SSO Administration Bug with Ticket Time-out

I discovered a presentation bug in the SSO Administration console today, regarding the display of the ticket time-out value.

The Enterprise Single Sign-On works in the following way:
1. You request a ticket, the SSO issues a ticket for you. The ticket is time-stamped.
2. You use the ticket to get a user name and password for it, for a specific affiliate application. This is called “redeeming” the ticket. If the ticket is no longer valid, an exception is thrown.
3. Use the user name and password.

In BizTalk, all of this is handled by the adapters for you. You only specify the affiliate application name in your port bindings, request a ticket in the receive pipeline, configure the SSO, and, voilà!, the port logs in as specified.

The ticket validity period has a default value in the server settings, which can be overridden for each affiliate application. The bug is that the SSO Administration console does not read the server value when viewing or setting properties for an affiliate application; instead, it uses a factory default of 2 minutes as the default value.

Consequences

The consequences are:

  • If you use the factory settings as default value (2 minutes), no worries. Works as designed.
  • If you have set the default value to something other than 2 minutes:
    1. The settings for an affiliate application will display 2 minutes if you haven’t customized it.
    2. You cannot customize an affiliate application to exactly 2 minutes.
    3. To reset a customized affiliate application to the default, set it to 2 minutes.
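
The consequences above can be reproduced with a small model, added here as an illustration; it is not BizTalk or SSO code. It assumes the console treats an entered value equal to the factory default as "not customized", which is what consequences 2 and 3 imply. All names and the 30-minute server default are constructed. The `audit` function lists the applications whose displayed ticket lifetime differs from the one actually enforced.

```python
from dataclasses import dataclass
from typing import Optional

FACTORY_DEFAULT_MIN = 2  # factory default the console falls back to (from the post)

@dataclass
class AffiliateApp:
    name: str                           # constructed sample names only
    override_min: Optional[int] = None  # assumption: None means "inherit server default"

def effective_timeout(app, server_default_min):
    """Ticket lifetime in minutes that is enforced at redeem time."""
    return server_default_min if app.override_min is None else app.override_min

def console_display(app):
    """Modelled console view: shows the factory default, not the server value."""
    return FACTORY_DEFAULT_MIN if app.override_min is None else app.override_min

def console_save(app, entered_min):
    """Modelled console save: entering the factory default clears the override."""
    app.override_min = None if entered_min == FACTORY_DEFAULT_MIN else entered_min

def ticket_valid(issued_at_s, now_s, app, server_default_min):
    """True while a time-stamped ticket can still be redeemed."""
    return now_s - issued_at_s <= effective_timeout(app, server_default_min) * 60

def audit(apps, server_default_min):
    """List (name, displayed, enforced) where the console misstates the lifetime."""
    rows = [(a.name, console_display(a), effective_timeout(a, server_default_min))
            for a in apps]
    return [r for r in rows if r[1] != r[2]]

if __name__ == "__main__":
    apps = [AffiliateApp("HR"), AffiliateApp("ERP", override_min=5)]
    for name, shown, enforced in audit(apps, server_default_min=30):
        print(f"{name}: console shows {shown} min, tickets live {enforced} min")
```

With a server default of 30 minutes, a ticket for an uncustomized application is still redeemable after 10 minutes even though the console shows a 2-minute time-out.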
