Integrating Content & Search Results with SharePoint

How We Built the SharePoint Connector for Confluence - Part 2

Single Sign-on (SSO)
One of the primary goals of the Confluence and SharePoint integration effort was to make sure the products could work together seamlessly, with a minimal number of authentication requests presented to the user. Another goal was to implement this without requiring additional products or intrusive configuration. We chose to use the SSO service that comes with MOSS as the base for SSO functionality and to rely on custom code in the Confluence Web parts and the related Confluence Administrative Settings page.

SSO Overview
Figure 5 and the numbered steps below it provide a high-level view of how SSO works between SharePoint and Confluence.

  1. The client browser will typically be configured with Windows Authentication/NTLM to access SharePoint.
  2. The Confluence Web parts use the default MOSS SSO provider to look up stored credentials for "Confluence."
  3. The Confluence Web parts will use the returned SSO credentials to access a Confluence Web Service to retrieve a list of pages or content for a specific page.
  4. The Confluence page content will return an SSO ticket and related XMLHTTP JavaScript methods to retrieve and forward Confluence SSO credentials from the client to Confluence. This is used for seamless accessibility of images stored in Confluence or when the user clicks links in the Web part that access Confluence.
  5. The Confluence page will begin rendering/processing the XMLHTTP JavaScript methods on the client.
  6. The client will "redeem" the SSO ticket to retrieve SSO credentials and use the credentials to authenticate the client.
  7. The client completes rendering content, including images and links in the context of the SSO credentials.
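
The ticket redemption in steps 4 to 6, sketched from the server's side as an added example (not the connector's code, which this part of the article does not show). It assumes tickets are random, single-use and short-lived; the class and function names, the 30-second lifetime and the sample account are hypothetical.

```javascript
// Added illustration of a one-time SSO ticket store. All names are hypothetical.
const crypto = require('node:crypto');

class TicketStore {
  constructor(ttlMs = 30000, now = () => Date.now()) {
    this.ttlMs = ttlMs;          // assumed lifetime; the article states none
    this.now = now;              // injectable clock so expiry can be tested
    this.tickets = new Map();    // sha256(ticket) -> { user, expires }
  }

  // Only a hash of the ticket is kept, so a dump of the store
  // does not reveal tickets that are still redeemable.
  static digest(ticket) {
    return crypto.createHash('sha256').update(ticket).digest('hex');
  }

  // Step 4: the page carries an opaque ticket instead of the credentials.
  issue(user) {
    const ticket = crypto.randomBytes(32).toString('base64url');
    this.tickets.set(TicketStore.digest(ticket),
                     { user, expires: this.now() + this.ttlMs });
    return ticket;
  }

  // Step 6: the client redeems the ticket. The entry is deleted on the
  // first lookup, whatever the outcome, so a replayed ticket always fails.
  redeem(ticket) {
    const key = TicketStore.digest(String(ticket));
    const entry = this.tickets.get(key);
    this.tickets.delete(key);
    if (!entry) return { ok: false, reason: 'unknown-or-replayed' };
    if (this.now() > entry.expires) return { ok: false, reason: 'expired' };
    return { ok: true, user: entry.user };
  }
}

// Constructed walk-through: normal redemption, replay, expiry, forged ticket.
function demo() {
  let clock = 0;
  const store = new TicketStore(30000, () => clock);
  const t1 = store.issue('CORP\\alice');   // constructed sample account
  const first = store.redeem(t1);
  const replay = store.redeem(t1);
  const t2 = store.issue('CORP\\alice');
  clock += 30001;                          // just past the assumed lifetime
  const late = store.redeem(t2);
  const forged = store.redeem('not-a-ticket');
  return { first, replay, late, forged };
}
```

What the server hands back after a successful redemption (stored credentials or a session) is outside this sketch.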

Microsoft SSO Service
The Microsoft SSO Service provides a way for a user to provide an individual set of credentials to use for back-end service/Web Service impersonation. The individual set of credentials is stored and associated with a user's Windows-based credentials.

Why Did We Choose the Microsoft SSO Service?

  • The SSO Service is built into MOSS and doesn't require additional products.
  • The service immediately provides the ability to pass individual user credentials to the Confluence Web Service. This automatically allows Confluence to trim returned content in the context of the correct user.
  • The service supports the ability to plug in a different/custom SSO provider implementation.

Pros/cons of the Microsoft SSO Service:

| Pros | Cons |
| --- | --- |
| Service and basic SSO provider implementation included with MOSS. | Must use Windows authentication with SharePoint. |
| Simple yet powerful. | Requires credentials to be recaptured and stored in a separate repository (security risk). |
| Pluggable way to replace the out-of-the-box SSO provider; works very well providing credentials to a Web Service. | Note: To eliminate an extra prompt for credentials, SSO credentials can be generated by an automated process. |
| Fairly simple to configure (depending on the server configuration). | Requires additional code for the browser to receive and impersonate credentials. |

SSO Configuration
The following references provided the specific configuration steps required to get the SSO service up and running for a Confluence-SharePoint integration environment. The first two links are the basic Microsoft SSO service reference material. The third link gave insight into the Microsoft SSO service itself and the relationship between service accounts, roles, etc.

  • Start the Single Sign-on Service [9]
  • Manage Settings for Single Sign-on [10]
  • SharePoint 2007 Single Sign-on Setup Blog [11]

SSO Code Samples
The sections below reference the areas of custom code and configuration used to implement a simple SSO solution. Note that some code has been omitted (indicated by "..."). Most of the omitted code is unrelated to SSO functionality and has been left out to avoid confusion and clutter.

More Stories By Kirk Liemohn

Kirk Liemohn is a principal software engineer with ThreeWill. His recent project experience includes Microsoft Office SharePoint Server (MOSS) enterprise search projects as well as a Windows SharePoint Services (WSS) business analysis portal. Kirk manages a SharePoint blog at http://www.implementingsharepoint.com.

More Stories By Chris Edwards

Chris Edwards is a senior software engineer with ThreeWill. His project roles have ranged from development/technical lead to development resource. He is certified as MCSD using Microsoft .NET and as MCTS: SharePoint Services 3.0, Application Development. Chris manages resource links related to WSS at http://wssresourceguide.com.

Most Recent Comments
shirley 03/30/09 04:55:53 AM EDT

We can assist here as we specialise in developing and implementing SharePoint 2007 – that's all we do. There is more information on this at http://www.nsynergy.com or mail to info@nsynergy.com.