External App Credentials Mapping with Enterprise SSO

Sanket Bakshi — Tue, 11 Jul 2006 17:03:00 GMT

Biztalk 2004 installs with itself the Enterprise SSO (Single Sign-on) utility. However, in order to harness it for your apps, you need to use the ssomanage utility that comes with it.

Using the utility is again not simple either. The first parameter of the ssomanage utility actually tells the utility about the action that has to be performed.

To create an Application & map its credential to a windows login involves a series of steps -
1. Creating the application with SSO that maps to the external application
2. Mapping the username of the external application to that of the windows user
3. Setting the password for the external username created in the above step

The -createapps parameter of the ssomanage allows you to create the external application in SSO. However, to do this, you need an XML file that specifies the details of the application to be created. The format for this XML file is -

<sso>
<application name="AppNameGoesHere">
<description>App Description Goes Here</description>
<contact>someone@example.com</contact>
<appuserAccount>domain\AppUserAccount</appuserAccount>
<appAdminAccount>domain\AppAdminAccount</appAdminAccount>
<field ordinal="0" label="User Id" masked="no" />
<field ordinal="1" label="Password" masked="yes" />
<flags groupApp="no" 
       configStoreApp="no" 
       allowTickets="no"
       validateTickets="yes" 
       allowLocalAccounts="no" 
       timeoutTickets="yes"
       adminAccountSame="no" 
       enableApp="no" />
</application>
</sso>

Some important parameters that require attention include -

The appuserAccount parameter determines user account that can modify the credentials. This is usually the SSO Affiliate Administrators Group. The appAdminAccount determines the admin account for SSO and is generally the SSO Administrators Group.

The field tags define the username, password and any other fields that can be required by the external system to take care of the authentication. The masked attribute of the field determines if the field is masked or not when it is being set.
The flags contain any settings that you might want to set for the app. The enableApp attribute determines if the application is enabled or not when it is created. If this is set to "no" you will have to explicitly enable the app by using the -enableApp switch with ssomanage.

Multiple applications can be added in a single go by using multiple "application" tags.

Once the application is created, the second step, comprises of specifying the username for the external application that corresponds to the Windows user. To take care of this, you need to use the -createmappings switch with ssomanage. The CreateMappings parameter needs you to specify a mapping xml which should be as below -

<sso>
<mapping>
<windowsDomain>domain</windowsDomain>
<windowsUserId>WindowsUserName</windowsUserId>
<externalApplication>Application name1</externalApplication>
<externalUserId>App1UserName</externalUserId>
</mapping>
</sso>

The mapping xml as such is quite simple to understand. The externalApplication tag links the application created in the step 1 to this user.

Once this is done, simply use the -setcredentials parameter with the ssomanage. This will help set the password for the external username that you created in step 2.

The entire process would create the external app in the SSO, add its username and password and map it to an existing windows user.
Biztalk 2006 goes a step ahead and actually provides you a MMC based console for handling these tasks. Definitely a smart enhancement than having to go through all the trouble.

--Sanket Bakshi

The dot before the Net : SSO

External App Credentials Mapping with Enterprise SSO