SSO + Token Authentication
This authentication design can be used when both criteria are true:
You have MSS 2010 in your environment
You have chosen to use the Secure Store service
This solution uses the Token Service that is installed with P4S. The Token Service generates a token ID for a user’s SharePoint session when they access mashups or apps. The requests sent to the MashZone NextGen Servers that host these mashups or apps include:
A ticket with the user’s token ID
An SSO Token Server Name.
MashZone NextGen Servers use this name to find connection information to the Token Service. This name ensures that connection information to the Token Service is not passed directly in requests.
Both SharePoint and MashZone NextGen Servers must be configured with the SSO Token Server Name and the connection information to communicate with the Token Service. MashZone NextGen Servers use this SSO Token Server Name to connect to the Token Service and redeem the user ticket and credentials.
The actual user experience with an SSO + Token solution depends on whether the MashZone NextGen Servers and SharePoint servers share an Active Directory as their user repository.
With a Shared User Repository
If SharePoint and the MashZone NextGen Servers for your mashup sites share the same user repository, such as an Active Directory or LDAP directory, users get a full single sign-on experience. Users log in to SharePoint once, and no further login challenges are issued when they access mashups or apps in MashZone NextGen Servers in this domain. MashZone NextGen Servers retrieve user credentials via tokens, then authenticate these credentials and retrieve user authorization information against the shared user repository.
Note: MashZone NextGen Servers use only basic user credentials (username and password). They do not accept NTLM credentials, which include Windows domains as part of the user name.
With Distinct User Repositories
If SharePoint and the MashZone NextGen Servers in this domain do not share a user repository, users receive one login challenge the first time they access mashups or apps hosted in a MashZone NextGen Server for a given SSO Application name (a target application) in the SharePoint configuration.
The credentials they enter for this initial login challenge are then stored by the Secure Store service under the SSO Application configured for that connection. For all subsequent requests to MashZone NextGen Servers with that same SSO Application name, MashZone NextGen Servers retrieve user credentials via tokens and the Token Service and then authenticate them and retrieve user authorization information from the MashZone NextGen User Repository.
You can have each SSO Application store user credentials for one or several MashZone NextGen Server connections in SharePoint.
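To make the exchange above concrete, here is an added, runnable model of the SSO + Token flow for both the shared-repository and distinct-repository cases. It is illustrative code written for this page, not Software AG's or Microsoft's implementation: the classes SecureStore, TokenService and MashZoneServer, the server name "sp-tokens", the SSO Application "MashZoneApp", the users and passwords are all constructed. It assumes that in the shared-repository case the user's credentials are already available to the Token Service (how P4S populates them is not modelled), that a ticket is redeemable once, and that the MashZone server holds the Token Service connection details itself, keyed by the SSO Token Server Name, so a request carries only the name and the ticket.

```python
# Illustrative model of the SSO + Token flow (added example, not product code).
# Every class, function and sample value below is hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _digest(password: str) -> str:
    # Stand-in for the user repository's own password check (constructed, not the product's scheme)
    return hashlib.sha256(password.encode()).hexdigest()


class LoginChallenge(Exception):
    """No credentials are stored yet for this user under this SSO Application."""


@dataclass
class SecureStore:
    """Models the Secure Store service: credentials keyed by (SSO Application, SharePoint user)."""
    _creds: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    def save(self, sso_app: str, sp_user: str, username: str, password: str) -> None:
        self._creds[(sso_app, sp_user)] = (username, password)

    def lookup(self, sso_app: str, sp_user: str) -> Optional[Tuple[str, str]]:
        return self._creds.get((sso_app, sp_user))


@dataclass
class TokenService:
    """Models the P4S Token Service: issues one ticket per SharePoint session, redeems it once."""
    store: SecureStore
    _tickets: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ticket -> (sp_user, sso_app)

    def issue(self, sp_user: str, sso_app: str) -> str:
        ticket = secrets.token_urlsafe(16)  # unguessable token ID that travels in the request
        self._tickets[ticket] = (sp_user, sso_app)
        return ticket

    def redeem(self, ticket: str) -> Tuple[str, str]:
        entry = self._tickets.pop(ticket, None)  # single use: a replayed ticket is refused
        if entry is None:
            raise PermissionError("unknown or already-redeemed ticket")
        sp_user, sso_app = entry
        creds = self.store.lookup(sso_app, sp_user)
        if creds is None:
            raise LoginChallenge(sso_app)  # distinct repositories: first access needs a login
        return creds


@dataclass
class MashZoneServer:
    # SSO Token Server Name -> Token Service connection, configured on the server side only.
    # The request carries the name, never the connection details (host, port, service
    # credentials in a real deployment; the TokenService object stands in for them here).
    token_servers: Dict[str, TokenService]
    user_repo: Dict[str, Tuple[str, List[str]]]  # username -> (password digest, roles)

    def handle_request(self, sso_token_server_name: str, ticket: str) -> List[str]:
        service = self.token_servers.get(sso_token_server_name)
        if service is None:
            raise PermissionError("unknown SSO Token Server Name")
        username, password = service.redeem(ticket)
        if "\\" in username:  # basic credentials only; DOMAIN\user (NTLM-style) is rejected
            raise PermissionError("NTLM-style credentials are not accepted")
        record = self.user_repo.get(username)
        if record is None or not hmac.compare_digest(record[0], _digest(password)):
            raise PermissionError("authentication failed")
        return record[1]  # authorization information for the authenticated user


def outcome(server: MashZoneServer, name: str, ticket: str) -> str:
    """Collapse the three possible results into one label for logs or assertions."""
    try:
        return "ok:" + ",".join(server.handle_request(name, ticket))
    except LoginChallenge:
        return "login-challenge"
    except PermissionError as err:
        return "rejected:" + str(err)


def walkthrough() -> Dict[str, str]:
    """Runs both scenarios from the text against constructed sample data."""
    store = SecureStore()
    tokens = TokenService(store)
    server = MashZoneServer(
        token_servers={"sp-tokens": tokens},
        user_repo={"alice": (_digest("pw-alice"), ["viewer"]),
                   "bob": (_digest("pw-bob"), ["editor"])},
    )
    results: Dict[str, str] = {}
    # Shared repository: alice's credentials are already stored, so there is no challenge.
    store.save("MashZoneApp", "alice", "alice", "pw-alice")
    t = tokens.issue("alice", "MashZoneApp")
    results["shared_first"] = outcome(server, "sp-tokens", t)
    results["replayed_ticket"] = outcome(server, "sp-tokens", t)
    results["unknown_server_name"] = outcome(server, "no-such-name", tokens.issue("alice", "MashZoneApp"))
    # Distinct repositories: bob has nothing stored yet, so the first access is challenged.
    results["distinct_first"] = outcome(server, "sp-tokens", tokens.issue("bob", "MashZoneApp"))
    store.save("MashZoneApp", "bob", "bob", "pw-bob")  # bob answers the one-time challenge
    results["distinct_second"] = outcome(server, "sp-tokens", tokens.issue("bob", "MashZoneApp"))
    # A stored NTLM-style user name is refused, as the note above states.
    store.save("MashZoneApp", "carol", "CORP\\carol", "pw-carol")
    results["ntlm_name"] = outcome(server, "sp-tokens", tokens.issue("carol", "MashZoneApp"))
    return results
```

Running `walkthrough()` shows the shape of the design: the only secret-bearing step is the server-side redemption, which is why an unknown SSO Token Server Name or a replayed ticket fails before any credential is touched, and why the distinct-repository case costs exactly one challenge per SSO Application.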