Mohammed Atef’s Technical blog

BizTalk Enterprise Single Sign-On

Introduction

A business process that relies on several different applications may have to cross several different security domains. Accessing an application on a Microsoft Windows system may require one set of security credentials, while accessing an application on an IBM mainframe may require different credentials, such as an RACF username and password. Dealing with this profusion of credentials is difficult for users, and it can be even harder for automated processes. To address this problem, BizTalk Server includes Enterprise Single Sign-On.
To use Enterprise Single Sign-On, an administrator defines affiliate applications, each of which represents a non-Windows system or application. For example, an affiliate application might be a CICS application running on an IBM mainframe, an SAP ERP system running on Unix, or any other kind of software. Each of these applications has its own mechanism for authentication, and so each requires its own unique credentials.
How It Works

Enterprise Single Sign-On stores an encrypted mapping between a user’s Windows user ID and his credentials for one or more affiliate applications in an SSO database. When this user needs to access an affiliate application, the credentials for that application can be looked up in the SSO database by a Single Sign-On (SSO) Server. The diagram below shows how this works.

[Figure: Enterprise Single Sign-On]

In this example, a message sent by some application to BizTalk Server is processed by an orchestration, and then sent to an affiliate application running on an IBM mainframe. The job of Enterprise Single Sign-On is to make sure that the correct credentials (that is, the right username and password) are sent with the message when it is passed to the affiliate application.

SSO Components

The sub services of the Enterprise Single Sign-On (SSO) service are as follows:

Mapping – Maps the user account in the Windows system to the user accounts in the back-end systems (affiliate applications).
Lookup – Looks up the user credentials for the back-end system in the credential database. This is the SSO runtime component.
Administration – Manages the affiliate applications and the mappings for each affiliate application.
Secret – Generates the master secret and distributes it to the other SSO servers in the system. It is only active on the Single Sign-On server that is acting as the master secret server.
Password Synchronization – Simplifies administration of the SSO credential database, and keeps passwords in sync across user directories.
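To make the Mapping, Lookup and Secret roles above concrete, here is an added toy model in Python. It is not BizTalk's code: the real service keeps mappings in the SSO database and identifies callers by their Windows identity, which the model stands in for with a plain caller name; the master secret, user names and credentials are constructed sample values.

```python
import hashlib
import hmac
import secrets


def _keystream(master_secret: bytes, label: bytes, length: int) -> bytes:
    """Derive a per-record keystream from the master secret (HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(master_secret, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SsoStore:
    """Toy SSO database: each mapping is encrypted under the master secret and bound
    to the (Windows user, affiliate application) pair it belongs to."""

    def __init__(self, master_secret: bytes) -> None:
        self._secret = master_secret   # in the real system only the master secret server holds this
        self._mappings = {}            # (windows_user, app) -> (nonce, ciphertext, tag)
        self.audit = []                # (outcome, windows_user, app), for access auditing

    def add_mapping(self, windows_user: str, app: str, ext_user: str, ext_password: str) -> None:
        """Mapping sub-service: store the affiliate credentials for one Windows user."""
        nonce = secrets.token_bytes(16)
        label = nonce + f"{windows_user}|{app}".encode()
        plaintext = f"{ext_user}\0{ext_password}".encode()
        stream = _keystream(self._secret, label, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._secret, label + ciphertext, hashlib.sha256).digest()
        self._mappings[(windows_user, app)] = (nonce, ciphertext, tag)

    def lookup(self, caller: str, app: str):
        """Lookup sub-service: return (ext_user, ext_password) for the caller's own mapping only."""
        entry = self._mappings.get((caller, app))
        if entry is None:
            self.audit.append(("DENY", caller, app))   # no mapping for this identity/application
            return None
        nonce, ciphertext, tag = entry
        label = nonce + f"{caller}|{app}".encode()
        expected = hmac.new(self._secret, label + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # detect a modified record before decrypting
            self.audit.append(("TAMPERED", caller, app))
            raise ValueError("SSO mapping failed integrity check")
        stream = _keystream(self._secret, label, len(ciphertext))
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
        ext_user, ext_password = plaintext.decode().split("\0", 1)
        self.audit.append(("LOOKUP", caller, app))
        return ext_user, ext_password
```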
Benefits

The right Enterprise Single Sign-On solution can provide numerous benefits for your organization, including:

· Increased employee satisfaction and productivity through login automation
· Reduced password-related help desk costs by eliminating the user’s requirement to track multiple passwords and login processes
· Elevated protection for sensitive application data through deployment of complementary strong authentication
· Application access auditing to help meet regulatory compliance

Top Single Sign-On Considerations

· Application Coverage

Do not assume a solution will support single sign-on to every application.
This seems to be an obvious consideration, but the complexity of unique login processes from application to application is commonly overlooked. It is critical to ensure that an ESSO solution can accommodate the entire range of applications that your employees currently use or foresee using in the future.
As an example, mainframe applications often require users to log in first to the mainframe security package (e.g. CA ACF2, CA Top Secret), then into the application itself. Selecting a solution that can handle the standard single-screen login but not multistage logins to mainframe or many other remote applications is a short-sighted approach that can limit the effectiveness of your overall deployment.

I hope this helps.

May 3, 2009 - Posted by | Biztalk | , ,
