Tony Rockwell – Info

sharepoinTony@info – Cloud Computing adventures

SSO Tips

Posted by sharepoinTony on August 24, 2010

There are lots of blogs out there talking about the problems people have setting up SSO (Single Sign On) in SharePoint 2007 implementations.  There are also quite a few that run down the steps to do it and state that it is easy.  What is the disconnect between these two “camps” talking about SSO setup?

Well, one thing (IMHO) is that the ease of the process depends on YOUR environment and YOUR knowledge of what SSO is, how it works, and what you plan to do with it. So my first (and most important) tip is to take the time to learn about SSO and what you want to accomplish by using it before you attempt to configure it.

My other tips are:

Enterprise Application Definitions –

  • If you are planning to use Groups, create an Enterprise Application Definition for each group
  • Configuration steps often talk about creating AD groups for SSO Administrators and SSO Managers; those groups control who may administer the SSO service and are NOT the groups you map here
  • The Account Type selection of Group is used when you want to connect to the data source using the same account for every user in the designated AD group
    • For example, if you are going against an HR database and you have an AD group for HR managers who are allowed to see data from that source, an SSO Enterprise Application Definition lets you map the group to an account with permissions to access that data, and that one account is used for everyone in the HR AD group
    • Caveat: the data source then sees a single login for the whole group, so its own audit trail cannot tell the HR managers apart, and every member of the AD group gets exactly the rights of the mapped account. Give that account only the permissions the group actually needs, and keep membership of the AD group tightly controlled
  • Things you cannot change for an Enterprise Application Definition after it is created (get them wrong and you will have to recreate the definition):
    • Account Type
    • Authentication (the Windows authentication check box)
  • Authentication is not clearly described in many places, here are the basics:
    • Select the Windows authentication check box if the credentials you will store are Windows (domain) accounts and the external data source is reached with Windows authentication (for example, a data source that requires it)
    • Leave the Windows authentication check box unchecked if the credentials you will store are application logins, for example a SQL Server login. SQL Server in mixed mode accepts either kind; if you are not sure which mode the server is in, SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') returns 1 when only Windows authentication is accepted and 0 for mixed mode
  • Make sure you log in to Central Admin with the “Enterprise Application Definition Administrator” account when you create your definitions, otherwise you will run into permission problems
  • After you create a definition using the Account Type of Group, don’t forget to update the ‘account information for enterprise application definitions’; this is where you enter the AD group that you want to map to a specific account for accessing the data source, and until you do, users in the group get no credentials at all
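To make the Group mapping concrete, here is a small model of the behaviour described above. It is an added, constructed example and not SharePoint code: the class names, the sample CONTOSO accounts and groups, and the way the Windows authentication flag is turned into a connection string are all my assumptions about the mechanism, not the real SSO service. What it shows is that an Individual definition stores one credential per user, a Group definition stores one credential per AD group that every member inherits, Account Type and Authentication are fixed once the definition exists, and a Group definition without its account information set hands out no credentials.

```python
"""Toy model of MOSS 2007 SSO enterprise application definitions.

Constructed example, not SharePoint code. Models Individual vs Group account
types, the Windows-authentication flag (both read-only after creation) and the
AD group -> shared account mapping that every group member inherits.
"""
from typing import Dict, FrozenSet, List


class Credential:
    """A stored credential (the real SSO database stores this encrypted)."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password


class EnterpriseApplicationDefinition:
    ACCOUNT_TYPES = ("Individual", "Group")

    def __init__(self, name: str, account_type: str, windows_authentication: bool) -> None:
        if account_type not in self.ACCOUNT_TYPES:
            raise ValueError(f"account type must be one of {self.ACCOUNT_TYPES}")
        self.name = name
        # Both fields are exposed as read-only properties: like the Central Admin
        # page, you cannot change them after the definition is created.
        self._account_type = account_type
        self._windows_authentication = windows_authentication
        self._individual: Dict[str, Credential] = {}  # user -> credential
        self._group: Dict[str, Credential] = {}       # AD group -> shared credential

    @property
    def account_type(self) -> str:
        return self._account_type

    @property
    def windows_authentication(self) -> bool:
        return self._windows_authentication

    def set_individual_credentials(self, user: str, username: str, password: str) -> None:
        if self._account_type != "Individual":
            raise ValueError(f"{self.name} is a Group definition; set group credentials instead")
        self._individual[user] = Credential(username, password)

    def set_group_credentials(self, ad_group: str, username: str, password: str) -> None:
        """The 'account information' step that is easy to forget."""
        if self._account_type != "Group":
            raise ValueError(f"{self.name} is an Individual definition; set per-user credentials instead")
        self._group[ad_group] = Credential(username, password)

    def resolve(self, user: str, memberships: FrozenSet[str]) -> Credential:
        """Return the credential the data source would be given on behalf of `user`."""
        if self._account_type == "Individual":
            cred = self._individual.get(user)
            if cred is None:
                raise LookupError(f"no credentials stored for {user} in {self.name}")
            return cred
        matches: List[str] = [g for g in self._group if g in memberships]
        if not matches:
            raise LookupError(f"{user} is in no AD group mapped for {self.name} (account information not set?)")
        if len(matches) > 1:
            # Model assumption: treat this as ambiguous. One definition per group avoids it.
            raise LookupError(f"{user} matches several mapped groups: {sorted(matches)}")
        return self._group[matches[0]]


def sql_connection_string(app: EnterpriseApplicationDefinition, cred: Credential,
                          server: str, database: str) -> str:
    """Model assumption: with the Windows-authentication flag set, the stored
    credential is a domain account that the caller impersonates before connecting,
    so the string carries no login; otherwise the credential is a SQL login."""
    if app.windows_authentication:
        return f"Server={server};Database={database};Integrated Security=SSPI"
    return f"Server={server};Database={database};User ID={cred.username};Password={cred.password}"


def demo() -> Dict[str, object]:
    """Two HR managers and one outsider hit the HR database through one Group definition.
    Returns the login each user is seen as by the database (None = no credentials)."""
    hr = EnterpriseApplicationDefinition("HRDB", "Group", windows_authentication=False)
    hr.set_group_credentials("CONTOSO\\HR Managers", "hr_reader", "s3cret")
    members = {  # constructed sample AD memberships
        "CONTOSO\\alice": frozenset({"CONTOSO\\HR Managers", "CONTOSO\\Domain Users"}),
        "CONTOSO\\bob": frozenset({"CONTOSO\\HR Managers"}),
        "CONTOSO\\carol": frozenset({"CONTOSO\\Domain Users"}),
    }
    seen_by_db: Dict[str, object] = {}
    for user, groups in members.items():
        try:
            seen_by_db[user] = hr.resolve(user, groups).username
        except LookupError:
            seen_by_db[user] = None
    return seen_by_db


if __name__ == "__main__":
    for user, login in demo().items():
        print(f"{user} -> {login}")
```

Running it shows alice and bob both arrive at the database as hr_reader, which is exactly the audit caveat above: the database log records hr_reader twice and cannot say which manager ran the query. carol, who is not in the mapped group, gets nothing.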

Configuration –

  • Make your life easier and just create a dedicated SSO Administrator account; don’t try to use an existing account. It can be done, but it also can get confusing
  • If you are in a small environment you should still create the SSO Administrators and SSO Managers AD groups as suggested by Robert Bogue (http://thorprojects.com/blog/archive/2008/08/02/moss-single-sign-on-setup-step-by-step.aspx); it gives you flexibility in the future without reconfiguring SSO
  • Follow Robert’s steps (link above) for the basic setup
  • Reference links:
    • http://blogs.msdn.com/b/sharepointdesigner/arcve/2007/08/27/an-introduction-to-single-sign-on-sso-with-data-views.aspx
    • http://technet.microsoft.com/en-us/library/cc262932(office.12).aspx


2 Responses to “SSO Tips”

  1. Wahid said

    Thanks for posting these tips. For me, a lot of confusion came over the name. In SharePoint 2010, it’s now called Secure Store and I think that name is more appropriate. To me, SSO never meant signing on once to SharePoint and having “it” access my other applications; it meant sign on once to my environment/domain and having SharePoint recognize that I’m logged in already.
