SSO + Token Authentication
This authentication design can be used when both criteria are true:
* You have MSS 2010 in your environment
* You have chosen to use the Secure Store service
This solution uses the Token Service that is installed with P4S. The Token Service generates a token ID for a user’s SharePoint session when they access mashups or apps. The requests sent to the Business Analytics Servers that host these mashups or apps include:
* A ticket with the user’s token ID
* An SSO Token Server Name
Business Analytics Servers use this name to find connection information to the Token Service. This name ensures that connection information to the Token Service is not passed directly in requests.
Both SharePoint and Business Analytics Servers must be configured with the SSO Token Server Name and the connection information to communicate with the Token Service. Business Analytics Servers use this SSO Token Server Name to connect to the Token Service and redeem the user ticket and credentials.
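The request flow described above, modelled as an added Python example; it is not P4S or Business Analytics code. The class names, the `P4S_TOKENS` name, the request field names and the in-memory stores are assumptions made for illustration, and the values are constructed.

```python
import secrets

class TokenService:
    """Stand-in for the Token Service: maps token IDs to user credentials."""
    def __init__(self):
        self._sessions = {}

    def issue(self, username, password):
        token_id = secrets.token_urlsafe(32)  # unguessable token ID for the session
        self._sessions[token_id] = (username, password)
        return token_id

    def redeem(self, token_id):
        return self._sessions.get(token_id)  # None when the ticket is unknown


class AnalyticsServer:
    """Stand-in for a Business Analytics Server (hypothetical model)."""
    def __init__(self, token_servers, user_repository):
        self._token_servers = token_servers  # name -> connection, from local config
        self._users = user_repository        # username -> password (toy repository)

    def handle(self, request):
        # The name is resolved against local configuration only, so a request
        # cannot point the server at a Token Service it was not configured for.
        service = self._token_servers.get(request.get("sso_token_server_name"))
        if service is None:
            return "rejected: unknown SSO Token Server Name"
        creds = service.redeem(request.get("ticket"))
        if creds is None:
            return "rejected: ticket not redeemable"
        username, password = creds
        stored = self._users.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            return "rejected: authentication failed"
        return f"ok: {username}"


def demo():
    token_service = TokenService()
    server = AnalyticsServer({"P4S_TOKENS": token_service},
                             {"alice": "s3cret-constructed"})
    ticket = token_service.issue("alice", "s3cret-constructed")  # SharePoint side
    return [
        server.handle({"ticket": ticket, "sso_token_server_name": "P4S_TOKENS"}),
        server.handle({"ticket": ticket, "sso_token_server_name": "http://other-host.example/tokens"}),
        server.handle({"ticket": "forged", "sso_token_server_name": "P4S_TOKENS"}),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```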
The actual user experience with an SSO + Token solution depends on whether the Business Analytics Servers and SharePoint servers share an Active Directory as their user repository.
With a Shared User Repository
If SharePoint and the Business Analytics Servers for your mashup sites share the same user repository, such as an Active Directory or LDAP Directory, users get a full single sign-on experience. Users log in to SharePoint and no further login challenges are issued when they access mashups or apps in Business Analytics Servers in this domain. Business Analytics Servers retrieve user credentials via tokens, then authenticate these credentials and retrieve user authorization information against the shared user repository.
Note: Business Analytics Servers use only basic user credentials (username and password). They do not accept NTLM credentials, which include Windows domains as part of the user name.
With Distinct User Repositories
If SharePoint and the Business Analytics Servers in this domain do not share a user repository, users receive one login challenge the first time they access mashups or apps hosted in a Business Analytics Server for a given SSO Application Name (a target application) in SharePoint configuration.
The credentials they enter for this initial login challenge are then stored by the Secure Store service under the SSO Application configured for that connection. For all subsequent requests to Business Analytics Servers with that same SSO Application Name, Business Analytics Servers retrieve user credentials via tokens and the Token Service, then authenticate them and retrieve user authorization information from the Business Analytics User Repository.
You can have each SSO Application store user credentials for one or several Business Analytics Server connections in SharePoint.
Copyright © 2013-2016 Software AG, Darmstadt, Germany.
