Extending SSO – CAS in Luminis

Presented by: Zachary Tirrell, Plymouth State University

SunGard Summit 2007 (sungardsummit.com): A Community of Learning

March 19, 2007, Course ID 455


Introduction

• Purpose: Show how CAS can be used to extend SSO services in Luminis

• Benefits of the session
  • Gain a new tool in your development toolkit
  • Secure and SSO to more applications
  • Start using CAS, immediately


Topics of Discussion

• Overview of Plymouth State University

• What is CAS?

• How is CAS useful?

• Where is CAS not useful?


Plymouth State University Overview

• Small town Plymouth in northern New Hampshire

• 4000 FTE undergraduates, 500 FTE graduates

• Small class sizes

• Growing distance education program

• High demand for web delivered services

• Expectation to serve all constituents

• Tight knit, collaborative community


What is CAS?


A bit about CAS

• Created by Yale, became a JA-SIG project in 2004

• Added as an installable module to Luminis in 2004

• From the JA-SIG site:
  • An open and well-documented protocol
  • An open-source Java server component
  • A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
  • Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
  • Community documentation and implementation support
  • An extensive community of adopters


What CAS is not…

Slide from Susan Bramhall of Yale University’s presentation on uPortal Security and CAS: http://www.ja-sig.org/wiki/pages/viewpageattachments.action?pageId=1216


So what is it??

Slide from Susan Bramhall of Yale University’s presentation on uPortal Security and CAS: http://www.ja-sig.org/wiki/pages/viewpageattachments.action?pageId=1216


How do I put CAS in Luminis?

• This is the best part… it’s a simple module install in Luminis III.2+ and is simply available in IV

• Read Appendix D of the Luminis Installation Guide

• Less than 8 pages!


API vs Server Based CAS Services

• API-Based (what PSU does)
  • ESUP’s phpCAS (http://esup-phpcas.sourceforge.net/)
  • Also available in ASP, JSP, Java, Perl, and more!

• Server-Based (better practice)
  • AuthCAS Apache module (http://www.ja-sig.org/products/cas/client/authcas/index.html)


How is CAS useful?

CAS is ideal for homegrown applications or Third Party CAS-ified applications


A simple bit of PHP

    <?php

    function casify()
    {
        // import phpCAS lib (http://esup-phpcas.sourceforge.net/)
        include_once($GLOBALS['INCLUDES'].'/cas/CAS.php');

        // initialize phpCAS
        phpCAS::client(CAS_VERSION_2_0,'luminis.institution.edu',443,'cp/cas/');

        // check CAS authentication
        // (later phpCAS releases name this call phpCAS::forceAuthentication())
        phpCAS::authenticateIfNeeded();

        // at this step, the user has been authenticated by the CAS server
        // and the user's login name can be read with phpCAS::getUser().

        return phpCAS::getUser();
    }


    $username = casify();

    // nothing past the execution of casify() would occur without acquiring a valid CAS ticket

    ?>
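What the CAS 2.0 protocol requires of a client during the authentication call on this slide, written out as an added example (it is not the presenter's code and not phpCAS's implementation). The function names, the application URL `https://app.example.edu/index.php` and the sample XML responses are constructed for illustration; the host, port and `cp/cas/` path come from the slide, and `login` and `serviceValidate` are the standard CAS 2.0 endpoints.

```php
<?php
const CAS_NS   = 'http://www.yale.edu/tp/cas';                  // CAS 2.0 XML namespace
const CAS_BASE = 'https://luminis.institution.edu:443/cp/cas/'; // host, port, path from the slide

// Where the browser is redirected when the request carries no ticket.
function cas_login_url(string $service): string {
    return CAS_BASE . 'login?service=' . rawurlencode($service);
}

// What the application fetches server to server to validate a ticket.
// The service value must be identical to the one sent to /login.
function cas_validate_url(string $service, string $ticket): string {
    return CAS_BASE . 'serviceValidate?' . http_build_query(
        ['service' => $service, 'ticket' => $ticket], '', '&', PHP_QUERY_RFC3986);
}

// Parse a /serviceValidate body. Returns the username only for a well-formed
// authenticationSuccess; every other input fails closed with null.
function cas_user_from_response(string $xml): ?string {
    $prev = libxml_use_internal_errors(true);      // keep parse warnings out of the page
    $doc  = new DOMDocument();
    $ok   = $xml !== '' && $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement->namespaceURI !== CAS_NS
             || $doc->documentElement->localName !== 'serviceResponse') {
        return null;                               // not a CAS response at all
    }
    if ($doc->getElementsByTagNameNS(CAS_NS, 'authenticationFailure')->length > 0) {
        return null;                               // explicit rejection by the server
    }
    $success = $doc->getElementsByTagNameNS(CAS_NS, 'authenticationSuccess');
    if ($success->length !== 1) return null;
    $users = $success->item(0)->getElementsByTagNameNS(CAS_NS, 'user');
    if ($users->length !== 1) return null;
    $user = trim($users->item(0)->textContent);
    return $user !== '' ? $user : null;
}

// Constructed sample responses (not captured from a real server).
$good = "<cas:serviceResponse xmlns:cas='" . CAS_NS . "'><cas:authenticationSuccess>"
      . "<cas:user>jdoe</cas:user></cas:authenticationSuccess></cas:serviceResponse>";
$bad  = "<cas:serviceResponse xmlns:cas='" . CAS_NS . "'><cas:authenticationFailure "
      . "code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure></cas:serviceResponse>";

$service = 'https://app.example.edu/index.php';    // hypothetical application URL
echo cas_login_url($service), "\n";
echo cas_validate_url($service, 'ST-constructed-1'), "\n";
var_dump(cas_user_from_response($good));
var_dump(cas_user_from_response($bad));
var_dump(cas_user_from_response('<html>proxy error page</html>'));
```

The application never sees the user's password: it only receives a one-time ticket in the query string and trusts the username after the CAS server confirms that ticket over HTTPS.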


Power in Simplicity

• Simple. CPIP and GCF are complicated, CAS is not. Any developer can put CAS in place in their homegrown application with a simple copy and paste

• Friendly URLs. A URL to a CASified application is generally very simple, especially as opposed to CPIP…

• Blissful Ignorance. It is not necessary for everyone who secures an application with CAS to fully understand the protocol, yet the security is still solid

• Speed. In one week of running CAS we converted over a dozen applications to use it as the sole way to authenticate

• Reliability. In two years of running CAS, it has never failed


If that’s not enough…

• CAS is a modern WebSSO technology

• CAS will be the underlying WebSSO that powers the Luminis implementation of Shibboleth in Luminis IV (unconfirmed but very likely)

• CAS has a large community of schools using it. In fact, it is the most popular WebSSO technology

• CAS is open-source


Solving WebCT SSO in CE 6 With CAS

• SunGard Higher Education did not support WebCT for SSO when we were ready to deploy CE 6

• Read WebCT’s guide for Custom SSO

• Adapted their PHP example to use CAS in less than 100 lines of code, in an afternoon

• Launched on time!

[Diagram: Luminis (CAS mod), the WebCT-provided PHP file, and WebCT; arrows labeled "Username request", "Username", and "SSO".]


Where is CAS not useful?


CPIP/GCF Can Do More

• CPIP/GCF is complicated, CAS is not

• CPIP/GCF can do password caching

• No session management

• If a Third Party application requires a password, CAS cannot provide this without fairly advanced proxying
  • Examples of these application types may include:
    • webmail systems (though a solution does exist)
    • ftp/sftp/smb backed web interfaces (smbwebclient)
    • Third party applications that will LDAP auth, but are not CAS-ified


Summary

• CAS is super easy and secure!

• CAS is common, easy to support, open, and available now

• If you run Luminis and do any custom web application development, CAS should be part of your development toolkit.

• CPIP/GCF still has its place


Zachary Tirrell

Please complete the online class evaluation form. Course ID 455

SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners.

© 2007 SunGard. All rights reserved.

Thank You, Questions & Answers