Configuring the Secure Store Service

  • Article

The Secure Store Service (SSS) maintains an encrypted database that maps the identities of SharePoint users, groups, or process accounts to the external credentials required to access external systems. When the Business Data Catalog (BDC) needs to impersonate external credentials to access a data source, it passes the identity of the caller to the SSS. The SSS then returns the external credentials that are mapped to the identity of the caller.

Within the SSS, credentials mappings are organized by target applications. A target application represents an external system or data source, and includes a unique target application ID. When the BDC requests a set of credentials from the SSS, it specifies the target application ID so that the SSS knows which credential mapping to retrieve.

In the external list reference implementation, we created a target application to represent the Vendor Management system. Within this target application, we mapped the identity of the user code proxy service to the external credentials required to access the Vendor Management system. To enable users to access the external lists from outside a sandboxed application, we also mapped individual user identities to the external credentials required to access the Vendor Management system. This is illustrated by the following diagram.

Configuring a target application in the Secure Store Service

Ff798456.5fee9541-0c5c-44c0-9f8b-29a5145b228a(en-us,PandP.10).png

In the external list reference implementation, the install script configures the SSS and creates a target application that you can use. If you want to create your own target application, you can use the following procedure.

To create a target application in the Secure Store Service

  1. In the Central Administration Web site, click Application Management, and then click Manage Service Applications.

  2. On the Manage Service Applications page, click Secure Store Service.

  3. On the ribbon, in the Manage Target Applications section, click New.

  4. On the Create New Secure Store Target Application page:

    1. Set the Target Application ID to SPGVM.
    2. Set the Display Name to SPG Vendor Management Application.
    3. Provide a contact e-mail address.
    4. Under Target Application Type, select Group as shown in the following illustration. Click Next.

    Ff798456.1ff9e6ac-4906-4d21-a1c3-6c1f49f07ff6(en-us,PandP.10).png

    Note

    Note: A target application type of Group indicates that you want to map multiple identities to a single set of credentials.

  5. On the next page, leave the credential fields set to Windows User Name and Windows Password, and then click Next.

  6. On the next page, in the Target Application Administrators text box, add your administrative account.

  7. In the Members text box, add the user code proxy service account and any user accounts or groups that require access to the external system, and then click OK. See the following illustration.

    Ff798456.b1a5e9e7-c92e-449b-9a4d-1414bdca67ed(en-us,PandP.10).png

  8. On the Secure Store Service page, on the SPGVM drop-down list, click Set Credentials, as shown in the following illustration.

    Ff798456.98d29662-b91c-4734-830b-7a2a38db3f32(en-us,PandP.10).png

  9. On the Set Credentials for Secure Store Target Application page, provide the credentials that are required to access the external system, and then click OK. Ff798456.cb27eeb3-1104-4d76-be3f-7d012b490f7f(en-us,PandP.10).png