Geeks With Blogs

News This is the *old* blog. The new one is at
Elton Stoneman

The Enterprise Single Sign On database can function as a centralized configuration store, as well as an identity store, which is available to all BizTalk instances in a group, and also to custom .NET apps. For a clear explanation of the benefits and drawbacks of the EntSSO approach (and the alternative options), see Michael Stephenson's post Where do I store my custom configuration for a BizTalk solution.

Here I'll look at overcoming some of the practical issues in developing, deploying and maintaining config in an EntSSO store using another tool I've been using for a while and have recently put onto CodePlex: SSO Config Tool.

The original purpose was to codegen a strongly-typed configuration model that abstracted away the EntSSO store, and made read-only config values available from a static class for expressions:

- or .NET code:

//extract the UDDI config settings:
string uddiUrl = ConsolidatedGyroscope_App1Config.UDDIServerUrl;
uint uddiTimeout = ConsolidatedGyroscope_App1Config.UDDICacheTimeout;

So it does that (if you're looking for an app which just lets you manage SSO stores, have a look at Richard Seroter's Config Application Manager), and it also gives you:

  • a console app to generate the config, and to import/export between EntSSO and an XML config file
  • MSBuild task versions of the console functionality
  • a UI version of the console functionality, which also lets you maintain config settings:

There are a couple of things worth noting here.

Application Settings

These are all mandatory. The Groups specify who has access to read and update the config store settings. Groups must exist at the time you try and save the app to EntSSO, and they cannot be built-in groups or the "Everyone" group (not that you would…). The BizTalk groups are sensible options, so they're the default for the UI.


Field types are limited (by EntSSO) to one of the following built-in types:

  • String
  • Int32
  • UInt32
  • Boolean

The type you select will be emitted as the type of the property in the generated config model. Values are validated against the given type. The Masked option is a little misleading – all entries in EntSSO are encrypted, but if the field is defined as Masked in the config store then you can only retrieve it if you access EntSSO with a specific flag. The generated config model gives itself this permission, so the Masked value has no effect if you only use the config model.


A custom schema is used so I can capture the expected field data type (rather than inferring it) – so it's similar but not compatible with the structure used by ssomanage.

Generated Code

The config model produced by SSOConfigTool uses a couple of helper classes in the SSOConfig namespace. When you generate the model, you can either generate the source code (so you'll have to add the SSOConfig assembly to your app as well as adding the C# class), or a compiled assembly (which contains the configuration model in your selected namespace, and the helper classes in SSOConfig, so you can use it on its own). The API (Microsoft.BizTalk.Interop.SSOClient) should be in the GAC.

Structure is quite basic – there's an SSOApplication class that represents the config store for an application, and the business of wrapping the EntSSO API is done in SSOHelper. The config class uses SSOApplication behind the scenes to get field values, and exposes them as the correct type. The class also exposes a CacheSSOAccess property which determines whether values are fetched from EntSSO on each call, or lazy loaded – it defaults to being lazy loaded (this is a static class so be aware of the thread implications if you're changing this value).
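An added sketch (not the code SSOConfigTool generates) of the caching behaviour described above: a static, typed accessor limited to the four EntSSO field types, whose cache flag can be flipped safely while other threads are reading. `TypedConfig` and the `Fetch` delegate that stands in for the EntSSO read are hypothetical, and the sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
public static class TypedConfig   // hypothetical name, not the generated class
{
    // Stand-in for the EntSSO read (assumption); the real model goes through SSOApplication.
    public static Func<string, string> Fetch = name => null;
    private static readonly object Gate = new object();
    private static readonly Dictionary<string, object> Cache = new Dictionary<string, object>();
    private static bool _cache = true;   // lazy-load and keep values by default
    public static bool CacheSSOAccess
    {
        get { lock (Gate) return _cache; }
        set { lock (Gate) { _cache = value; Cache.Clear(); } }   // never serve values cached under the old setting
    }

    public static T Get<T>(string field)
    {
        lock (Gate)   // flag check, fetch and cache write happen as one step
        {
            if (_cache && Cache.TryGetValue(field, out object v)) return (T)v;
            v = Parse(typeof(T), field, Fetch(field));
            if (_cache) Cache[field] = v;   // a failed fetch or parse throws above and is not cached
            return (T)v;
        }
    }

    private static object Parse(Type t, string field, string raw)
    {
        if (raw == null) throw new KeyNotFoundException("No value for field '" + field + "'");
        if (t == typeof(string)) return raw;
        if (t == typeof(int)) return int.Parse(raw, CultureInfo.InvariantCulture);
        if (t == typeof(uint)) return uint.Parse(raw, CultureInfo.InvariantCulture);
        if (t == typeof(bool)) return bool.Parse(raw);
        throw new NotSupportedException(t.Name + " is not one of the four EntSSO field types");
    }

    public static void Main()
    {
        var store = new Dictionary<string, string> { { "UDDICacheTimeout", "30" } };   // constructed sample
        Fetch = name => store.TryGetValue(name, out var s) ? s : null;
        uint first = Get<uint>("UDDICacheTimeout");
        store["UDDICacheTimeout"] = "60";             // the store changes after the first read
        uint cached = Get<uint>("UDDICacheTimeout");  // served from the cache
        CacheSSOAccess = false;
        uint fresh = Get<uint>("UDDICacheTimeout");   // re-read from the store
        Console.WriteLine("{0} {1} {2}", first, cached, fresh);
    }
}
```

With caching left on, a value changed in the store (a rotated credential, for example) is not picked up until the cache is cleared or the process restarts.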

Some quirks with the EntSSO API are documented here:

For the config tool, the implication is that it creates a dummy field in the config app, but you won't see it unless you look in SSODB.


I've mainly used the UI to create the app in the EntSSO store, then used the MSBuild tasks to extract the app as XML and generate code from it. Alternatively you can use the build tasks to create the SSO store and/or generate code from a saved config file. The sample MSBuild files in the project show these uses.

Work Outstanding

Only a couple of things – firstly the SSO Config Tool (in its various guises) expects the EntSSO store to be available locally, so currently it doesn't allow you to run it from one machine to update SSO on another. The other one is more of an annoying niggle – if you try to open an SSO app from the UI, you'll probably find the dropdown list of available apps empty. This is down to ISSOMapper.GetApplications always returning an empty list, so until I work out why it thinks the user isn't entitled to view them, you'll need to type in the name of the app. Think of it as a security measure.


Posted on Sunday, June 29, 2008 7:41 PM | BizTalk 2006 R2, CodePlex Project, CodeGen

Comments on this post: SSO Config Tool

# re: SSO Config Tool
This is helpful, thanks.
Left by flag poles on Sep 22, 2010 3:37 PM

# re: SSO Config Tool
This is a great article, thanks for sharing this informative information. I will visit your blog regularly for some latest post. Keep sharing your views with us.
Left by data backup solutions on Oct 07, 2010 3:27 AM

# re: SSO Config Tool
I didn't know a tool like this exists. So I built half the way with same functionality as this tool has, rather your tool has more. I am glad I reached your article. Now I don't need to finish my tool.

And it would be great if we can have support for an XML spreadsheet (something like EnvironmentSettingsExporter) where I want to maintain settings for several environments.
Left by Raghava on Oct 14, 2010 5:10 PM

# re: SSO Config Tool
This is a great tool. Thanks for the info! I'll keep checking out your site.
Left by Flag Poles on Nov 22, 2010 8:09 PM

# re: SSO Config Tool
It is used in Microsoft Office SharePoint Server 2007. Using SSO, you can access data from server computers and services that are external to Office SharePoint Server 2007. From within Office SharePoint Server 2007 Web Parts, you can view, create, and change this data.
Left by enigin on Feb 03, 2011 9:40 AM

# re: SSO Config Tool
These days, I used to generate code from a saved config file and didn't use XML extraction. I will try your suggestion in next project.
Left by online statistics course on May 13, 2011 5:32 AM

# re: SSO Config Tool
The subject of this post is very interesting. Really an interesting post you got there, looking forward to seeing more of it, keep it up!
Left by eco friendly tote bags on Jun 02, 2011 5:48 AM

# re: SSO Config Tool
I get the feeling the config tool is stuck in some cache and isn't applying itself enough to search the domain, like a tired teenager, you know?
Left by premature ejaculation on Dec 20, 2011 6:03 PM

# re: SSO Config Tool
Thanks for sharing such a useful information, will be checking out more from yours.
Left by Sanovnik on Jan 29, 2012 4:53 PM

# re: SSO Config Tool
Thanks for the post. Here I found many useful tricks. Recently I had some problems with understanding SSO Config Tool. But your clear article helped to understand some issues.
Left by duty free alcohol on May 03, 2012 7:53 PM

# re: SSO Config Tool
feeling problems with functionality as this This is helpful Recently
Left by ovan on Sep 01, 2012 3:30 PM

Copyright © Elton Stoneman