User Guide for Microsoft BizTalk Server 2006 R2 Standard, IT Disk Kit, MVL DVD 5 MLF D75-01324
Figure 13: Enterprise Single Sign-On allows mapping between a user’s Windows credentials and those required for other systems.
In this example, a message sent to a BizTalk application is processed by an orchestration, then sent to
an affiliate application running on an IBM mainframe. The job of Enterprise Single Sign-On is to make
sure that the correct credentials (e.g., the right username and password) are sent with the message
when it is passed to the affiliate application.
As the diagram shows, when a receive adapter gets a message, the adapter can request an SSO ticket
from SSO server A (step 1). This encrypted ticket contains the Windows identity of the user that made
the request and a timeout period. (Don’t confuse this with a Kerberos ticket—it’s not the same thing.)
Once it’s acquired, the SSO ticket is added as a property to the incoming message. The message then
takes its normal path through BizTalk Server 2006 R2, which in this example means being handled by
an orchestration. When this orchestration generates an outgoing message, that message also contains
the SSO ticket acquired earlier.
This new message is destined for the application running on an IBM mainframe, and so it must contain
the appropriate credentials for this user to access that application. To get these credentials, the send
adapter contacts SSO server B (step 2), supplying the message (which contains the SSO ticket) it just
received and the name of the affiliate application it wishes to retrieve the credentials for. This operation,
called redemption, causes SSO server B to verify the SSO ticket, and then look up this user’s
credentials for that application (step 3). SSO Server B returns those credentials to the send adapter
(step 4), which uses them to send an appropriately-authenticated message to the affiliate application
(step 5).
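The five steps above, modelled as an added Python example that is not BizTalk's own code or API: SSO server A issues a ticket binding the Windows identity to a timeout, the receive adapter attaches it to the message, and SSO server B verifies it at redemption before returning the mapped credentials. The ticket is sealed with an HMAC here instead of being encrypted, and the key and the credential-mapping store are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. Real SSO servers obtain shared keys from the master secret
# server, which this model leaves out.
SSO_KEY = b"constructed-demo-sso-key"
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

# Constructed mapping store: (Windows identity, affiliate app) -> external credentials.
MAPPINGS = {("CONTOSO\\alice", "MainframeApp"): ("ALICE01", "mf-password")}


def issue_ticket(windows_user, ttl_seconds=300, now=None, key=SSO_KEY):
    """SSO server A (step 1): bind the caller's Windows identity to an expiry and seal it."""
    now = time.time() if now is None else now
    body = json.dumps({"user": windows_user, "exp": now + ttl_seconds}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def receive_adapter(windows_user, body, now=None):
    """Receive adapter: request a ticket and attach it as a property of the incoming message."""
    return {"SSOTicket": issue_ticket(windows_user, now=now), "body": body}


def redeem_ticket(ticket, affiliate_app, now=None):
    """SSO server B (steps 2-4): verify the ticket, then look up the mapped credentials."""
    now = time.time() if now is None else now
    try:
        raw = base64.b64decode(ticket)
    except ValueError:
        raise PermissionError("malformed ticket")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SSO_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong length or wrong key both fail here
        raise PermissionError("ticket tampered or not sealed by a trusted SSO server")
    claims = json.loads(body)
    if now > claims["exp"]:
        raise PermissionError("ticket expired")
    creds = MAPPINGS.get((claims["user"], affiliate_app))
    if creds is None:
        raise LookupError(f"no mapping for {claims['user']} to {affiliate_app}")
    return creds


def send_adapter(message, affiliate_app, now=None):
    """Send adapter: redeem the ticket carried on the message, then build the step-5 call."""
    ext_user, ext_password = redeem_ticket(message["SSOTicket"], affiliate_app, now)
    return {"to": affiliate_app, "user": ext_user, "password": ext_password, "body": message["body"]}
```

Expired, forged and unmapped tickets are all refused at redemption, so the affiliate application never sees a request that was not tied to a verified Windows identity.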