http://technet.microsoft.com/en-us/library/ee806889.aspx
In Microsoft SharePoint Server 2010, the Secure Store Service replaces the single sign-on (SSO) feature. The Secure Store Service is a claims-aware authorization service that includes a secure database for storing credentials that are associated with application IDs. These application IDs can be used to authorize access to external data sources.
In this article:
- About the Secure Store Service
- Secure store service preparation
- Application IDs
- Secure store service mappings
- Secure store service and claims authentication
About the Secure Store Service
The Secure Store Service is an authorization service that runs on an application server. The Secure Store Service provides a database that is used to store credentials (consisting of a user identity and password) for application IDs that can be used by applications to authorize access to shared resources. For example, SharePoint Server 2010 can use the secure store database to store and retrieve credentials for access to external data sources. The Secure Store Service provides support for storing the credentials of multiple back-end systems using multiple application IDs.
Secure store service preparation
When you prepare to deploy the Secure Store Service, be aware of the following important guidelines:
- Run the Secure Store Service in a separate application pool that is not used for any other service.
- Run the Secure Store Service on a separate application server that is not used for any other service.
- Create the secure store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases.
- Before you generate a new encryption key, back up the secure store database. You should also back up the secure store database after it is initially created, and again each time credentials are reencrypted. When a new key is generated, the credentials can be re-encrypted with the new key. If the key refresh fails, or the passphrase is forgotten, the credentials will not be useable.
- Back up the encryption key after initially setting up the Secure Store Service, and back up the key again each time it is regenerated.
- Do not store the backup media for the encryption key in the same location as the backup media for the secure store database. If a user obtains a copy of both the database and the key, the credentials stored in the database could be compromised.
Application IDs
Each Secure Store Service entry contains an application ID that is used to retrieve a set of credentials from the secure store database. Each application ID can have permissions applied so that only specific users or groups can access the credentials that are stored for the application ID. Applications use application IDs to retrieve credentials from the secure store database on behalf of a user. The application can then use the retrieved credentials to access a data source.
Application IDs are used to map users to credential sets. Mappings are available for groups or individuals. In a group mapping, every user who is a member of a specific domain group is mapped to the same set of credentials. In an individual mapping, each individual user is mapped to a unique set of credentials.
Secure store service mappings
The Secure Store Service supports individual mappings and group mappings. The Secure Store Service maintains a set of credentials for the application IDs of resources that are stored in the secure store database. Individual credentials for an application are retrieved based on the application ID. Individual mappings are useful if you need logging information about individual user access to shared resources. For group mappings, a security layer checks group credentials for multiple domain users against a single set of credentials for a resource identified by an application ID that is stored in the secure store database. Group mappings are easier to maintain than individual mappings, and can provide improved performance.
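The following script is an added example, not part of the TechNet article, that carries out the preparation guidelines above (back up first, then generate and refresh the encryption key) and then creates a group-mapped application ID of the kind this section describes. It uses the SharePoint 2010 Management Shell cmdlets; the site URL, domain groups, application ID name, contact address and backup path are placeholders, and the farm backup item name must be taken from `Backup-SPFarm -ShowTree` on your own farm.

```powershell
# Run in the SharePoint 2010 Management Shell on a farm that already has a Secure Store
# service application and proxy. All names below are placeholders, not real values.
$siteUrl    = "http://sharepoint.example.local"      # any site in the proxy's service context
$backupDir  = "\\backup-srv\spbackup\securestore"    # database backup media
$adminGroup = "CONTOSO\SecureStoreAdmins"            # may administer the entry
$userGroup  = "CONTOSO\CrmReaders"                   # every member maps to one credential set
$backupItem = "Secure Store Service Application"     # placeholder: read the real name from -ShowTree

# 1. Back up the secure store database before generating a new key (article guideline).
Backup-SPFarm -Directory $backupDir -BackupMethod Full -Item $backupItem

# 2. Generate a new master key, then refresh the server key so stored credentials are
#    re-encrypted. Keep the passphrase with the key backup, away from the database backup.
$proxy = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like "*Secure Store*" }
$passphrase = Read-Host -Prompt "New master key passphrase"
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# 3. Back up again now that the credentials have been re-encrypted with the new key.
Backup-SPFarm -Directory $backupDir -BackupMethod Full -Item $backupItem

# 4. Define a group-mapped application ID for an external data source.
$ctx = Get-SPServiceContext -Site $siteUrl
$target = New-SPSecureStoreTargetApplication -Name "CrmDb" -FriendlyName "CRM database" `
            -ContactEmail "securestore-admins@example.local" -ApplicationType Group
$userField = New-SPSecureStoreApplicationField -Name "UserName" -Type WindowsUserName
$passField = New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked

# Administrators manage the entry; only members of $userGroup may retrieve its credentials.
$admins  = New-SPClaimsPrincipal -Identity $adminGroup -IdentityType WindowsSecurityGroupName
$members = New-SPClaimsPrincipal -Identity $userGroup  -IdentityType WindowsSecurityGroupName
$app = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $target `
         -Fields $userField, $passField -Administrator $admins -CredentialsOwnerGroup $members

# 5. Store the single shared credential set for the group mapping (prompted, never hard-coded).
$svcUser = Read-Host -Prompt "Service account (DOMAIN\user)" | ConvertTo-SecureString -AsPlainText -Force
$svcPass = Read-Host -Prompt "Service account password" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $svcUser, $svcPass
```

For an individual mapping, create the target application with `-ApplicationType Individual` and set each user's credentials with `Update-SPSecureStoreCredentialMapping -Principal <claim>` instead of the group cmdlet.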
Secure store service and claims authentication
The Secure Store Service is a claims-aware service. It can accept security tokens and decrypt them to get the application ID, and then perform a lookup. When a SharePoint Server 2010 Security Token Service (STS) issues a security token in response to an authentication request, the Secure Store Service decrypts the token and reads the application ID value. The Secure Store Service uses the application ID to retrieve credentials from the secure store database. The credentials are then used to authorize access to resources.