier.

To finalize the configuration, you must set SSO to allow ticket usage (by default is not allowed).
Execute the following instruction in the command prompt “ssomanage -tickets yes” (http://msdn.microsoft.com/en-us/library/aa559512.aspx)

The credential mapping is working without any “hand made” code creation.

The post BizTalk Server Single Sign On – Using SSO with adapters appeared first on Blog IT.

First create a new affiliate application and a credential mapping as i show in the last post.

1. Create a new class library project called “Test.SSO”
2. Add a reference to the assembly “Microsoft.BizTalk.Interop.SSOClient.dll”, located in “C:\Program Files\Common Files\Enterprise Single Sign-On”
3. Add the following code in a new class called SSOManager

   using System;
   using System.Collections;
   using System.Collections.Specialized;
   using Microsoft.BizTalk.SSOClient.Interop;
   namespace Test.SSO
   {
        public static class SSOManager
        {
             /// <summary>
             /// Get external application credentials.
             /// </summary>
             /// <param name="ticket">Credential ticket generated by biztalk receive port.</param>
             /// <param name="appName">Application name to get external credentials.</param>
             /// <param name="userAccount">User account to get external credentials.</param>
             /// <returns>ArrayList with mapped credentials.</returns>
             public static ArrayList GetExternalApplicationCredentials(string ticket, string appName, string userAccount)
             {
                  ISSOTicket ssoTicket = new ISSOTicket();
                  string externalUsername;
                  string[] credentials = ssoTicket.RedeemTicket(appName, userAccount, ticket, SSOFlag.SSO_WINDOWS_TO_EXTERNAL, out externalUsername);
   
                  if (credentials == null || credentials.Length == 0 || String.IsNullOrWhiteSpace(externalUsername))
                  {
                       return null;
                  }
   
                  ArrayList credentialsList = new ArrayList();
                  credentialsList.Add(externalUsername);
                  credentialsList.AddRange(credentials);
                  return credentialsList;
             }
        }
   }
   

4. Create a new Orchestration called SSOOrch
5. Include a reference to the previous created class library
6. Publish a new wcf service  using “WCF Service Publishing Wizard” and publish it at basic auth (http://msdn.microsoft.com/en-us/library/bb226564.aspx)
7. Set the Orchestration receive location to receive messages from the service created
8. Configure the receive location security área like the following image, but checking “Use Single-On” option.
   
9. Create na Orchestration variable called ssoMapping as ArrayList
10. Add a new expression shape in the orchestration
11. Add the following code in the previous expression Shape (TestApp is the name of the affiliate application previously created)
    ssoMapping = Test.SSO.SSOManager.GetExternalApplicationMapping(SSOOrch(BTS.SSOTicket), “TestApp”, SSOOrch(BTS.WindowsUser));
12. Complete the orchestration by setting a send shape to file system.
13. Deploy the orchestration and set the regular configurations, but very important – set an host instance with an account that belongs to a SSO application administration group
    
14. Invoke the previously created wcf service with an account that you have set in the SSO mapping.
15. If you debug the orchestration, you will get in the ssoMapping ArrayList 4 parameters with the data you have set in “User Id”, “MappedUser”, “”MappedPassword” and “MappedDomain” as you see in the next image.
    

Hope this example will help you to easily use SSO in BizTalk Server.
Happy coding.

The post BizTalk Server Single Sign On – Get mapped credential by code appeared first on Blog IT.

It’s very easy to configure SSO to store credential mapping data.
First access mmc console and choose Enterprise Single-Sign-On application.

Then choose Affiliate Applications and select “Create Application”.

The application creation wizard starts. Choose “next”.

For 1 on 1 credential mapping, select “Individual” application Type. To read about all mapping types, check http://msdn.microsoft.com/en-us/library/aa578204.aspx.
Select the application name, description and leave the other options unchecked (if you are using dev or single server, check the option “Allow local accounts for access accounts”).

Set the Windows group that will manage this Affiliate Application in the “Application Administrators” picker.
Set the windows group for which mappings can be created in “Application Users” picker.
You can check more about this configurations in http://msdn.microsoft.com/en-us/library/aa561561.aspx.

In the Options menu check the following options:

• • Enabled.
  • Allow Windows initiated SSO.
  • Tickets Allowed (with all ticket options selected).
  • Application Users cannot create mappings (only a security measure).

A ticket is a kind of SSO encrypted context, that contains the request user domain and username and the ticket expiration time.
You can check more info about SSO tickets in  http://msdn.microsoft.com/en-us/library/aa578039.aspx.

In the fields menu, you must choose the destiny application attributes to map in this SSO affiliate application.
I have created 3 attributes (Mapped User, Password and Domain).
The User ID mapping is created by default and is a mapped credential unique key.
The masked attribute is used for the password fields, and the synchronized attribute determines that the field is used for password synchronization.

The affiliate application is created successfully.

After creating the affiliate application it’s very easy to create a mapped credential.
Just go to the Affiliate Applications menu, select the previously created “TestApp” application and “New Mapping” option.

In the “Create New Mapping” menu select the windows account to map and the unique destiny account name to map.
Check the “Set credentails for this mapping” option.

In the Set Credentials menu, set the mapped data.
The user id can be used to store the mapped user data, but beware because user id must be unique. So I have created the MappedUser field, because I can have multiple source accounts to map to the same destiny account data.

The new mapped credential appears in the “TestApp” affiliate application mapped credentials.

In the next post I will show how to get the mapped credentials data by code, to use for example in a BizTalk Orchestration or Pipeline.

The post BizTalk Server Single Sign On Configuration appeared first on Blog IT.