A long time ago, I commented that I was surprised that the Enterprise Single Sign-on
(ENTSSO) service that came with BizTalk Server 2004 (and SharePoint Portal Server
2003) was so manual: users needed to keep their credentials and mappings updated
by hand, and even then only through some very awkward console applications.
Apparently, however, this scenario was in mind but, I think, not implemented in
the V1 version of ENTSSO that shipped with BizTalk 2004. Password Synchronization
was added to ENTSSO in version 2.0, which came out with Host
Integration Server 2004!
As I understand it, the model around password synchronization is having adapters hooked
into ENTSSO that can notify it when a password change has been made in
Active Directory (or in another system for which an adapter exists), so that ENTSSO
can update the password stored in the Credentials Database (SSODB) and even forward
that notification to other systems so that full synchronization can be done. This feature
is included in the ENTSSO version of BizTalk Server 2006, by the way, though the components
necessary to support it have to be installed explicitly.
The way I ran into this information was while researching the ISSOPSAdmin interface
of the ENTSSO API in the BizTalk documentation, which is the programmatic interface
you can use to configure and manage password synchronization adapters:
    namespace Microsoft.EnterpriseSingleSignOn.Interop
    {
        [InterfaceType(0)]
        [Guid("C35718F9-C35C-4cd4-8978-2B4CE1792F1B")]
        [CoClass(typeof(SSOPSAdmin))]
        public interface ISSOPSAdmin
        {
            void AssignAdapterToAdapterGroup(string adapterName, string adapterGroupName);
            void AssignApplicationToAdapter(string applicationName, string adapterName);
            void ClearDampingTable();
            void ClearNotificationQueues(string adapterName);
            void GetAdaptersForAdapterGroup(string adapterGroupName, out string[] adapters);
            void GetApplicationsForAdapter(string adapterName, out string[] applications);
            void RemoveAdapterFromAdapterGroup(string adapterName);
            void RemoveApplicationFromAdapter(string applicationName);
            void SetAdapterProperties(string adapterName, IPropertyBag properties);
        }
    }
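To show how the interface is actually driven, here is a small added example (my own illustration, not code from the post or from the ENTSSO documentation) that assigns an affiliate application to a password synchronization adapter and then reads the mapping back through GetApplicationsForAdapter to confirm it took effect. The adapter name "ADPasswordSyncAdapter" and application name "MainframeApp" are assumptions; substitute whatever you have configured in your own SSODB. It assumes a reference to the Microsoft.EnterpriseSingleSignOn.Interop assembly installed with ENTSSO and an account that is allowed to administer SSO.

```csharp
// Added example, not part of the original post: a helper around ISSOPSAdmin that
// maps an affiliate application to a password sync adapter and verifies the result.
// Assumed names: "ADPasswordSyncAdapter" and "MainframeApp" are placeholders.
using System;
using System.Runtime.InteropServices;
using Microsoft.EnterpriseSingleSignOn.Interop;

public static class PasswordSyncMapping
{
    // Returns true if applicationName is currently listed for adapterName.
    public static bool IsApplicationMapped(ISSOPSAdmin admin, string adapterName, string applicationName)
    {
        string[] applications;
        admin.GetApplicationsForAdapter(adapterName, out applications);
        if (applications == null)
        {
            return false;
        }
        return Array.IndexOf(applications, applicationName) >= 0;
    }

    // Assigns the application to the adapter only if it is not already assigned,
    // then reads the mapping back instead of trusting that the call succeeded.
    public static void EnsureApplicationMapped(ISSOPSAdmin admin, string adapterName, string applicationName)
    {
        if (IsApplicationMapped(admin, adapterName, applicationName))
        {
            Console.WriteLine("{0} is already assigned to adapter {1}", applicationName, adapterName);
            return;
        }

        admin.AssignApplicationToAdapter(applicationName, adapterName);

        if (!IsApplicationMapped(admin, adapterName, applicationName))
        {
            throw new InvalidOperationException(
                "Mapping not visible after AssignApplicationToAdapter; check the adapter name and SSO permissions");
        }
        Console.WriteLine("Assigned {0} to adapter {1}", applicationName, adapterName);
    }

    public static void Main(string[] args)
    {
        // Placeholder names; pass the real adapter and application on the command line.
        string adapterName = args.Length > 0 ? args[0] : "ADPasswordSyncAdapter";
        string applicationName = args.Length > 1 ? args[1] : "MainframeApp";

        // The CoClass attribute on ISSOPSAdmin lets C# instantiate the COM server directly.
        ISSOPSAdmin admin = new SSOPSAdmin();
        try
        {
            EnsureApplicationMapped(admin, adapterName, applicationName);
        }
        catch (COMException ex)
        {
            // ENTSSO surfaces failures (unknown adapter, caller not an SSO administrator, service
            // stopped) as COMExceptions; the HRESULT is the useful part for the event log.
            Console.Error.WriteLine("ENTSSO error 0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
        }
    }
}
```

The read-back in EnsureApplicationMapped is deliberate: a mapping on a password synchronization adapter decides which affiliate application receives forwarded password changes, so it is worth confirming from the SSODB itself rather than from the absence of an exception.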
You can find out more about ENTSSO and about the password synchronization mechanism
in this MSDN WebCast: Enterprise
Single Sign-on integrated with Microsoft BizTalk Server 2004 and Microsoft Host Integration
Server 2004. It has some good scenarios that show where ENTSSO can be used, as
well as some good demos.