Configure BCS to use secure Store service

ArticleDirectory

• Secure Store service)

This article is a continuation of the BCS Authentication Mode in SharePoint 2010.

Secure Store service)

The Secure Storage Service provides the ability to store various logon creden。 (including usernames and passwords, keys, PIN codes, and general identity strings. In a Security Service ApplicationProgram(Secure service application), you can design its architecture to meet the information required for various verification. This architecture usually includes at least two string fields: user name and password, or Windows user name and Windows Password.

In a specific security service application, you can map creden at the user or group level. This credential is used to connect the user or all users in the group to the database. You can use federated, delegated, or impersonated to connect to the backend data source. When connecting to the enterprise's core business system, the BCS Runtime Engine extracts the mapped creden。 from the secure storage service and passes them to the data source.

If you do not have a secure storage service application, create one first. You can use the application management in the management center to manage service applications ". On this page, click secure Store service under the new button in the functional area to create the service. As shown in:

[Click an image to view the large image]

The secure storage service stores highly sensitive data and therefore must be encrypted. Before configuring an application, you must register a key to encrypt the credential database. Click Generate new key in key management in the functional area. This key is generated based on a pass phrase. Make sure that you keep this phrase safe.

[Click an image to view the large image]

Then you can create a security storage target application. In a series of steps for setting the target application, we can design an architecture that passes the verification information that needs to be sent to the data source.

[Click an image to view the large image]

Specify the credential field for the security storage target application

[Click an image to view the large image]

Specify the target English Language Program Administrator

[Click an image to view the large image]

After creating the target application, you can use the drop-down menu of the application to set creden. You can also click set in the credential Group of the functional area. Here is the interface for the Administrator to enter creden。 for the user. Creden can also be input by the corresponding user, which will be mentioned later.

[Click an image to view the large image]

Go to the creden data page and enter creden.

[Click an image to view the large image]

The last thing to do is to configure our external content type to use the ID of the security storage target application.

The office client application uses the Single Sign-On function through an application named credman. However, you need to configure it on the client machine. This program allows users to store creden。 such as common service account passwords. SharePoint Workspace and outlook are most likely to use the Single Sign-On function.

 

After you have configured the secure storage service, in SharePoint designer, you need to select "connect with a simulated Windows logo" and enter the ID of your secure storage application.

SharePoint designer may need to enter user creden。 for verification when using secure storage service to connect to the data source for the first time.

If the Administrator does not specify creden。 for the user, a new creden。 is displayed on the SharePoint page. As shown in:

After you enter the correct creden。, you can obtain the data. When the user enters this page again next time, because the credential database already has the corresponding creden。, BCS will directly pass the creden to the data source, and the user can directly obtain the data.

[Click an image to view the large image]

 

 

Other types of authentication are supported, as well as declaration-Based Federated authentication ). This method allows the WCF web service to transmit creden。 to a secure key service (secure token service), which can be either a Sharepoint security key service or a third party. Then, you can perform verification based on the declaration of the corresponding identifier. For example, you may be verified because you are over 18 years old (or because of an attribute value somewhere in your user configuration file. A saml key is automatically generated and transmitted to the backend database. More information about Alliance verification will be discussed in a later article.

 

References

BCS secure store services