BCS Secure Store Services

This is our third look at Business Connectivity Authentication, you can check out our two earlier articles here:

Business Connectivity Services Authentication

Business Connectivity Services PassThrough and RevertToSelf

Secure Store Service

The Secure Store Service provides you with the ability to store many credentials in the form of User Name and Password, Tokens, Pins, or Strings. Within a Secure Service Application you will design the schema providing the required information to authenticate. Usually the minimum is username and password which might be two string fields or a Windows Username and Windows Password.

Within the Secure Store Application you map at user or group level the credentials that will be passed to the database. Using the Secure Store Service you can connect to the data source using Federated, Delegated or Impersonated Authentication. When connecting to the Line of Business System, the BCS runtime passes the mapped credentials from the Secure Store Service to the data source.

If you don’t already have a Secure Store Application, you will need to create one. This is done by going to Application Management in Central Administration and then Manage Service Applications. Within that screen you can create a new Secure Store Application as shown below.

Create new Secure Store Service

The Secure Store is storing highly sensitive data and therefore needs to be encrypted. Before you configure the application, it is a good idea to generate the key used to encrypt the contents of the store. The Encryption key should also be backed up.

Create encryption key

The Target application can then be created, allowing you to design the schema of the information passed to the data source.

details to pass to data source

more details to pass

Once you have created the application, you can Set Credentials using the drop down menu on the Application.

Set credentials to use for Secure Store Service

The final thing to do is configure you External Content Type to point to the Secure Store Target Application ID.

The Office Client applications can also make use of single sign on. They do this using an application called Credman and this has to be configured on the client machine itself. This allows users to store credentials themselves which will often require the assistance of Administrators to key in any service account passwords etc. However this does mean that Single Sign on can be used via SharePoint Workspace and Outlook etc.

Once you have Secure Store Service configured, within SharePoint Designer you will need to select ‘Connect with Impersonated Windows Identity’ and enter the Secure Store Application ID that you created earlier.

Set the Secure Store Service Application ID in SPD

If you are authenticated you will be able to connect to the data source using Secure Store Service.

One other type of Authentication supported is Claims based Federated Authentication. This allows WCF web services to pass credentials to a Secure Token Service which can be a SharePoint Secure Token Service or third party. You can then be authenticated based upon a claim against an identity. An example would be that you are authorised because you are older than 18 years of age, or that you have any other property value against a profile somewhere. A generated SAML token is then passed to the backend datasource. Federated Authentication will be covered in more detail in a future post.


Leave a comment