Help need regarding SSO  
Author Message
Bilal Lodhi

PostPosted: SharePoint - Business Data Catalog, Help need regarding SSO Top

I have got a main page called "staff portal" (main page for login) built in using Microsoft Office Share Point 2007 on a dedicated server , and we have got many other applications (done by developer) .

Each application on a dedicated server .

The application that we have for the college are based on the following technologies:
1. All are web based applications
2. Build either on .NET framework 1.1 or .NET Framework 2.0
3. SQL server as a database at the backend
4. None of them are active directory enabled .,,,,they need a lot of change to be active directory

But we have got one application in Java and DB2 at the backend, Iti is an active directory enabled and we need to have SSO for this application as well.

What will be the advise to use Single Sign On that comes with Microsoft Shared Point 2007 Is there any implication security



SharePoint Products and Technologies4  
Frank Chiang

PostPosted: SharePoint - Business Data Catalog, Help need regarding SSO Top

I think this post is not really BDC related but I will provide some input here anyway.

What you are trying to do is a cross platform single sign-on infrastructure so that when a user logs in once, it has a 'token' that is trusted by other applications so that he doesn't have to login anymore.

This is one way that I can think of:

Use Membership and Role Database that comes with .NET Framework 2.0. The whole scenario is a bit complicated and depends on your particular situration. In general, you can create a 'master application name' in the 'application' table and you create all your users/password from all applications into the 'membership' table, referencing the 'applicationid' of the 'master application'. Then you create 'application name' for each application in the 'application' table. You can then assign users and their roles for each application in the 'roles' table. So when a user logs in, he is authenticated once in the 'master application'. You can then use the role table to pull out his roles. If he doesn't have a role, he has no access to that application.

In order to get a token that every application trusts, you need to implement SAML + STS (Secure Access Markup Language + Secure Token Service). A user actually is authenticated against this service to get a Token. When the user tries to access an application, he sends along this token. Since the application trusts the token, authentication is not needed. But the application can use the token information to pull out role information from the roles table to determine access level.

If your java application also supports SAML, then the application can get the token and use it to get information from AD, so single sign-on is achieved.

I suppose all this can be done using .NET Framework 3.0 (WCF) but I have not done anything yet.