This is my first post (in a total of four) about using SSO on BizTalk Server.
In this post I will show how to configure a one-to-one credential mapping in SSO. In the next three posts I will show how to access mapped credentials from code, how to use SSO directly in BizTalk adapters, and the most common use of all: storing key/value pairs.
It’s very easy to configure SSO to store credential mapping data.
First, open the MMC console and choose the Enterprise Single Sign-On snap-in.
Then choose Affiliate Applications and select “Create Application”.
The application creation wizard starts. Choose “next”.
For one-to-one credential mapping, select the “Individual” application type. To read about all mapping types, see http://msdn.microsoft.com/en-us/library/aa578204.aspx.
Enter the application name and description, and leave the other options unchecked (if you are on a development or single-server machine, check the option “Allow local accounts for access accounts”).
Set the Windows group that will manage this Affiliate Application in the “Application Administrators” picker.
Set the Windows group whose members can have mappings created in the “Application Users” picker.
You can read more about these settings at http://msdn.microsoft.com/en-us/library/aa561561.aspx.
In the Options menu check the following options:
- Allow Windows initiated SSO.
- Tickets Allowed (with all ticket options selected).
- Application Users cannot create mappings (purely a security measure).
A ticket is an encrypted SSO context that contains the requesting user's domain and username and the ticket's expiration time.
You can find more information about SSO tickets at http://msdn.microsoft.com/en-us/library/aa578039.aspx.
In the Fields menu, you must define the destination application attributes that this SSO affiliate application will map.
I have created three attributes (Mapped User, Password and Domain).
The User ID field is created by default and is the unique key of a mapped credential.
The Masked attribute is used for password fields, and the Synchronized attribute marks a field as used for password synchronization.
The affiliate application is created successfully.
After creating the affiliate application it’s very easy to create a mapped credential.
Just go to the Affiliate Applications menu, select the previously created “TestApp” application and choose “New Mapping”.
In the “Create New Mapping” menu select the Windows account to map and the unique destination account name it maps to.
Check the “Set credentials for this mapping” option.
In the Set Credentials menu, set the mapped data.
The User ID could be used to store the mapped user name, but beware: the User ID must be unique. That is why I created the MappedUser field, because I can have multiple source accounts mapped to the same destination account data.
The new mapped credential appears in the “TestApp” affiliate application mapped credentials.
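The same affiliate application and mapping can be scripted instead of clicked through in the MMC snap-in, which is handy for reproducing the configuration on a second server. The PowerShell script below is an added example, not code from the original post; it uses ssomanage.exe, which ships with Enterprise SSO. The XML element and attribute names follow the ssomanage import format as I recall it (verify them against the ssomanage documentation for your BizTalk version), and CONTOSO\SsoAdmins, CONTOSO\SsoUsers, CONTOSO\jdoe and jdoe-ext are placeholder accounts.

```powershell
# Added example: script the "TestApp" affiliate application and one 1:1 mapping
# with ssomanage.exe instead of the MMC snap-in.
# Assumptions: ssomanage.exe is on the PATH (default location is
# "C:\Program Files\Common Files\Enterprise Single Sign-On"), the XML format
# below matches the ssomanage import schema, and all account names are placeholders.
$ErrorActionPreference = 'Stop'

$appName    = 'TestApp'
$adminGroup = 'CONTOSO\SsoAdmins'   # placeholder: Application Administrators group
$userGroup  = 'CONTOSO\SsoUsers'    # placeholder: Application Users group
$mappedUser = 'CONTOSO\jdoe'        # placeholder: Windows account to map

# ssomanage is a native exe, so $ErrorActionPreference does not catch failures;
# check the exit code explicitly after every call.
function Invoke-SsoManage {
    param([string[]]$Arguments)
    & ssomanage @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ssomanage $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Affiliate application definition. The flags mirror the Options page of the post:
# tickets allowed with all ticket options, local accounts allowed (dev box),
# and an "Individual" application (not a group or config-store application).
# Ordinal 0 is the User ID field that SSO creates by default; Password is masked.
$appXml = @"
<sso>
  <application name="$appName">
    <description>1:1 credential mapping test application</description>
    <contact>sso-owner@contoso.example</contact>
    <appUserAccount>$userGroup</appUserAccount>
    <appAdminAccount>$adminGroup</appAdminAccount>
    <field ordinal="0" label="User ID"     masked="no" />
    <field ordinal="1" label="Mapped User" masked="no" />
    <field ordinal="2" label="Password"    masked="yes" />
    <field ordinal="3" label="Domain"      masked="no" />
    <flags groupApp="no" configStoreApp="no" allowTickets="yes" validateTickets="yes"
           timeoutTickets="yes" allowLocalAccounts="yes" adminAccountSame="no"
           enableApp="yes" />
  </application>
</sso>
"@

# One mapping: the Windows user maps to the external (destination) account
# "jdoe-ext" in TestApp. externalUser is the unique User ID from the post.
$mapXml = @"
<SSOMappings>
  <mapping>
    <windowsDomain>CONTOSO</windowsDomain>
    <windowsUserId>jdoe</windowsUserId>
    <externalApplication>$appName</externalApplication>
    <externalUser>jdoe-ext</externalUser>
  </mapping>
</SSOMappings>
"@

$appFile = Join-Path $env:TEMP 'testapp-app.xml'
$mapFile = Join-Path $env:TEMP 'testapp-mapping.xml'
Set-Content -Path $appFile -Value $appXml -Encoding UTF8
Set-Content -Path $mapFile -Value $mapXml -Encoding UTF8

try {
    # Create the affiliate application and the mapping from the XML files.
    Invoke-SsoManage @('-createapps', $appFile)
    Invoke-SsoManage @('-createmappings', $mapFile)

    # Fill the mapped fields (Mapped User, Password, Domain). ssomanage prompts
    # for each value, so the password never appears on the command line, in the
    # script or in the process list.
    Invoke-SsoManage @('-setcredentials', $mappedUser, $appName)

    # Verify the result: show the application's fields and the user's mappings.
    Invoke-SsoManage @('-displayapp', $appName)
    Invoke-SsoManage @('-listmappings', $mappedUser)
}
finally {
    # The XML files hold account names only, no secrets, but clean up anyway.
    Remove-Item $appFile, $mapFile -ErrorAction SilentlyContinue
}
```

Run it from an account that is an SSO administrator. The two Options-page settings the post mentions that this import file does not express, “Allow Windows initiated SSO” and “Application Users cannot create mappings”, are left to be set in the MMC snap-in after the import.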
In the next post I will show how to retrieve the mapped credential data from code, for use in a BizTalk orchestration or pipeline, for example.