SharePoint 2010 Business Connectivity Services Security Best Practices – Introduction

The security architecture of Microsoft Business Connectivity Services server & client supports a secure environment. They allow for the connection of external content types to the system. There are various options for authorization that are stored. The techniques allow for the security of Microsoft Business Connectivity Services to be cultivated. Part of the security for Microsoft Business Connectivity Services includes the process for authentication of users before they can access external systems. This also requires configurations of permission for the data from an external system. You will find that Microsoft Business Connectivity Service is very flexible. As a result it is able to offer a full range of security methods from the Microsoft Office 2010 as well as the web browser.

It is recommended that you use Secure Sockets Layer (SSL) on all of the channels between computers and end servers. You should be using SSL between servers and external systems anyways.

It is possible to use a web browser to successfully access external data. There are three systems involved in this process:

  • The computer a client is logged into
  • The web server farm
  • The external system

The web browser is going to interact with the external data through the use of a series web parts. The server runtime for front end servers use that data to connect and execute the various operations with external systems. The secure store service stores the credential sets for external systems. Those credentials are used to identify certain individuals or groups. The security token service responds when a request for authentication occurs. They are issued by the security tokens that are part of identity claims based on account information. With Microsoft Business Connectivity Services, there are credentials that have to be passed to claims based authentication aware sub-systems.

External data may be accessed from an office client application. This requires both an external system being used and the client being logged into a client computer. The external data can be retrieved through, for example, the use of either Microsoft Word 2010 or Microsoft SharePoint Workspace. With Outlook 2010, users will be able to access external data including tasks or contacts. With SharePoint Workspace 2010 they can use external lists and use them offline. Microsoft Word 2010 users have the ability to insert the external data into Word documents. With office integration, the runtime is the connection between Microsoft Business Connectivity Services that operate on the client and the supported office applications. When the external data is configured to be used with claims based authentication, the client will interact with the security token service at SharePoint in order for a claims token to be retrieved. On client computers, BDC client runtime will use the data from the Business Data Connectivity Service in order to make the connection. This will also be the method for executing the operations for client access on external systems. The cache will store information from the Business Data Connectivity Service. That is necessary for the secure connection to be made to the external data. When cache is refreshed from the SharePoint farm, the information is updated. The Secure Store Service makes it possible for users to configure security credentials. Microsoft Business Connectivity Services has the ability to pass credentials to a database as well as services that are aware of claims.

The configuration of Microsoft Business Connectivity Services can be configured so that it can pass requests for authentication to external systems. This can be done through either credentials or claims.

  • Credentials This is in a format that asks for a name and password. There are external systems that may ask for additional information to validate such credentials such as a PIN.
  • Claims External data is passed to claims aware services through Security Assertion Markup Language (SAML) tickets.

In the next BCS post, we will be discussing these details more in depth. In the meantime, since we are talking about authentication, please see the following posts on the site if you need more authentication info (or the SharePoint security category).