Client SSO in BCS

As you have probably seen by now, BCS lets you use the BCS object model (OM) from client Office applications such as Outlook and SharePoint Workspace. One interesting scenario that comes up is how things behave when the external system is accessed using the SSO service (SSS, the Secure Store Service, in SharePoint 2010). I am sharing my findings based on a test SSO implementation and input from the product team.

In the new architecture, when you synchronize the list to the client computer using the browser, Office client applications use the Windows Credential Manager available on the client to store the credentials used to access the external system. During synchronization, if the client finds from the metadata that the BCS ECT uses the Single Sign-On feature, it displays a dialog asking the end user for the credentials to connect to the external system. It then stores those credentials in the Credential Manager secure store, and every time the application needs to perform an SSO to the external system, it reads the credentials from the store and connects to the external system using SSO.

This stores the credentials securely using built-in features of the Windows OS, and it also enables an interesting scenario where each user can provide his or her own credentials to connect to the external system.

On Windows 7, Windows Credential Manager can be accessed from Control Panel -> User Accounts -> Credential Manager.