Pennsylvania Banner Users Group
2010 Fall Conference
SSO to Blackboard
Utilizing Luminis' CAS
Melissa Miller, Manager, Web Applications
La Salle University Philadelphia, PA
Alicia Stonesifer, Manager, Instructional Systems
General Announcements:
Please turn off all cell phones/pagers
If you must leave the session early, please do so as discreetly as possible
Please avoid side conversations during the session
Questions will be answered after the presentation
Thank you for your cooperation
La Salle University
La Salle is a Catholic University founded by the Christian Brothers in Philadelphia in 1863.
Three campuses: North East Philadelphia, Bucks County and Montgomery County
Recent expansion projects
◦ The acquisition of Germantown Hospital for the School of Nursing and Health Sciences
◦ The expansion of Roland Holroyd Science Center to include environmentally friendly laboratories, classrooms, and lounges
La Salle University
The University student body of 7,500 students includes
◦ 3,400 full-time undergraduates
◦ 1,400 part-time undergraduates
◦ 2,700 graduate and doctoral students.
Enrollment has grown 16 percent in the past 10 years.
Students come from 44 states and 27 foreign countries
Two-thirds of undergraduates live on campus
Agenda
What is CAS?
Luminis’ CAS
Blackboard SSO
WHAT IS CAS?
CAS
Central Authentication Service
CAS is an authentication system originally created by Yale University.
It provides a trusted way for an application to authenticate a user without the application ever handling the user's password.
CAS
CAS involves three components: a client web browser, the web application requesting authentication, and the CAS server.
The client visits an application, and the application redirects it to CAS.
CAS validates the client's authenticity.
CAS
If the authentication succeeds, CAS returns the client to the application, passing along a security ticket.
The application validates the ticket by contacting CAS over a secure connection.
CAS passes back information about whether the client has been successfully authenticated.
LUMINIS CAS
Luminis CAS
“Yale CAS 2.0 is integrated by default with Luminis IV, and will issue tickets recognized by CAS-enabled clients.”
http://www.yale.edu/tp/cas/
Can be locked down to only trust specified services or applications
Usernames or Immutable IDs can be used
See Appendix B in Luminis IV install guide for more details and Parallel deployment settings
Luminis CAS Example
1. User logs into Luminis Portal and clicks a link or icon, which sends the browser to CAS with a "Service ID".
2. CAS returns a ticket and a cookie.
3. Browser redirects to the "Service" with the ticket.
4. The service validates the ticket with CAS (ticket validation).
5. If the ticket is valid, then continue to the application.
[Diagram: Luminis, CAS, Web Service (Blackboard); steps 1 to 5; ticket validation]
BLACKBOARD 9 SSO
Blackboard 9 SSO
Asked BB community for help
Pointed to oscelot.org
Downloaded AutoSignOn 1.0 by Mark O'Neil
◦ http://projects.oscelot.org/gf/project/autosignon/frs
Blackboard 9 SSO
Install as Building Block
Configure
◦ A Building Block file (sessionservice.class) was modified to use Username instead of Batch_UID.
◦ loadByBatchUid changed to loadByUserName.
Blackboard 9 SSO
BB is now listening for the SSO Request
Minimum URL for Request is:
http://<host>/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp=<unix_epoch_time>&userId=<ubatch_uid>&auth=<mac>
So the variables we need are (info from AutoSignon Admin Guide):
<host> The hostname/port of the Learn server.
<unix_epoch_time> The timestamp in Unix epoch format
<mac> A generated Message Authentication Code
<ubatch_uid> On integrated systems, the user’s Batch Uid is equivalent to the Snapshot external person key.
The Batch Uid of users created through the Learn GUI will be the same as their username.
Blackboard 9 SSO
Our Task: Write some code to build the URL
Step 1: Need to grab Username
We used phpCAS client
◦ Free, easy install
◦ Installation & Usage Instructions at https://wiki.jasig.org/display/CASC/phpCAS
◦ Also clients for .NET, JAVA, VBSCRIPT, PERL…
Next, phpCAS Sample
<?php // phpCAS simple client
include_once('CAS.php'); // import phpCAS lib
phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0,'sso-cas.univ-rennes1.fr',443,''); // initialize phpCAS
phpCAS::setNoCasServerValidation(); // no SSL validation for the CAS server (testing only;
// a production client should validate the server certificate with phpCAS::setCasServerCACert())
phpCAS::forceAuthentication(); // force CAS authentication
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
if (isset($_REQUEST['logout'])) {phpCAS::logout();} // logout if desired
// for this test, simply print that the authentication was successful
?>
<html>
<head> <title>phpCAS simple client</title></head>
<body> <h1>Successful Authentication!</h1>
<p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>
Blackboard 9 SSO
We use phpCAS to force the user to sign in to our portal if they have not already.
Once authenticated, phpCAS::getUser() grabs the user's Portal ID, which is the same as their Blackboard User ID:
$userId = phpCAS::getUser();
Blackboard 9 SSO
Next, we generate the Unix time stamp
function msTimeStamp() {
// milliseconds since the Unix epoch
return round(microtime(true) * 1000);
}
$timestamp = msTimeStamp();
Blackboard 9 SSO
Next, we generate the MAC
In the AutoSignOn guide we are given the following:
PHP Example, Secure Algorithm:
/* Calculates a MAC (message authentication code) from an array of strings and a secret.
Sort request parameters alphabetically by parameter name first, then pass values of
sorted parameters and shared secret to calculateSecureMac */
function calculateSecureMac($params, $secret) {
$data = implode('', $params); // concatenate param values
// get md5 of concatenated param values and secret
$mac = md5($data . $secret);
return $mac;
}
Blackboard 9 SSO
Set Shared Secret
In Building Block:
In Our Code:
// Shared Secret
$secret= '12345'; // associated password
Blackboard 9 SSO
Given the sample, we built this:
$params = array($timestamp, $userId);
function calculateSecureMac($params, $secret)
{
// concatenate param values
$data = implode('', $params);
// get md5 of concatenated param values and secret
$mac = md5($data . $secret);
return $mac;
}
$mac = calculateSecureMac($params,$secret);
Blackboard 9 SSO
So We Have…
◦ HOST
◦ USERID
◦ TIMESTAMP
◦ MAC
Finally, build URL and redirect
//redirect to site with required parameters
header('Location: https://bb.myschool.edu/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp=' . $timestamp . '&userId=' . $userId . '&auth=' . $mac);
exit; // stop processing once the redirect has been sent
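As an added example (not the presenters' code, not phpCAS and not the AutoSignon Building Block), the same URL construction in Python, paired with the receiver-side check that the Blackboard end has to perform. The MAC algorithm is the one the slides quote from the AutoSignon guide; the five-minute freshness window, the constant-time comparison and the sample host, user and secret are assumptions and constructed values.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (placeholders, not real credentials); the secret must
# match the shared secret configured in the AutoSignon Building Block.
HOST = "bb.myschool.edu"
SECRET = "12345"
AUTOSIGNON_PATH = "/webapps/bbgs-autosignon-BBLEARN/autoSignon.do"


def calculate_secure_mac(params, secret):
    """Algorithm from the AutoSignon guide as reproduced on the slides: sort the
    parameters by name, concatenate their values, MD5 the result plus the secret."""
    data = "".join(params[name] for name in sorted(params))
    return hashlib.md5((data + secret).encode("utf-8")).hexdigest()


def build_autosignon_url(host, user_id, secret, timestamp_ms=None):
    """Build the redirect target shown on the slides (timestamp, userId, auth)."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # same unit as the slides' msTimeStamp()
    params = {"timestamp": str(timestamp_ms), "userId": user_id}
    params["auth"] = calculate_secure_mac(params, secret)
    return "https://" + host + AUTOSIGNON_PATH + "?" + urlencode(params)


def verify_autosignon_url(url, secret, now_ms, max_age_ms=5 * 60 * 1000):
    """Receiver-side check (an assumption about what a careful receiver should do,
    not the Building Block's documented behaviour). Returns the userId on success,
    None on any failure: missing parameters, MAC mismatch, or a stale timestamp,
    so that a captured URL cannot be replayed indefinitely."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    presented = query.pop("auth", "")
    if "timestamp" not in query or "userId" not in query:
        return None
    expected = calculate_secure_mac(query, secret)
    # constant-time comparison avoids leaking how many leading characters matched
    if not hmac.compare_digest(presented, expected):
        return None
    try:
        ts = int(query["timestamp"])
    except ValueError:
        return None
    if abs(now_ms - ts) > max_age_ms:
        return None
    return query["userId"]
```

Because the MAC is a plain MD5 over the concatenated values, the strength of the shared secret and the freshness check carry the security of this scheme; an HMAC would be the standard construction, but the receiver's algorithm is fixed by the Building Block.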
Lessons Learned