SSO + Token Authentication
Use this authentication design when you have chosen the Single Sign-On service in SharePoint to store user credentials for external applications, such as Business Analytics Servers. It applies whether Business Analytics Servers are hosted in the same domain as SharePoint or in different domains.
This solution uses the Token Service that is installed with P4S. The Token Service generates a token ID for a user’s SharePoint session when they access mashups or apps. The requests sent to the Business Analytics Servers that host these mashups or apps include:
A ticket with the user’s token ID
An SSO Token Server Name.
Both SharePoint and Business Analytics Servers must be configured with the SSO Token Server Name and the connection information to communicate with the Token Service. Business Analytics Servers use this SSO Token Server Name to connect to the Token Service and redeem the user ticket and credentials.
Users receive a login challenge the first time they access mashups or apps hosted in a Business Analytics Server for a given SSO Application Name (a target application) in SharePoint configuration. The credentials they enter for this initial login challenge are then stored by the SharePoint SSO service under the SSO Application configured for that connection.
Note: Business Analytics Servers use only basic user credentials (username and password). They do not accept NTLM credentials which include Windows domains as part of the user name.
For all subsequent requests to Business Analytics Servers with that same SSO Application name, the servers use the token and the Token Service to retrieve the user's credentials, authenticate the user with those credentials, and then retrieve the user's authorization information from the Business Analytics User Repository.
You can have each SSO Application store user credentials for one or several Business Analytics Server connections in SharePoint.
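The flow described above, modeled end to end as an added example; it is not code from P4S or the Business Analytics Server. All class, method and field names are hypothetical, and the model assumes that credentials are stored only after they authenticate and that a backslash in the user name marks an NTLM-style name.

```python
# Simplified model of the flow described above. Every class, method and field
# name is hypothetical; this is not the P4S or Business Analytics Server API.
import secrets

class TokenService:
    """Stands in for the Token Service and the SharePoint SSO credential store."""
    def __init__(self):
        self.sessions = {}   # token ID -> SharePoint session user
        self.sso_store = {}  # (SSO Application, user) -> (username, password)

    def issue(self, sharepoint_user):
        token_id = secrets.token_hex(16)  # unguessable ID (assumed format)
        self.sessions[token_id] = sharepoint_user
        return token_id

    def redeem(self, token_id, sso_app):
        user = self.sessions.get(token_id)
        return user, self.sso_store.get((sso_app, user))

    def store(self, token_id, sso_app, username, password):
        self.sso_store[(sso_app, self.sessions[token_id])] = (username, password)

class BusinessAnalyticsServer:
    def __init__(self, token_servers, user_repository):
        self.token_servers = token_servers      # configured name -> connection
        self.user_repository = user_repository  # username -> (password, roles)

    def handle(self, ticket, token_server_name, sso_app, login=None):
        # The name in the request only selects a pre-configured connection.
        service = self.token_servers.get(token_server_name)
        if service is None:
            return "rejected: token server not configured"
        user, creds = service.redeem(ticket, sso_app)
        if user is None:
            return "rejected: unknown ticket"
        first_login = creds is None
        if first_login:
            if login is None:
                return "login challenge"
            if "\\" in login[0]:  # DOMAIN\user form is not accepted
                return "rejected: basic credentials only"
            creds = login
        password, roles = self.user_repository.get(creds[0], (None, ()))
        if password is None or not secrets.compare_digest(password, creds[1]):
            return "rejected: authentication failed"
        if first_login:  # assumption: store only credentials that authenticated
            service.store(ticket, sso_app, *creds)
        return "authorized: " + ",".join(roles)
```

Because credentials are keyed by SSO Application, a request that names a different SSO Application gets a fresh login challenge even when the same ticket is presented.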