In addition to providing single sign-on capabilities, you can use the Enterprise Single Sign-On (SSO) system as a secure configuration store in a distributed environment. For example, the BizTalk Server components use the SSO system to store custom configuration information for the BizTalk adapters. In these scenarios, the SSO administrator configures and manages the configuration information. End-users do not manage or access this configuration information directly.
An SSO administrator or SSO affiliate administrator creates an affiliate application to represent a configuration container. This affiliate application holds a unique set of configuration properties. In the case of BizTalk Server, every BizTalk adapter has four affiliate applications associated with it - one for the receive handler, one for the send handler, one for the send ports and one for the receive locations. The set of properties associated with each of these affiliate applications can differ. When the administrator configures an end point (send port or receive location), the SSO system creates a mapping between a unique identifier for that end point and its configuration properties and values. The SSO system stores these properties and values in encrypted form in the Credential database, in the same way that it stores user credentials.
To create an affiliate application, the user must be an SSO affiliate administrator. In the case of BizTalk Server, the BizTalk administrator that creates and deletes adapters must be a member of the SSO affiliate administrator group. Every affiliate application has an administrator group account and a user group account associated with it. By default, the SSO system assigns the BizTalk Server Administrators group as the application administrator for the affiliate application when you create an affiliate application to hold configuration information for BizTalk adapters. Only the BizTalk administrators responsible for managing send ports and receive locations need to be members of the SSO application administrators group for the affiliate application. These administrators have read, write, and delete user rights for managing the configuration information for end points.
The SSO system also defines an SSO application users group for each of the affiliate applications. Members of this group only have read user rights for the configuration information. For BizTalk Server, the host instance service accounts must be members of the SSO application users group. Therefore, the SSO system specifies the BizTalk Isolated Host Users or BizTalk Host Users (depending on the adapter you are creating an affiliate application for) as the SSO application users group account for the configuration store affiliate application.
Other applications can use this configuration store object model of SSO to store configuration information securely. This is useful when multiple administrators need to manage the same configuration information and multiple service accounts need to read it at runtime, with access controlled in both cases. This is typical in a distributed environment where different processes and computers access centrally managed data.
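The following C# program is an added example, not code from this Help page or from BizTalk Server itself. It walks through the model described above using the Enterprise SSO interop API (Microsoft.BizTalk.Interop.SSOClient.dll): an SSO affiliate administrator creates an affiliate application flagged as a configuration store with separate administrator and user groups, an application administrator stores the properties for one end point under a unique identifier, and a runtime service account reads them back. The application name, group names, contact string, field names, identifier and values are all assumed for the example; the reserved first field follows the convention of the Enterprise SSO SDK configuration store sample. The code must run on a computer with the Enterprise SSO client installed and under accounts that belong to the relevant groups.

```csharp
// Added example: provisioning an SSO affiliate application as a configuration
// store and writing/reading an end point's properties through the SSOClient
// interop API. All names below are assumed for the example.
using System;
using System.Collections;
using Microsoft.BizTalk.Interop.SSOClient;

// Minimal IPropertyBag backed by a Hashtable. SSO reads and writes the
// end point's configuration properties through this interface.
public class ConfigPropertyBag : IPropertyBag
{
    private readonly Hashtable props = new Hashtable();

    public void Read(string propName, out object ptrVar, int errorLog)
    {
        ptrVar = props[propName];
    }

    public void Write(string propName, ref object ptrVar)
    {
        props[propName] = ptrVar;
    }

    public object this[string name] { get { return props[name]; } }
}

public static class SsoConfigStoreDemo
{
    // Assumed names: one affiliate application per adapter/handler type,
    // an admin group with read/write/delete and a users group with read-only access.
    const string AppName    = "Contoso.FileAdapter.SendPort";
    const string AdminGroup = @"CONTOSO\BizTalk Server Administrators";
    const string UsersGroup = @"CONTOSO\BizTalk Host Users";
    const string Contact    = "biztalk-admins@contoso.example";

    // Fields held for each end point. The first field is a reserved placeholder,
    // as in the Enterprise SSO SDK configuration store sample.
    static readonly string[] Fields = { "Reserved", "TargetPath", "ServiceAccountPassword" };

    // Step 1 (SSO affiliate administrator): create the affiliate application
    // flagged as a configuration store rather than a user-credential mapping.
    public static void CreateConfigStoreApplication()
    {
        ISSOAdmin admin = new ISSOAdmin();
        int flags = SSOFlag.SSO_FLAG_APP_CONFIG_STORE
                  | SSOFlag.SSO_FLAG_SSO_WINDOWS_TO_EXTERNAL
                  | SSOFlag.SSO_FLAG_APP_ALLOW_LOCAL;
        admin.CreateApplication(AppName, "Send port configuration for the file adapter",
                                Contact, UsersGroup, AdminGroup, flags, Fields.Length);
        foreach (string field in Fields)
        {
            // Mark the secret field so SSO administration tooling masks it.
            int fieldFlags = field == "ServiceAccountPassword"
                ? SSOFlag.SSO_FLAG_FIELD_INFO_MASK
                : SSOFlag.SSO_FLAG_NONE;
            admin.CreateFieldInfo(AppName, field, fieldFlags);
        }
        // The application is created disabled; enable it once its fields exist.
        admin.UpdateApplication(AppName, null, null, null, null,
                                SSOFlag.SSO_FLAG_ENABLED, SSOFlag.SSO_FLAG_ENABLED);
    }

    // Step 2 (member of the application administrators group): store one end
    // point's properties. The identifier is the key SSO maps to this set of
    // values; SSO encrypts the values in the Credential database.
    public static void StoreEndpointConfig(string endpointId, string targetPath, string password)
    {
        var bag = new ConfigPropertyBag();
        object value = targetPath;
        bag.Write("TargetPath", ref value);
        value = password;
        bag.Write("ServiceAccountPassword", ref value);

        ISSOConfigStore store = new ISSOConfigStore();
        store.SetConfigInfo(AppName, endpointId, bag);
    }

    // Step 3 (host instance service account, a member of the application users
    // group): read the properties back at runtime. A caller that is in neither
    // group receives an access-denied COMException from GetConfigInfo, which is
    // how SSO enforces the read-only/read-write split described in the text.
    public static string ReadTargetPath(string endpointId)
    {
        var bag = new ConfigPropertyBag();
        ISSOConfigStore store = new ISSOConfigStore();
        store.GetConfigInfo(AppName, endpointId, SSOFlag.SSO_FLAG_RUNTIME, bag);
        return (string)bag["TargetPath"];
    }

    public static void Main()
    {
        // Assumed identifier and values for a single send port.
        const string endpointId = "SendPort.ContosoOrders";
        CreateConfigStoreApplication();
        StoreEndpointConfig(endpointId, @"\\fileserver\orders\out", "placeholder-secret");
        Console.WriteLine("TargetPath for {0}: {1}", endpointId, ReadTargetPath(endpointId));
    }
}
```

Steps 1 and 2 must run under accounts in the SSO affiliate administrators and application administrators groups respectively; step 3 is what a host instance does at runtime, and the same call made from an account outside the users group fails, so the SSO group membership, not the calling code, is what decides who can read a stored value.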
See Also
SSO Groups and Deployment Scenarios
SSO Affiliate Applications
Enterprise Single Sign-On Scenarios
To download updated BizTalk Server 2004 Help from www.microsoft.com, go to http://go.microsoft.com/fwlink/?linkid=20616.
Copyright © 2004 Microsoft Corporation.
All rights reserved.