To understand why you would want to use Single-Sign-On (SSO) Service with MashPoint, please refer to this article.
How to install and configure SSO for MashPoint
To install and configure SSO for use with MashPoint, download the MashPoint .ZIP (which includes the SSOSetup file) and follow the appropriate instructions below, based on whether you are installing SSO on MOSS or WSS. Make sure to follow these steps:
- If you are upgrading from a previous beta version, make sure to uninstall all beta Web Parts and MashPoint. To uninstall, follow the procedure outlined here.
- Install MashPoint Beta 2. You must install MashPoint before you install the Bamboo SSO service. The correct sequence for installing MashPoint and its related products is:
  - Install MashPoint platform.
  - Install MashPoint Runtime component.
  - Install any Bamboo SSO Services.
  - Install other optional Bamboo Web Parts.
- Install Bamboo SSO Services (this guideline).
How to install and configure MashPoint SSO in WSS
- Extract the SSO services .zip files into a folder and run the installer that matches your server: SsoSetup.x64.msi for a 64-bit server or SsoSetup.x86.msi for a 32-bit server.

- Select the appropriate program folder.

- If you are installing on Vista or Win2008, be advised that there is a known issue with the installer, and you might see this message:

This happens because of the User Access Control (UAC) feature of Windows Vista and Windows 2008 server. On these two operating systems the installer has to run at an elevated level: the MSI Custom Actions, which use impersonation by default, require administrative privileges and fail to run without them.
To get around this problem, you can either temporarily disable UAC or follow these steps:
Open a command window as Administrator: in Start->All Programs->Accessories, right-click Command Prompt and select Run As Administrator.

Manually register the Bamboo SSO Service with WSS from the elevated command prompt: change your directory to [drive:]\program files\Bamboo Solutions Corporation\SSO\ and run "Bamboo.SSOService.exe /install".

- You will then have the Bamboo SSO service listed under your services.

- The next step is to activate this feature in Central Admin. Under Site Settings, select Site Collection Administration->Site Collection Features.

- To configure the account for the Bamboo SSO Service, go to Central Admin, Operation Tab, and select Security Configuration->Service accounts.

Select the Bamboo Solutions SSO Service. If you don't see the Bamboo SSO Services, go back to step 4 above to make sure that the service is started and running properly. The SSO services account must meet these requirements:
- It needs to be a domain user account.
- It must be a member of the local Administrators group on the master secret server (this is the first server on which you start the Bamboo Single Sign-On service).
- It must be a member of the Security Administrators role and db_creator role on the server running SQL Server.
- Once the SSO service is running, you should now be ready to configure the Bamboo SSO. You should see a Manage settings for Bamboo SSO menu under the Security configuration in the Central Admin page:

- Select Manage settings for Bamboo SSO, then click on Manage server settings.

- Next, you need to set up the service accounts that are used to administer the SSO database server.

On this screen, you need to fill in the domain access accounts that are used to manage the SSO service, and an access account or group that can access and edit the SSO application definitions.
In the Enterprise Application Definition Administrator Account section, in the Account name box, type the account name of the group or user who can set up and manage enterprise application definitions. Type the name by using the form domain\group or domain\username.
Note: The enterprise application definition administrator account can manage credentials of an SSO enterprise application definition, including changing the password of a group enterprise application definition, and changing or deleting credentials for an individual enterprise application definition.
The user or group that you specify must be the following:
- Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
- A member of the Reader SharePoint group on Central Administration.
In the Database Settings section, in the Server name box, type the NetBIOS name of the Single Sign-On database server (for example, computer_name or computer_name\SQL_Server_instance). Do not type the fully qualified domain name.
In the Database name box, enter the name of the Single Sign-On database server.
In the Time Out Settings section, in the Ticket time out (in minutes) box, type a value for how many minutes must pass before a Single Sign-On ticket expires. The time-out should be long enough to last between the time that the ticket is issued and the time that the enterprise application redeems the ticket. Two minutes is the recommended value.
- Once you have completed the server setup, you should be able to start to define and build your SSO definition. For an example of how to configure and test Bamboo SSO, refer to this online article.
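
The service registration and the service account requirements described above can be checked from PowerShell on the master secret server. This is an added example, not Bamboo's code: it assumes the service's display name contains "Bamboo" and "SSO", and it reads the Security Administrators and db_creator roles as SQL Server's securityadmin and dbcreator fixed server roles.

```powershell
# Added example (not Bamboo's code). Run on the master secret server.
# Assumption: the service display name contains "Bamboo" and "SSO".

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DomainAccount([string]$Account) {
    # True only for DOMAIN\user where DOMAIN is neither this machine nor a built-in authority.
    $notDomain = @('.', $env:COMPUTERNAME, 'NT AUTHORITY', 'NT SERVICE', 'BUILTIN')
    if ($Account -match '^(?<dom>[^\\]+)\\[^\\]+$') {
        return ($notDomain -notcontains $Matches['dom'])
    }
    return $false
}

function Test-LocalAdmin([string]$Account) {
    # Direct members of the local Administrators group only;
    # membership through a nested domain group is not expanded.
    $wanted = 'WinNT://' + ($Account -replace '\\', '/')
    $group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $paths  = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    return ($paths -contains $wanted)
}

function Get-BambooSsoReport {
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName LIKE '%Bamboo%SSO%'" |
        Select-Object -First 1
    if (-not $svc) {
        Write-Warning 'Service not registered: run "Bamboo.SSOService.exe /install" from an elevated prompt.'
        return
    }
    $login = $svc.StartName -replace "'", "''"   # escape quotes for the T-SQL literal
    New-Object PSObject -Property @{
        Service       = $svc.DisplayName
        State         = $svc.State                # expected: Running
        LogonAccount  = $svc.StartName
        DomainAccount = Test-DomainAccount $svc.StartName
        LocalAdmin    = Test-LocalAdmin $svc.StartName
        # Run this on the SQL Server: 1 = member, 0 = not a member, NULL = unknown login.
        SqlRoleQuery  = "SELECT IS_SRVROLEMEMBER('securityadmin', N'$login'), IS_SRVROLEMEMBER('dbcreator', N'$login');"
    }
}

if (-not (Test-Elevated)) { Write-Warning 'This prompt is not elevated; the /install step needs Run As Administrator.' }
Get-BambooSsoReport | Format-List
```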

Posted Jul 31 2008, 02:09 PM by Jonas Nilsson