Single Sign-On Support for the SOAP Adapter

You can use the BizTalk Server Administration console to configure Enterprise Single Sign-On (SSO) for use with the SOAP receive location or send port. This topic describes how SSO works with the SOAP adapter.

Single Sign-On Support for SOAP Receive Locations

SOAP receive locations support two versions of SSO—BizTalk Server Enterprise SSO and Microsoft SharePoint Portal Server SSO. Run the BizTalk Web Services Publishing Wizard to enable support for SharePoint Portal Server SSO. For more information about enabling SharePoint Portal Server SSO, see Publishing Web Services. Enable BizTalk Enterprise Single Sign-On by using the property pages for the SOAP receive location. For more information about enabling Enterprise SSO for the SOAP receive location, see How to Configure a SOAP Receive Location.

Enterprise SSO Support for SOAP Receive Locations

Internet Information Services (IIS) receives a SOAP request from a Web client, and then IIS authenticates the user and passes the security identifier to the SOAP adapter. If the IIS authentication method is Digest authentication, Basic authentication, or Integrated Windows Authentication, the SOAP adapter calls the SSO credential store to obtain an encrypted ticket based on the authenticated user. This ticket is stored as the SSOTicket property in the context property of the message.

In the pass-through scenario, the BizTalk Messaging Engine directs the message to the MessageBox database. When a send adapter receives the message from the MessageBox database, it calls the RedeemTicket method with the encrypted ticket along with the application name to retrieve the security credentials for the application from the SSO store. The send adapter then uses the external credentials to connect to the application and process the request. For more information about the affiliate applications, see SSO Affiliate Applications.

In scenarios where an orchestration invokes the send adapter, the BizTalk Messaging Engine sends the message to the MessageBox database. The orchestration should ensure that both the SSOTicket context property and the Microsoft.BizTalk.XLANGs.BTXEngine.OriginatorSID context property of the message that contains the ticket are maintained. When the adapter receives this message from the MessageBox database, the adapter calls the RedeemTicket method with the encrypted ticket to retrieve the back-end credentials from the SSO store. The user designing the orchestration should specifically copy this property to the message.

SharePoint Portal Server SSO Support for SOAP Receive Locations

When integrating with SharePoint Portal Server, BizTalk Server supports the use of Microsoft SharePoint Portal Server SSO only through the SOAP adapter. SharePoint Portal Server creates SSO tickets and sends them to BizTalk Server in a SOAP header of the SOAP request. When the SOAP adapter receives a request containing an SSO ticket, the ticket is stored as the SSOTicket property in the context property of the message. This same property would contain an Enterprise SSO ticket. Only one SSO ticket can be associated with a BizTalk message.

In both pass-through and orchestration scenarios, the handling of an SSO ticket received from SharePoint Portal Server is the same as if the ticket were created by the SOAP adapter using Enterprise SSO. When a send adapter receives a message, it calls the RedeemTicket method with the encrypted ticket that SharePoint Portal Server generated. The send adapter does not need to be aware that different SSO tickets exist. The RedeemTicket method will determine which SSO system generated the ticket and redeem it from the appropriate place.

Combined Use of Enterprise SSO and SharePoint Portal Server SSO

BizTalk Server supports the simultaneous use of both SSO systems. The API can differentiate between the tickets generated by each SSO and will redeem them from the appropriate SSO database. If you use both SSO systems at the same time, the following rules determine which SSO ticket the SOAP receive location promotes to the SSOTicket context property:

• If neither SSO is enabled, do not promote a ticket.

• If the Enterprise SSO is enabled, but the SharePoint Portal Server SSO is not enabled, retrieve and promote the Enterprise SSO ticket.

• If the SharePoint Portal Server SSO is enabled, but the Enterprise SSO is not enabled, promote the existing SharePoint Portal Server SSO ticket.

• If both the Enterprise and SharePoint Portal Server SSO are enabled:

  • If the SharePoint Portal Server SSO ticket is received, promote that ticket.

  • If the SharePoint Portal Server SSO ticket is not received, retrieve and promote the Enterprise SSO ticket.

  Single Sign-On Support for the SOAP Send Adapter

  If SSO is enabled, when a SOAP send port receives a message with the Secure property (SSOTicket), it calls the SSO server to validate and redeem the ticket for an affiliate application. The administration application, affiliate administrators, or SSO administrators for the affiliate application can call SSO to redeem a ticket. SSO then decrypts the ticket and obtains the back-end credentials. The pass-through and orchestration scenarios are the same for the SOAP send port, as described in the "Enterprise SSO Support for SOAP Receive Locations" section of the topic Single Sign-On Support for the SOAP Adapter.

  By default, the SOAP send port does not enable SSO. For more information about enabling SSO for the SOAP send port, see How to Configure a SOAP Send Port.