Tuesday, January 13, 2009

Implementing custom SSO Provider

Single Sign-On (SSO*) is a feature in MOSS that provides storage and mapping of credentials. BDC and SSO are two different components in MOSS; however, the SSO discussion in this article is tied to BDC and to how BDC uses SSO.

The following article (http://technet.microsoft.com/en-us/library/cc262932.aspx) shows how SSO can be configured in MOSS.

Limitations of SSO:

a) SSO works only when MOSS is installed in a domain ( SSO does not work when SharePoint is installed in a workgroup ).
b) SSO does not work when MOSS is configured for Forms Based Authentication ( FBA ).
c) Master key backup is allowed only on a floppy disk (A:)
d) No localization
e) No tools for bulk upload (credentials)

Fortunately, MOSS allows us to write our own "SSO" by implementing the ISsoProvider interface. ISsoProvider is defined in the Microsoft.SharePoint.Portal.SingleSignOn namespace in the Microsoft.SharePoint.Portal.SingleSignOn.dll assembly ( url: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.portal.singlesignon.issoprovider.aspx ). Keep in mind that a custom provider replaces the credential store and mapping that the built-in service gives you, so it also takes over the job of protecting stored credentials at rest and limiting who can read them.

Implementing ISsoProvider:

Rather than reiterating the implementation of ISsoProvider here, see this walkthrough (http://msdn.microsoft.com/en-us/library/ms566925.aspx) of implementing ISsoProvider.

Registering SSO with BDC

MOSS allows only one default SSO provider ( the default is SpsSsoProvider ); however, BDC can work with multiple SSO providers, because the SSO provider used by BDC is declared per LOB system instance in the BDC metadata model (the application definition).

In the metadata model, register your SSO provider with the following code

<Property Name="SsoApplicationId" Type="System.String">AppId</Property>
<Property Name="SsoProviderImplementation" Type="System.String">MySsoProvider, My.SingleSignon, Version=1.0.0.0, Culture=neutral, PublicKeyToken=71e9def111e9429c</Property>

The above code assumes that your SSO provider is the type "MySsoProvider" in the "My.SingleSignon" assembly; use the namespace-qualified type name if the class lives in a namespace.
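For context, here is an added example of where those two properties sit in a complete LobSystemInstance, together with the AuthenticationMode setting that makes BDC consult an SSO provider at all. This is not code from the original post; the LOB system and instance names, the SQL Server host and database, the application ID "AppId" and the My.SingleSignon assembly name are placeholders, and the note about the GAC is an assumption about how the BDC runtime resolves the assembly-qualified type name.

```xml
<!-- Added example (not from the original post): a BDC application definition
     fragment that routes credential lookup through a custom ISsoProvider.
     Names, connection values and the assembly identity are placeholders. -->
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="CustomerDb">
  <LobSystemInstances>
    <LobSystemInstance Name="CustomerDbInstance">
      <Properties>
        <!-- Credentials: BDC asks the SSO provider for the username/password
             mapped to the calling user and builds the connection with them.
             PassThrough or RevertToSelf would never call the provider. -->
        <Property Name="AuthenticationMode" Type="System.String">Credentials</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <!-- No Integrated Security here: the user id/password come from SSO. -->
        <Property Name="RdbConnection Data Source" Type="System.String">sqlhost</Property>
        <Property Name="RdbConnection Initial Catalog" Type="System.String">Customers</Property>
        <!-- Application ID passed to the provider; it must exist in the custom
             provider's credential store, not in the built-in SSO database. -->
        <Property Name="SsoApplicationId" Type="System.String">AppId</Property>
        <!-- Assembly-qualified name of the ISsoProvider implementation
             (assumed: the assembly is installed in the GAC on each BDC server). -->
        <Property Name="SsoProviderImplementation" Type="System.String">My.SingleSignon.MySsoProvider, My.SingleSignon, Version=1.0.0.0, Culture=neutral, PublicKeyToken=71e9def111e9429c</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <!-- Entities omitted from this fragment -->
</LobSystem>
```

Because the provider is chosen per LobSystemInstance, one farm can have some application definitions use SpsSsoProvider and others use the custom provider; each instance only needs its own SsoApplicationId to exist in whichever store its SsoProviderImplementation points at.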

Notes:
* SSO in MOSS is a misnomer. From the name, Single Sign-On, it appears that SSO will automatically log the user into other systems. In reality, it only provides storage, retrieval and mapping of credentials. Other components ( such as BDC, Excel Services, Access Services etc. ) log the user on to other systems by retrieving the user's credentials from SSO.