MOSS SSO Stuff...

Lately I’ve been spending time configuring and demonstrating MOSS SSO functionality, as well as clarifying some misperceptions. Numerous questions have popped up, but one that I get all the time…

Q: Does MOSS 2007 Single Sign-On work with non-windows types of authentication (FBA, LDAP, SQL...)?

A: The OOTB SSO Service that comes with MOSS requires Windows authentication (for info go here), and therefore will not work with other forms of authentication. Writing a custom SSO provider is the correct way to solve this problem. Let’s discuss this in more detail.

MOSS SSO has 2 parts: 1) an OOTB SSO implementation, and 2) a pluggable architecture that provides a mechanism for plugging in custom providers. The OOTB SSO implementation maps stored credentials to an already authenticated user so that the user can access other resources. For this mapping to occur, the logged-on user’s Windows identity is used by the SSO object model as part of the credential retrieval process. So if you are using a non-Windows form of authentication, then you will have to write your own custom provider and register it. Look here for some details on creating your own provider. I have been playing with custom providers lately and I’ll tell you that building a production-ready provider is not for the faint of heart. I'll stick to playing...

Oh, one other thing to keep in mind: MOSS SSO and Web SSO are NOT the same thing, no matter how often you hear the two used interchangeably. Web SSO is one of the OOTB user authentication options provided by WSS, the others being Windows authentication and forms authentication. Web SSO is most commonly associated with federated identity management systems such as ADFS.

</steve>