Share via


How to: Use Secure Store Service to Connect to an External System

Applies to: SharePoint Server 2010

In this article
Target Application Types
Logon Account Information for Users
Account Information for a Target Application

It is very common for Microsoft Business Connectivity Services (BCS) solutions to try to authenticate to an external system in which the current user is known differently or has a different account for authentication. In such cases, the Secure Store Service can be used to store and map user credentials that are required by the external system. You can also configure the Secure Store Service so that multiple users can access an external system by using a single set of credentials on that external system.

For example, if a user named Fred has one account on the server running SharePoint Server and another in a CRM application, the Secure Store Service mechanism allows his CRM credentials to be stored in the Secure Store Service database on SharePoint Server. As a result, if he uses a Business Connectivity Services solution to get data from the CRM application, Business Connectivity Services looks up the Secure Store Service database on the server and provides his credentials to CRM. In this way, Fred automatically logs on to the CRM application without having to log onto the CRM application separately.

Secure Store Service is also useful if there is a double-hop issue when connecting to the external system, that is, if SharePoint Server and the external system you are connecting to are on different computers. In such a case, you can either use RevertToSelf as the authentication mechanism, where a network account that hosts the Business Connectivity Services service is given permission on the external system, or you can use Secure Store Service and map the users' account with his or her own credentials.

To provide similar functionality on Microsoft Office clients, Business Connectivity Services provides a Secure Store Service provider that uses the Windows Credential Store.

In the Secure Store Service environment, the external systems are referred to as target applications. For each external system that a Business Connectivity Services solution connects to, you must configure a corresponding target application in the Secure Store Service by using SharePoint Server Central Administration.

Warning

You can also create a custom Secure Store provider to store and map user credentials that are required by the external system by implementing the ISecureStoreProvider interface that is available in Microsoft SharePoint 2010. However, be aware that Microsoft SharePoint Designer 2010 does not support creation of external content types that use a custom Secure Store provider implementation.

Target Application Types

There are several types of target applications. They fall into two broad categories: individual target applications and group target applications. The type of target applications corresponds to the type of account that is used to map user credentials. If each user has an account in the target application, choose the individual type. If the target application uses one account for all users, choose the group type. The remaining target application types are based on these two main types. The following table provides descriptions of all the Secure Store Service target applications types that are available. Table 1 describes the target application types.

Table 1. Target application types

Target Application Type

Description

Individual target applications

Individual

Used for mapping each individual to a unique set of credentials on the external system.

IndividualWithTicketing

Used for mapping each individual to a unique set of credentials on the external system and can issue tickets that can be redeemed later to get credentials by another account, which typically is a service account. The account that redeems the ticket should be a member of the ticket redeemers of the target application. For more information about how to retrieve and redeem tickets, see the IssueTicket() method and GetCredentialsUsingTicket(String, String) method of the SecureStoreProvider class.

RestrictedIndividual

Used for mapping each individual to a unique set of credentials on the external system that has restricted access to the calling context. To retrieve these credentials, the GetRestrictedCredentials(String) method must be called. The Secure Store Service provider allows only fully-trusted code to make calls to the GetRestrictedCredentials method.

Group target applications

Group

Used for mapping all the members of one or more groups to a single set of credentials on the external system.

GroupWithTicketing

Used for mapping all the members of one or more groups to a single set of credentials on the external system, and can issue tickets that can be later redeemed to get credentials by another account, which typically is a service account. The account that tries to redeem the ticket should be a member of the ticket redeemers of the target application. For more information about how to retrieve and redeem tickets, see the IssueTicket() method and GetCredentialsUsingTicket(String, String) method of the SecureStoreProvider class.

RestrictedGroup

Used for mapping all the members of one or more groups to a single set of credentials on the external system that have restricted access to the calling context. To retrieve these credentials, the GetRestrictedCredentials(String) method must be called. The Secure Store Service provider allows only fully-trusted code to make calls to the GetRestrictedCredentials method.

Logon Account Information for Users

Typically, only a user name and password are required. Some highly secure environments might require additional pieces of user identification. Some systems might also require additional information from users to identify the application. For example, for access to Oracle, users might enter the information shown in Table 2.

Table 2. Information users might enter for access to Oracle

In this field

Enter this information

Field 1

Oracle user name

Field 2

Oracle user password (select Yes for the Mask option)

Field 3

Oracle database name

To access a CRM application, users might enter the information shown in Table 3.

Table 3. Information users might enter for access to a CRM application

In this field

Enter this information

Field 1

CRM user name

Field 2

CRM password (select Yes for the Mask option)

Field 3

CRM system number

Field 4

CRM client number

Field 5

Language

Account Information for a Target Application

If you are using a group account to connect to the enterprise application, you have to provide the account credentials. After adding a target application, a Secure Store Service administrator or a member of the target application administrator account specifies the account name and password used to connect to the external system by using the Secure Store Service administration user interface in SharePoint Central Administration.

The administrator who enters the account information for an external system in the Secure Store Service by using the SharePoint Central Administration site must also know the password for the group account.

To learn how to create target applications and configure account credentials in the Secure Store Service, see Configure the Secure Store Service (SharePoint Server 2010).

See Also

Tasks

How to: Use Credentials from the Secure Store Service to Connect to the External System