Single Sign-On Support for the WCF Adapters

You can configure Enterprise Single Sign-On (SSO) for use with a WCF receive location or send port by using the BizTalk Administration console. This topic describes how SSO works with the WCF adapters.

In an enterprise environment, where a user interacts with various systems and applications, it is likely that the environment does not maintain the user context through multiple processes, products, and computers. This user context is crucial to providing single sign-on capabilities, because it is necessary to verify who initiated the original request. To overcome this problem Enterprise Single Sign-On (SSO) provides an SSO ticket (not a Kerberos ticket) that applications can use to get the credentials that correspond to the user who made the original request.

When a receive adapter gets a message, the adapter can request an SSO ticket from an SSO server. This encrypted ticket contains the Windows identity of the user that made the request and a time-out period. After the ticket is acquired, it is added as a property to the incoming message. When a send adapter transmits a message, the adapter contacts an SSO server with the issued SSO ticket and an affiliate application name for which the adapter is trying to retrieve a credential. The SSO server looks up the user credential for the target affiliate application, and then returns the credential to the send adapter, which uses it to send an appropriately authenticated message to the affiliate application.

Single Sign-On Support for the WCF Receive Locations

The applied security settings combined with the type of a WCF adapter used for a receive location decide whether the WCF receive adapter can issue SSO tickets. For the WCF receive adapter to issue an SSO token, WCF clients have to send a credential that the adapter can impersonate. Impersonation is the ability of a server application to take on the identity of the client. The credential must map to a valid Windows user account for proper impersonation.

Note

For the security settings and the WCF adapters that do not demand the clients to send credentials for impersonation, you can issue SSO tickets with any type of credentials that the clients send in a custom receive pipeline component. For more information about how to handle SSO tickets in receive pipeline components, see the sample pipeline component, InPipelineComp, included in File Inventory for the Service Oriented Solution.

Single Sign-On Support for the WCF-BasicHttp Receive Location

The WCF-BasicHttp receive adapter can issue an SSO ticket from the SSO server only in the security configurations shown in the following table.

Note

For more information about mapping a certificate to a Windows user account, see "Mapping certificates to user accounts" at https://go.microsoft.com/fwlink/?LinkId=87478.

Security mode Transport client credential type Message client credential type
Transport Basic N/A
Transport Digest N/A
Transport Ntlm N/A
Transport Windows N/A
Transport Certificate N/A
Message N/A UserName
Message N/A Certificate
TransportWithMessageCredential N/A Certificate
TransportWithMessageCredential N/A UserName
TransportCredentialOnly Basic N/A
TransportCredentialOnly Digest N/A
TransportCredentialOnly Ntlm N/A
TransportCredentialOnly Windows N/A
TransportCredentialOnly Certificate N/A

Single Sign-On Support for the WCF-WSHttp Receive Location

The WCF-WSHttp receive adapter can issue an SSO ticket from the SSO server only in the security configurations shown in the following table.

Security mode Transport client credential type Message client credential type
Transport Basic N/A
Transport Digest N/A
Transport Ntlm N/A
Transport Windows N/A
Transport Certificate N/A
Message N/A UserName
Message N/A Windows
Message N/A Certificate
TransportWithMessageCredential N/A Windows
TransportWithMessageCredential N/A Certificate
TransportWithMessageCredential N/A UserName

Single Sign-On Support for the WCF-NetTcp Receive Location

The WCF-NetTcp receive adapter can issue an SSO ticket from the SSO server only in the security configurations shown in the following table.

Security mode Transport client credential type Message client credential type
Transport Windows N/A
Transport Certificate N/A
Message N/A Certificate
Message N/A Windows
Message N/A UserName
TransportWithMessageCredential N/A Certificate
TransportWithMessageCredential N/A Windows
TransportWithMessageCredential N/A UserName

Single Sign-On Support for the WCF-NetNamedPipe Receive Location

The WCF-NetNamedPipe receive adapter can issue an SSO ticket from the SSO server only in the security configurations shown in the following table.

Security mode Transport client credential type Message client credential type
Transport N/A N/A

Single Sign-On Support for the WCF-Custom and the WCF-CustomIsolated Receive Location

For the WCF-Custom and WCF-CustomIsolated receive locations to issue SSO tickets, the security settings used in the receive locations require the WCF clients to send credentials that can be impersonated by Windows Communication Foundation. WCF supports impersonation for various types of client credentials. For more information about the credential types that WCF supports for impersonation, see "Delegation and Impersonation with WCF" at https://go.microsoft.com/fwlink/?LinkId=87476.

Single Sign-On Support for the WCF Send Ports

For the WCF send ports, you can specify an affiliate application name to use for SSO only in the security configurations shown in the following table.

Security mode Transport client credential type Message client credential type
Transport Digest N/A
Transport Basic N/A
Message N/A UserName

Note

For a WCF send port to validate and redeem an SSO ticket properly, the SSOTicket and OriginatorSID context properties must be available in a message to be sent. A receive location with Single Sign-On enabled can promote these properties from a sender's Windows account.

See Also

Enterprise Single Sign-On