The Secure Store Service provides a more flexible solution to the problems partially addressed Single Sign-On (SSO) in MOSS 2007. It allows for the secure storage of usernames and passwords for shared resources and the mapping of users to specific access identities. It is commonly used for access to data for Business Connectivity Services, Excel Service Applications and Visio Service Applications.
Microsoft have some really good documentation on this topic. Their planning guide is http://technet.microsoft.com/en-us/library/ee806889.aspx and their own more detailed configuration guide is http://technet.microsoft.com/en-us/library/ee806889.aspx.
However, for many (especially for dev and piloting) this provides a quick guide to getting it up and running.
You should check that you are a Service Application Administrator for the instance of the Secure Store Service you will be configuring.
The first step is to initialize the Secure Store Service:
- From Central Administration, choose Manage service applications from the Application Management group:
- Click on the Secure Store Service link (either is OK – they both link to the same place):
- If this is the first time the Secure Store Service has been accessed, you will need to Generate New Key (from the ribbon):
- To generate a new key you must provide a passphrase. This is used for encrypting information stored in the secure store so it is wise to choose a strong passphrase. There is no way (at least that I know) of recovering the passphrase, so do not forget it!
At this point the Secure Store Service is ready for you to start adding the target applications that you want to store credentials for. For each application you want to access, do the following:
- Click on the New target application ribbon button:
- Complete the Target Application Settings using the notes below:
- The target application id is the unique name of the application (and cannot be changed), although the display name can.
- Contact e-mail is pretty self explanatory.
- Then we get to the Target Application Type. The first choice to make is either:
- Individual – meaning that each user connecting to SharePoint will be mapped to a unique set of credentials to connect to this target applications; or
- Group – meaning that all users connecting to SharePoint in a specific group will be mapped to a shared set of credentials to connect to this target application.
- Now we need to decide whether the type should be normal, Ticket, or Restricted. Maybe its just me, but I found the on-screen help not very useful and online help took a few seconds longer than usual to find. Essentially, these options have the following meaning:
- Ticket – this applies to target applications who support ticket (or “claim”) based authentication. Claims based identity management is a big theme in Microsoft.NET 3.0 and if you want a primer in this topic please see http://msdn.microsoft.com/en-us/magazine/cc163366.aspx;
- Restricted – allows you to provide implementation specific additional authentication in the target application;
- Normal – this is the more traditional method of providing authentication credentials (username, password and maybe other information) with each connection.
- I am interested at this point in a connection to SQL Server, and a single set of Windows logon credentials for all users is what I’m after, so I choose Group, and click Next.
- Next I’m prompted to specify the authentication field names and type. The default of Windows User Name and Windows Password is exactly what I need, but if you are connecting to a target application that needs more information you can add fields of various types to this target application:
- I’ve chosen to have a single set of credentials for a group of SharePoint users, so next I need to specify who can administer this target application and who are the members of the group of users that will use these credentials:
Note that in Administrators and Members I can use the new People and Groups picker dialog, which is a big improvement on the 2007 version:
- Finally, click OK and you’re done: target application created.
That’s it – you’re done. Using this target application is for another post, but to give you an idea, the screen shot below shows specifying this target application from Excel (with the really cool PowerPivot in the background – see http://calvisblog.wordpress.com/2010/06/10/powerpivot-and-real-estate):