
ENTSSO Examples

Let's look at two examples, one of Windows-initiated SSO and one of host-initiated SSO, in an ENTSSO environment. The first example uses BizTalk ENTSSO; the second uses HIS ENTSSO.

In the Windows-initiated SSO sequence that Figure 4 shows, a user who's logged on to a Windows environment uses a front-end Web server that interacts with a BizTalk server. The BizTalk server accesses SAP data that an SAP ERP application hosts. In this example, the user, the front-end Web server, the BizTalk server, and the SAP server exchange the following messages:

1. The user accesses the Web application, which includes code that uses a BizTalk HTTP adapter to drop a data request into the BizTalk MessageBox. The MessageBox is a key part of BizTalk Orchestration Services, an advanced application messaging and workflow solution.

2. The BizTalk HTTP adapter impersonates the user and requests an ENTSSO ticket from the ENTSSO server. Tickets are an ENTSSO concept (not to be confused with Kerberos or other tickets) that lets BizTalk components pass a user's identity along with a message and later request that user's credentials from the ENTSSO server. The ticket carries the identity, not the credentials.

3. The BizTalk HTTP adapter on the Web server drops the data request and the ENTSSO ticket into the BizTalk MessageBox.

4. While the request is in the MessageBox, BizTalk Orchestration Services transform it into an SAP data request.

5. The BizTalk SAP adapter, a specialized BizTalk adapter that understands SAP messaging protocols, retrieves the SAP data request and the ENTSSO ticket from the BizTalk MessageBox.

6. The BizTalk SAP adapter redeems the ENTSSO ticket to request the user's SAP credentials from ENTSSO. Those credentials are stored encrypted; to decrypt them, the ENTSSO service must first obtain the master secret from the ENTSSO master secret server.

7. The BizTalk SAP adapter uses the user's SAP credentials to access the SAP ERP application.
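To make the sequence concrete, here is a small Python model of steps 1 through 7, added for this edition of the article. It is not code from Microsoft, BizTalk, or the ENTSSO SDK, and every detail in it is an assumption made for illustration: the ticket encoding (an HMAC-signed JSON claim set), the HMAC-SHA256 counter-mode construction that stands in for ENTSSO's own credential protection, a two-minute ticket lifetime, the affiliate application name SAP_ERP, the account CORP\alice, and the sample request. What it shows that the list alone does not: the only secret that crosses the MessageBox is a ticket that names the user, so a forged, altered, stale, or wrongly targeted ticket is refused, and the stored SAP password can be decrypted only where the master secret is reachable.

```python
import base64
import hashlib
import hmac
import json
import os

TICKET_LIFETIME_SECONDS = 120  # assumed here; ENTSSO's default ticket timeout is two minutes


class MasterSecretServer:
    """The one ENTSSO server that holds the master secret (step 6)."""
    def __init__(self) -> None:
        self._secret = os.urandom(32)

    def master_secret(self) -> bytes:
        return self._secret


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for ENTSSO's real (CryptoAPI-based) protection.
    out = b""
    for counter in range(-(-length // 32)):
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
    return out[:length]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a credential record under keys derived from the master secret."""
    nonce = os.urandom(16)
    stream = _keystream(_prf(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_prf(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_prf(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored credential record was tampered with")
    stream = _keystream(_prf(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class EntssoService:
    """Issues identity tickets and redeems them for affiliate-application credentials."""
    def __init__(self, mss: MasterSecretServer) -> None:
        self._mss = mss
        self._ticket_key = _prf(mss.master_secret(), b"ticket")
        self._store = {}  # (affiliate application, Windows user) -> sealed credential record

    def add_mapping(self, app: str, windows_user: str, external_user: str, password: str) -> None:
        record = json.dumps({"user": external_user, "password": password}).encode()
        self._store[(app, windows_user)] = seal(self._mss.master_secret(), record)

    def issue_ticket(self, windows_user: str, now: float) -> str:
        # Step 2: the ticket names the caller and its issue time; it never carries credentials.
        claims = {"user": windows_user, "issued": now, "nonce": os.urandom(8).hex()}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._ticket_key, body, hashlib.sha256).digest()
        return base64.b64encode(body + tag).decode()

    def redeem_ticket(self, app: str, ticket: str, now: float):
        # Step 6: authenticate the ticket, check its age, then decrypt the mapped credentials.
        raw = base64.b64decode(ticket)
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._ticket_key, body, hashlib.sha256).digest()):
            raise PermissionError("ticket is forged or was altered in transit")
        claims = json.loads(body)
        if now - claims["issued"] > TICKET_LIFETIME_SECONDS:
            raise PermissionError("ticket expired")
        blob = self._store.get((app, claims["user"]))
        if blob is None:
            raise LookupError(f"no {app} credentials are mapped for {claims['user']}")
        record = json.loads(unseal(self._mss.master_secret(), blob))
        return record["user"], record["password"]


def windows_initiated_sso(sso: EntssoService, windows_user: str, now: float) -> dict:
    """Steps 1-7 as one exchange; the only secret that enters the MessageBox is the ticket."""
    message_box = []
    # Steps 1-3: the HTTP adapter, impersonating the user, drops the request plus a fresh ticket.
    message_box.append({"request": {"material": "MAT-1001"},  # constructed sample request
                        "ticket": sso.issue_ticket(windows_user, now)})
    # Step 4: orchestration reshapes the request for SAP; the ticket travels with it unchanged.
    msg = message_box.pop(0)
    sap_request = {"rfc": "GET_MATERIAL_DETAIL", "MATNR": msg["request"]["material"]}  # constructed
    # Steps 5-7: the SAP adapter redeems the ticket and would log on to SAP with the result.
    external_user, password = sso.redeem_ticket("SAP_ERP", msg["ticket"], now)
    return {"sap_user": external_user, "sap_password": password, "sap_request": sap_request}


def demo() -> dict:
    sso = EntssoService(MasterSecretServer())
    sso.add_mapping("SAP_ERP", r"CORP\alice", "ALICE", "s3cret!")  # constructed affiliate mapping
    return windows_initiated_sso(sso, r"CORP\alice", now=1_700_000_000.0)
```

Calling demo() walks the exchange once and returns the SAP user name and password the adapter would use in step 7. The real service additionally restricts which Windows accounts may redeem a ticket for a given affiliate application; that access check is omitted here.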

In the host-initiated SSO sequence that Figure 5 shows, a user who's logged on to a mainframe uses a mainframe application that interacts with a Windows-based SQL Server database. In this example, the user, the mainframe, the mainframe application, the SQL Server database, and the HIS server exchange the following messages:

1. The user logs on to the mainframe to use the mainframe application.

2. To access the SQL Server database, the mainframe application calls on the HIS Transaction Integrator.

3. The HIS Transaction Integrator calls on ENTSSO to obtain the Windows account name that's mapped to the user's mainframe user ID.

4. ENTSSO calls on a Windows domain controller (DC) to obtain a Windows access token for that account, without needing the user's Windows password, via the Kerberos protocol transition feature (part of the constrained delegation support that Microsoft introduced in Windows Server 2003). The ENTSSO service forwards the access token to the HIS Transaction Integrator.

5. The HIS Transaction Integrator uses Integrated Windows authentication and the user's access token to access the SQL Server database on the user's behalf.

Additional Features and Weaknesses

In an ENTSSO environment, password synchronization is a valuable feature. It keeps user passwords on different platforms in sync and automates the distribution of user- or administrator-initiated password changes. To find out more about this feature, see the Web-exclusive sidebar "HIS ENTSSO Password Synchronization," http://www.windowsitpro.com, InstantDoc ID 44408.

ENTSSO is a valuable service for extending the Windows platform's integrated SSO capabilities to non-Windows applications and platforms. The service is relatively new, however, and Microsoft needs to do some work on the documentation side. Documented use cases and deployment scenarios would be a welcome addition, and ENTSSO would also benefit from a comprehensive administration GUI.
