Authentication and Security in BCS

Wow, can't believe this is my last session, seems like just yesterday I was doing the first post. It's been an awesome week.

Presented by: Nazeeruddin Mohammed, Lead Program Manager, Microsoft


  • Quick recap of BCS
  • Talk about the context
  • BCS Supported authentication
    • Users Identity vs Impersonation
    • Identity Federation through SAML
    • Identity Delegation

His goal is to explain and demonstrate the different types of authentication supported by BCS to connect to external systems.

4 major pieces in relation to this subject:

  • SharePoint
  • LOB/External services
  • Design Tools
  • Office Applications (BCS Client using the COM)

Cool graph of authentication versions in the slide deck at this point.

User Identity versus Impersonation

  • PassThrough – Uses the logged in users identity and passes it to the external data source
    • Problems with double hops
  • RevertToSelf – Uses the identity of the process that's running the BCS service to access the external data source
  • SSS (Single Signon Service) – Credentials are retrieved from a secure Identity store. It's been improved quite a bit in this release. SSS returns a token back to the BCS process.

Let the demo's begin J

Users Identity and Impersonation

Demonstrating how a double hop doesn't work creating a regular External List. To fixe it he goes back to the External Content Type. He will use a set of credential from SSS to authenticate with SQL.

Adding a credential to the Secure Service Store.

Once a credential is created, then it must have the password set. Set the authentication mode to Impersonate Custom Identity, and then enter the SSS secure ID. When writing things into the BCS store, it is cached. A timer refreshes periodically.

SSS can be used to impersonate an Identity.

Identity Federation Through SAML

Uses a Secure Token Service to get a users SAML token. You can configure it to use another STS, not just the one that is deployed in SharePoint.

There is another piece, the external data source has an STS as well, and they must communicate and share Tokens and verify them, then It gets another token.

Authorization in BCS

  • Rights
    • Edit – create, delete, update metadata objects
    • Execute – call external systems
    • Set Permissions – Give permissions to other users
    • Selectable in Clients – Accesible clients

Identity Delegation

Extending BCS

User is in a browser, and is trying to access data from SharePoint that goes to back end data. User requests data, BDC sends the user to the login page for the security provider (Live Login). Then the provider sends a token back to the application which will allow the user to access the external data.

Cool demo, he's showing how to connect to Netflix through SharePoint.

This is fairly complex, not going to try and take notes.

Another good slide near the very end showing a summary matrix of BCS authentication matrix.