The Secure Store Service is an authorization service that runs with an application server. It provides a database that credentials can be stored in. Such credentials consist of a user identity and password. Sometimes, they also have other fields that you can choose to define for each user as well.
For example, with SharePoint Server 2013, it is possible for the Secure Store database and credentials for retrieval to be used to access external sources of data. The Secure Store Service provides support for being able to store multiple sets of credentials for various back end systems.
The following scenarios are offered through Secure Store:
- Excel Services Provides access to external data sources in published workbooks. This can be a substitute for passing the credentials of a user to the data source. This process will require Kerberos delegation to be configured in most instances. Excel Services also requires Secure Store for that configuration to be an unattended service account relating to data authentication.
- Visio Services Provides access to external data sources with published data connected diagrams. This can be a substitute for passing the credentials of a user to the data source. This process will require Kerberos delegation to be configured in most instances. Visio Services requires Secure Store for that configuration to be an unattended service account to data authentication.
- Performance Point Services Provides access to external data sources. Performance Point Services requires Secure Store for that configuration to be an unattended service account to data authentication.
- PowerPivot Requires Secure Store in order for PowerPivot workbooks to be refreshed according to a schedule.
- Microsoft Business Connectivity Services Able to use Secure Store for mapping the users credentials to a set of credentials for an external system. It is possible to map each user’s credentials to a unique account on the external system. The other option is to map a set of authenticated users to a single group account. With Business Connectivity Services, you can also use Secure Store to store the certificates for accessing an on premise data source via SharePoint online.
- SharePoint Runtime The Secure Store is used to also store credentials that are needed for communication with Azure services. Any of the user apps that require SharePoint Runtime will have a provision that they can use Azure Services.
To prepare for deploying the Secure Store Service, you will need to follow some very important guidelines:
- Run the Secure Store Service separately as an application pool that isn’t being used for any other services.
- Create the Secure Store database with a separate application server that is running SQL server. Don’t use the same SQL Server installation that you do for your databases of content.
- Prior to generating a new encryption key, make sure you back up the Secure Store database. You should do this as soon as you create it, and then every single time that you re-encrypt your credentials. When a new key gets generated, the credentials have to be re-encrypted. Should the key refresh fail, the credentials can be used.
- Don’t store the backup media for the encryption key in the same location at the backup media for the Secure Store database. When a user obtains a copy of both the database and the key, the credentials that are stored in the database can be compromised.
A target application allows for a collection of information that map users to a set of encrypted credentials. They are stored in the Secure Store database. Target applications will contain all of the following information once you have defined it:
- Is it an individual or group mapping?
- What fields will be stored in the Secure Store Database? Windows Username and Windows Password are the default but you can add extra fields in most of the applications.
- Which users have permission to administer the target application?
- What is the name of the individual or group that you are mapping credentials for?
All target applications have a unique application ID that you will define. It is used for referencing the target application from external applications. They can include SharePoint Designer and Excel Services.
Secure Store Service offers support for individual and for group mapping. With a group, every user that is a member of a specified domain group will be mapped to the same set of credentials. With individual mapping, each of the individuals will have a unique set of credentials assigned to them. Individuals mapping is used when you need login information about an individual user and their access to shared resources.
With group mapping, a security layer will map the credentials for multiple domain users. This is done against a single set of credentials. They get stored in the Secure Store database. Group mapping is easier to maintain than individual mapping. They can also offer better overall performance.
Secure Store Service offers a claims aware service for accepting security tokens. It also decrypts those tokens in order to get to the application ID. Next, it will perform the lookup. When SharePoint Sever 2013 Preview STS issues a security token, the response for authentication request is to decrypt that token and then to read the application ID value. The Secure Store Service will use the application ID to retrieve the credentials from the secure store database. These credentials will then be used to authorize access to resources.