Security Considerations When Using the Adapter with BizTalk Server
When you configure a send port or a receive port (location) by using the BizTalk Server Administration console or use the Consume Adapter Service BizTalk Project Add-in to retrieve message schemas for a BizTalk solution, you must provide credentials for the SAP system. It is important to supply these credentials in a secure way to help prevent them from being revealed to potentially malicious actors. This topic discusses how to most securely supply credentials for the Microsoft BizTalk Adapter for mySAP Business Suite for BizTalk Server solutions.
A more general discussion of security in the context of BizTalk solutions is an expansive topic and is beyond the scope of this documentation. For information about how you can make your BizTalk solutions more secure, see the "Security and Protection" topic in the BizTalk Server documentation at http://go.microsoft.com/fwlink/?LinkId=101135.
When you use the Consume Adapter Service Add-in to retrieve message schemas for a BizTalk solution, you must supply a user name and password for the SAP system. You should only do this from the Security tab on the Configure Adapter dialog box. This ensures that your credentials will not be displayed in the Uri field of the Consume Adapter Service Add-in dialog box, where anyone with access to your computer screen can read them. For more information about how to retrieve message schemas by using the Consume Adapter Service Add-in, including how to enter a user name and password for the SAP system, see Retrieving Metadata for SAP Operations in Visual Studio.
BizTalk solutions use the Microsoft BizTalk WCF-Custom adapter to consume WCF services. The SAP adapter is a WCF custom binding that enables clients to consume the SAP system as if it were a WCF service. BizTalk solutions consume the SAP adapter through send ports and receive locations that are configured to use the WCF-Custom adapter, which is, in turn, configured to use the SAP adapter as its transport. For more information about how to configure send ports and receive ports (receive locations), including how to configure the WCF-Custom adapter, see Manually Configuring a Physical Port Binding to the SAP Adapter.
You configure the SAP system credentials from the Credentials tab of the WCF-Custom Transport Properties dialog box for send ports or from the Other tab of the WCF-Custom Transport Properties dialog box for receive locations. Because the WCF-Custom adapter supports Enterprise Single Sign-On (SSO), you can choose to provide either a user name and password or an SSO affiliate application on either of these tabs. The following topics discuss both options.
User Name Password Credentials
You should only supply a user name and password from the Credentials tab (for send ports) or the Other tab (for receive locations) in the WCF-Custom Transport Properties dialog box. This ensures the following:
Your credentials will not be displayed in the Uri field of the dialog box. This prevents those who have access to your screen (or who have permissions that enable them to view the send port or receive location properties) from seeing your credentials.
Your password will not be written to the binding file if you export the send port or receive port binding. This prevents anyone with access to the file from viewing your password.
Enterprise Single Sign-On and SSO Affiliate Applications
You can configure the WCF-Custom adapter to use SSO to get the credentials for the SAP system. SSO uses a database and a master secret to encrypt and store user credentials. It also provides services to map Microsoft Windows accounts to secondary credentials that are used to access a backend system. By using SSO, you can map a Windows account to a user name and password on the SAP system.
SSO uses affiliate applications and SSO mappings to map credentials to the backend system. An affiliate application is a logical entity in SSO that refers to a system or an application that requires secondary credentials. An SSO mapping is associated with an affiliate application. It maps a Windows account to the secondary credentials used by that account to access the affiliate system or application. An SSO mapping can be associated with a Windows user account or with a group.
To use SSO with the SAP adapter, you must do the following.
Create an affiliate application in SSO to hold the user name password credentials for the SAP system. This step is often performed by someone with special types of SSO administrative privileges.
Create a user or group mapping for the affiliate application that maps your Windows account to the user name and password that are used to establish a connection with the SAP system. Depending on your installation, a user might be able to perform this step or it might require someone with special types of SSO administrative privileges.
When configured for SSO, the WCF-Custom adapter uses services provided by SSO to get the SAP user name and password from the SSO database. It provides these (unencrypted) to the SAP adapter, so that the adapter can open a connection to the SAP system. SSO provides no encryption or protection across the connection between the SAP adapter and the SAP system.
For information about how to use SSO, including information about how to create affiliate applications and SSO mappings, see the "Using SSO" topic in the BizTalk Server documentation at http://go.microsoft.com/fwlink/?LinkId=101133. For more general information about SSO, see the "Implementing Enterprise Single Sign-On" topic in the BizTalk Server documentation at http://go.microsoft.com/fwlink/?LinkId=101132.
The SAP adapter surfaces the AcceptCredentialsInUri binding property. This property determines whether SAP system credentials are permitted in the connection URI. By default, AcceptCredentialsInUri is false and the SAP adapter throws an exception if credentials are included in the URI.
This property is surfaced because there are certain programming scenarios that require the credentials to be present in the connection URI. This should never be the case when you are configuring a send port or a receive location, or when you are using the Consume Adapter Service Add-in to retrieve message schemas from the SAP adapter. In such cases, it is recommended that you do not set AcceptCredentialsInUri to true. For more information about the SAP adapter binding properties, see Working with BizTalk Adapter for mySAP Business Suite Binding Properties.
The AcceptCredentialsInUri binding property is not available in BizTalk Server in the Binding tab while configuring a WCF-Custom or WCF-SAP receive or send port. To set the value of the AcceptCredentialsInUri binding property, you must open the adapter bindings file (XML file) that is created after you have generated metadata using the Consume Adapter Service Add-in, and then locate this binding property in the file. Specify an appropriate value for this binding property, save the binding file, and then import the binding file in BizTalk Server. See Importing Bindings for instructions.
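As an added example that is not part of this documentation, the following script audits an exported binding file for the two conditions this topic warns about: credentials embedded in a port's Address URI, and AcceptCredentialsInUri set to true inside the escaped binding configuration. The sample binding file, its element names and the sap:// URI layout are simplified assumptions, not copied from a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported BizTalk binding file (assumed layout).
SAMPLE_BINDING = """<BindingInfo>
 <SendPortCollection><SendPort Name="SapSendPort"><PrimaryTransport>
  <Address>sap://User=svc;Passwd=hunter2;Client=800;Lang=EN;@a/saphost/00</Address>
  <TransportTypeData>&lt;CustomProps&gt;&lt;BindingConfiguration vt="8"&gt;&lt;binding name="sapBinding" acceptCredentialsInUri="true" /&gt;&lt;/BindingConfiguration&gt;&lt;/CustomProps&gt;</TransportTypeData>
 </PrimaryTransport></SendPort></SendPortCollection>
 <ReceivePortCollection><ReceivePort Name="SapReceivePort">
  <ReceiveLocation Name="SapReceiveLocation">
   <Address>sap://Client=800;Lang=EN;@a/saphost/00</Address>
   <ReceiveLocationTransportTypeData>&lt;CustomProps&gt;&lt;BindingConfiguration vt="8"&gt;&lt;binding name="sapBinding" acceptCredentialsInUri="false" /&gt;&lt;/BindingConfiguration&gt;&lt;/CustomProps&gt;</ReceiveLocationTransportTypeData>
  </ReceiveLocation>
 </ReceivePort></ReceivePortCollection>
</BindingInfo>"""

SECRET_KEYS = ("passwd", "password", "pwd")  # assumed parameter names for a password

def uri_has_credentials(uri):
    """True if the part of the URI before the last '@' carries a user/password pair."""
    head, sep, _ = uri.rpartition("@")
    if not sep:
        return False
    userinfo = head.split("://", 1)[-1].lower()
    if ":" in userinfo and "=" not in userinfo:  # plain user:password@ form
        return True
    return any(k + "=" in userinfo for k in SECRET_KEYS)

def accept_credentials_flags(transport_data):
    """Parse the escaped CustomProps XML and return every AcceptCredentialsInUri value in it."""
    inner = ET.fromstring(transport_data)
    return [v.strip().lower() for el in inner.iter()
            for k, v in el.attrib.items() if k.lower() == "acceptcredentialsinuri"]

def audit_binding(xml_text):
    """Return (port name, finding) pairs for every send port and receive location."""
    findings = []
    root = ET.fromstring(xml_text)
    for port in list(root.iter("SendPort")) + list(root.iter("ReceiveLocation")):
        name = port.get("Name", "?")
        for addr in port.iter("Address"):
            if addr.text and uri_has_credentials(addr.text):
                findings.append((name, "credentials embedded in Address URI"))
        # ElementTree already decodes the &lt;...&gt; entities in the text node.
        for tag in ("TransportTypeData", "ReceiveLocationTransportTypeData"):
            for data in port.iter(tag):
                if data.text and "true" in accept_credentials_flags(data.text):
                    findings.append((name, "AcceptCredentialsInUri is true"))
    return findings
```

Run `audit_binding` over a real export before importing it; the send port in the sample yields both findings while the receive location yields none.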