Pennsylvania Banner Users Group 2010 Fall Conference SSO to Blackboard Utilizing Luminis' CAS Melissa Miller Manager, Web Applications [email protected] La Salle University Philadelphia, PA Alicia Stonesifer Manager, Instructional Systems [email protected]


Page 1: Luminis Iv Sso 2010

Pennsylvania Banner Users Group

2010 Fall Conference

SSO to Blackboard

Utilizing Luminis' CAS

Melissa Miller, Manager, Web Applications

[email protected]

La Salle University Philadelphia, PA

Alicia Stonesifer, Manager, Instructional Systems

[email protected]

Page 2: Luminis Iv Sso 2010

General Announcements:

Please turn off all cell phones/pagers

If you must leave the session early, please do so as discreetly as possible

Please avoid side conversations during the session

Questions will be answered after the presentation

Thank you for your cooperation

Page 3: Luminis Iv Sso 2010

La Salle University

La Salle is a Catholic University founded by the Christian Brothers in Philadelphia in 1863.

Three campuses: North East Philadelphia, Bucks County and Montgomery County

Recent expansion projects

◦ The acquisition of Germantown Hospital for the School of Nursing and Health Sciences

◦ The expansion of Roland Holroyd Science Center to include environmentally friendly laboratories, classrooms, and lounges

Page 4: Luminis Iv Sso 2010

La Salle University

The University student body of 7,500 students includes

◦ 3,400 full-time undergraduates

◦ 1,400 part-time undergraduates

◦ 2,700 graduate and doctoral students.

Enrollment has grown 16 percent in the past 10 years.

Students come from 44 states and 27 foreign countries

Two-thirds of undergraduates live on campus

Page 5: Luminis Iv Sso 2010

Agenda

What is CAS?

Luminis’ CAS

Blackboard SSO

Page 6: Luminis Iv Sso 2010

WHAT IS CAS?

Page 7: Luminis Iv Sso 2010

CAS

Central Authentication Service

CAS is an authentication system originally created by Yale University.

Provides a trusted way for an application to authenticate a user without the application ever handling the user's password.

Page 8: Luminis Iv Sso 2010

CAS

CAS involves three components: a client web browser, the web application requesting authentication, and the CAS server.

The client visits an application; the application redirects it to CAS.

CAS validates the client's authenticity (the user logs in at the CAS server, not at the application).

Page 9: Luminis Iv Sso 2010

CAS

If the authentication succeeds, CAS returns the client to the application, passing along a security ticket.

The application validates the ticket by contacting CAS directly over a secure connection.

CAS replies with whether the client has been successfully authenticated (and, if so, for which user).
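The ticket-validation step described above, shown as an added example in PHP (this is not code from the slides or from phpCAS). It builds the CAS 2.0 serviceValidate request, fetches it with certificate checking left on, and parses both the success and the failure form of the XML reply; the CAS server address, the service URL, the ticket value and the two sample replies are constructed placeholders.

```php
<?php
// Added example, not code from the slides: how an application validates the
// CAS 2.0 service ticket it was handed on the redirect back. The CAS server
// address and the sample XML replies below are constructed placeholders.

const CAS_NS = 'http://www.yale.edu/tp/cas';

// The application sends the ticket back to CAS over HTTPS together with its own
// service URL; CAS only confirms a ticket for the service it was issued to.
function buildServiceValidateUrl(string $casBase, string $service, string $ticket): string
{
    return rtrim($casBase, '/') . '/serviceValidate?'
        . http_build_query(['service' => $service, 'ticket' => $ticket]);
}

// Fetch the reply with certificate verification left ON: trust in the answer
// rests on this being a verified server-to-server TLS connection.
function fetchValidateResponse(string $url): string
{
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('could not reach the CAS server');
    }
    return $body;
}

// Parse the <cas:serviceResponse>. Returns the authenticated user name, or null
// (with $error set) on a failure reply or a malformed one.
function parseServiceValidateResponse(string $xml, ?string &$error = null): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        $error = 'MALFORMED_RESPONSE';
        return null;
    }
    $cas = $doc->children(CAS_NS);
    if (isset($cas->authenticationSuccess)) {
        $user = trim((string) $cas->authenticationSuccess->children(CAS_NS)->user);
        if ($user === '') {
            $error = 'MISSING_USER';
            return null;
        }
        return $user;
    }
    if (isset($cas->authenticationFailure)) {
        $code = (string) $cas->authenticationFailure['code'];
        $error = ($code !== '' ? $code : 'UNKNOWN') . ': ' . trim((string) $cas->authenticationFailure);
        return null;
    }
    $error = 'UNEXPECTED_RESPONSE';
    return null;
}

// Constructed sample replies in the CAS 2.0 format (one success, one failure).
$successXml = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n"
    . "  <cas:authenticationSuccess>\n    <cas:user>jdoe</cas:user>\n  </cas:authenticationSuccess>\n"
    . "</cas:serviceResponse>";
$failureXml = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n"
    . "  <cas:authenticationFailure code='INVALID_TICKET'>\n    Ticket ST-placeholder not recognized\n"
    . "  </cas:authenticationFailure>\n</cas:serviceResponse>";

echo buildServiceValidateUrl('https://cas.example.edu/cas', 'https://bb-sso.example.edu/sso.php', 'ST-placeholder'), "\n";
foreach ([$successXml, $failureXml, '<not xml'] as $reply) {
    $user = parseServiceValidateResponse($reply, $err);
    echo $user !== null ? "accepted user $user\n" : "rejected: $err\n";
}
```

In production the reply would come from fetchValidateResponse() rather than the embedded samples. The parser only accepts a user name from an explicit authenticationSuccess element; anything else (a failure element, a malformed body, an empty user) is a rejection, which is the behaviour an application should want at this step.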

Page 10: Luminis Iv Sso 2010

LUMINIS CAS

Page 11: Luminis Iv Sso 2010

Luminis CAS

“Yale CAS 2.0 is integrated by default with Luminis IV, and will issue tickets recognized by CAS-enabled clients.”

http://www.yale.edu/tp/cas/

Can be locked down to only trust specified services or applications

Usernames or Immutable IDs can be used

See Appendix B in Luminis IV install guide for more details and Parallel deployment settings

Page 12: Luminis Iv Sso 2010

Luminis CAS Example

1. User logs into Luminis Portal and clicks a link or icon, which sends the browser to CAS with a "Service ID"

2. CAS returns ticket and cookie

3. Browser redirects to the "Service" with ticket

4. Ticket validation: the service checks the ticket against the Luminis CAS web service

5. If ticket is valid, then continue to application (Blackboard)

(Diagram: Luminis Web Service, CAS Ticket Validation, Blackboard)

Page 13: Luminis Iv Sso 2010

BLACKBOARD 9 SSO

Page 14: Luminis Iv Sso 2010

Blackboard 9 SSO

Asked BB community for help

Pointed to oscelot.org

Downloaded AutoSignOn1.0

by Mark O'Neil

◦ http://projects.oscelot.org/gf/project/autosignon/frs

Page 15: Luminis Iv Sso 2010

Blackboard 9 SSO

Install as Building Block

Configure

◦ A Building Block file (sessionservice.class) was modified to use Username instead of Batch_UID.

◦ loadByBatchUid changed to loadByUserName.

Page 16: Luminis Iv Sso 2010

Blackboard 9 SSO

Page 17: Luminis Iv Sso 2010
Page 18: Luminis Iv Sso 2010

Blackboard 9 SSO

BB is now listening for the SSO Request

Minimum URL for Request is: http://<host>/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp=<unix_epoch_time>&userId=<ubatch_uid>&auth=<mac>

So the variables we need are (info from the AutoSignOn Admin Guide):

<host> The hostname/port of the Learn server.

<unix_epoch_time> The timestamp in Unix epoch format.

<mac> A generated Message Authentication Code.

<ubatch_uid> On integrated systems, the user's Batch Uid is equivalent to the Snapshot external person key. The Batch Uid of users created through the Learn GUI will be the same as their username.

Page 19: Luminis Iv Sso 2010

Blackboard 9 SSO

Our Task: Write some code to build the URL

Step 1: Need to grab Username

We used phpCAS client

◦ Free, easy install

◦ Installation & Usage Instructions at https://wiki.jasig.org/display/CASC/phpCAS

◦ Also clients for .NET, JAVA, VBSCRIPT, PERL…

Next, phpCAS Sample

Page 20: Luminis Iv Sso 2010

<?php // phpCAS simple client
include_once('CAS.php'); // import phpCAS lib
phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.univ-rennes1.fr', 443, ''); // initialize phpCAS
phpCAS::setNoCasServerValidation(); // no SSL validation for the CAS server (test setting only; leave it out in production so the server certificate is checked)
phpCAS::forceAuthentication(); // force CAS authentication
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
if (isset($_REQUEST['logout'])) { phpCAS::logout(); } // logout if desired
// for this test, simply print that the authentication was successful
?>
<html>
<head><title>phpCAS simple client</title></head>
<body>
<h1>Successful Authentication!</h1>
<p>the user's login is <b><?php echo htmlspecialchars(phpCAS::getUser()); ?></b>.</p>
<p>phpCAS version is <b><?php echo htmlspecialchars(phpCAS::getVersion()); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>

Page 21: Luminis Iv Sso 2010

Blackboard 9 SSO

We use phpCAS to force the user to sign in to our portal if they have not already.

Once authenticated, phpCAS::getUser() grabs the user's Portal ID, which is the same as their Blackboard User ID:

$userId = phpCAS::getUser();

Page 22: Luminis Iv Sso 2010

Blackboard 9 SSO

Next, we generate the Unix timestamp (in milliseconds):

function msTimeStamp() {
    // microtime(true) returns seconds as a float; scale to milliseconds
    return round(microtime(true) * 1000);
}

$timestamp = msTimeStamp();

Page 23: Luminis Iv Sso 2010

Blackboard 9 SSO

Next, we generate the MAC

In the AutoSignOn guide we are given the following:

PHP Example, Secure Algorithm:

/* Calculates a MAC (message authentication code) from an array of strings and a secret.
   Sort request parameters alphabetically by parameter name first, then pass the values of the
   sorted parameters and the shared secret to calculateSecureMac */
function calculateSecureMac($params, $secret) {
    $data = implode('', $params); // concatenate param values
    // get md5 of concatenated param values and secret
    $mac = md5($data . $secret);
    return $mac;
}

Page 24: Luminis Iv Sso 2010

Blackboard 9 SSO

Set Shared Secret

In Building Block:

In Our Code:

// Shared Secret
$secret = '12345'; // associated password (placeholder value from the slides)

Page 25: Luminis Iv Sso 2010

Blackboard 9 SSO

Given the sample, we built this:

function calculateSecureMac($params, $secret)
{
    // concatenate param values
    $data = implode('', $params);
    // get md5 of concatenated param values and secret
    $mac = md5($data . $secret);
    return $mac;
}

// parameters sorted by name: timestamp before userId
$params = array($timestamp, $userId);
$mac = calculateSecureMac($params, $secret);

Page 26: Luminis Iv Sso 2010

Blackboard 9 SSO

So We Have…

◦ HOST

◦ USERID

◦ TIMESTAMP

◦ MAC

Finally, Build URL and Redirect

// redirect to site with required parameters
header('Location: https://bb.myschool.edu/webapps/bbgs-autosignon-BBLEARN/autoSignon.do'
    . '?timestamp=' . $timestamp . '&userId=' . rawurlencode($userId) . '&auth=' . $mac);
exit; // stop the script so nothing else is sent after the redirect
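The whole procedure from the preceding slides (timestamp, sorted parameters, MAC, URL) carried through in one place, as an added example that is not the presenters' code, together with the check the receiving end has to make before it trusts such a request. The MAC recipe is the one the slides quote from the AutoSignOn guide; the host, user, secret and freshness window are placeholders, and verifyAutoSignonRequest() is an assumed model of what the Building Block does, not its actual code.

```php
<?php
// Added example, not code from the slides: the AutoSignOn request built from
// the four pieces above, plus the check the receiving end has to make before
// it trusts the request. The MAC recipe is the one the slides quote from the
// AutoSignOn guide (md5 of the parameter values, sorted by name, followed by
// the shared secret). Host, user, secret and the freshness window are
// placeholders; the verifier is an assumed model of the Building Block.

function calculateSecureMac(array $params, string $secret): string
{
    ksort($params);                                  // sort by parameter name first
    return md5(implode('', $params) . $secret);      // then hash values + secret
}

function buildAutoSignonUrl(string $host, string $userId, int $timestampMs, string $secret): string
{
    $params = ['userId' => $userId, 'timestamp' => (string) $timestampMs];
    $mac = calculateSecureMac($params, $secret);     // ksort puts timestamp before userId
    return 'https://' . $host . '/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?'
        . http_build_query(['timestamp' => $timestampMs, 'userId' => $userId, 'auth' => $mac]);
}

// Receiving side: recompute the MAC from the received values, compare it in
// constant time, and refuse timestamps outside a short window so that a URL
// captured from a log or browser history cannot be replayed later.
function verifyAutoSignonRequest(array $query, string $secret, int $nowMs, int $windowMs = 300000): array
{
    foreach (['timestamp', 'userId', 'auth'] as $name) {
        if (!isset($query[$name]) || $query[$name] === '') {
            return [false, "missing $name"];
        }
    }
    if (!ctype_digit($query['timestamp'])) {
        return [false, 'timestamp is not a number'];
    }
    if (abs($nowMs - (int) $query['timestamp']) > $windowMs) {
        return [false, 'timestamp outside freshness window'];
    }
    $expected = calculateSecureMac(
        ['timestamp' => $query['timestamp'], 'userId' => $query['userId']],
        $secret
    );
    if (!hash_equals($expected, $query['auth'])) {
        return [false, 'MAC mismatch'];
    }
    return [true, $query['userId']];
}

$secret = 'replace-with-a-long-random-secret';        // placeholder shared secret
$issuedAt = 1284000000000;                            // constructed timestamp, ms
$url = buildAutoSignonUrl('bb.example.edu', 'jdoe', $issuedAt, $secret);
echo $url, "\n";

// Parse the query back out, then run it past the verifier under three conditions.
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
$cases = [
    'fresh request'        => [$query, $issuedAt + 1000],
    'replayed an hour on'  => [$query, $issuedAt + 3600000],
    'altered userId'       => [array_merge($query, ['userId' => 'someone-else']), $issuedAt + 1000],
];
foreach ($cases as $label => [$q, $now]) {
    [$ok, $detail] = verifyAutoSignonRequest($q, $secret, $now);
    echo str_pad($label, 22), $ok ? "accepted as $detail\n" : "rejected ($detail)\n";
}
```

Only the first case is accepted; the replay fails on the timestamp window and the altered user ID fails on the MAC. Because the scheme is a plain md5 over values plus secret rather than an HMAC, the sender has no choice but to follow the vendor recipe, so the protective margin comes from two places the integrator does control: a long random shared secret (not the '12345' placeholder on the slides) and a tight freshness window on the receiving side.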

Page 27: Luminis Iv Sso 2010

Lessons Learned