Luminis Iv Sso 2010


  • Good morning everyone. My name is Melissa Miller and I work at La Salle University as the Manager of Web Applications. I am here today to talk about our method of providing Single Sign On to the Microsoft Exchange Labs email system.
  • One thing I have learned along the way is to allow plenty of time to deal with support issues. Microsoft is working on their support model and as of this writing this is still in progress. In particular the Windows Ed Desk was a major sticking point in trying to resolve certificate issues. Make sure you are clear from the beginning on your domains and if you will have subdomains or separate domains because that changes EVERYTHING as far as they are concerned. If you can land yourself one or two senior tech support people they will be your best friends and help escalate the process in a way that you can't.
  • Luminis Iv Sso 2010

    1. 1. Pennsylvania Banner Users Group 2010 Fall Conference. SSO to Blackboard Utilizing Luminis CAS. Melissa Miller, Manager, Web Applications; Alicia Stonesifer, Manager, Instructional Systems. La Salle University, Philadelphia, PA
    2. 2. General Announcements: Please turn off all cell phones/pagers. If you must leave the session early, please do so as discreetly as possible. Please avoid side conversations during the session. Questions will be answered after the presentation. Thank you for your cooperation.
    3. 3. La Salle University: La Salle is a Catholic University founded by the Christian Brothers in Philadelphia in 1863. Three campuses: North East Philadelphia, Bucks County and Montgomery County. Recent expansion projects: ◦ The acquisition of Germantown Hospital for the School of Nursing and Health Sciences ◦ The expansion of Roland Holroyd Science Center to include environmentally friendly laboratories, classrooms, and lounges
    4. 4. La Salle University: The University student body of 7,500 students includes ◦ 3,400 full-time undergraduates ◦ 1,400 part-time undergraduates ◦ 2,700 graduate and doctoral students. Enrollment has grown 16 percent in the past 10 years. Students come from 44 states and 27 foreign countries. Two-thirds of undergraduates live on campus.
    5. 5. Agenda: What is CAS? Luminis’ CAS. Blackboard SSO.
    6. 6. WHAT IS CAS?
    7. 7. CAS Central Authentication Service CAS is an authentication system originally created by Yale University Provides a trusted way for an application to authenticate a user without a password
    8. 8. CAS CAS involves three components- a client web browser, the web application requesting authentication, and the CAS server. Client visits an application, the application redirects it to CAS. CAS validates the clients authenticity
    9. 9. CAS If the authentication succeeds, CAS returns the client to the application, passing along a security ticket Application validates ticket by contacting CAS over a secure connection. CAS passes information about whether the client has been successfully authenticated
    10. 10. LUMINIS CAS
    11. 11. Luminis CAS: “Yale CAS 2.0 is integrated by default with Luminis IV, and will issue tickets recognized by CAS-enabled clients.” Can be locked down to only trust specified services or applications. Usernames or Immutable IDs can be used. See Appendix B in Luminis IV install guide for more details and Parallel deployment settings.
    12. 12. Luminis CAS Example (diagram: Luminis, CAS, Web Service, Blackboard)
            1. User logs into Luminis Portal and clicks a link or icon, which sends the browser to CAS with a “Service ID”.
            2. CAS returns ticket and cookie.
            3. Browser redirects to the “Service” with ticket.
            4. Ticket validation.
            5. If ticket is valid, then continue to application (Blackboard).
    13. 13. BLACKBOARD 9 SSO
    14. 14. Blackboard 9 SSO Asked BB community for help Pointed to Downloaded AutoSignOn1.0 by Mark O’Neil ◦
    15. 15. Blackboard 9 SSO Install as Building Block Configure ◦ A Building Block file (sessionservice.class) was modified to use Username instead of Batch_UID. ◦ loadByBatchUid changed to loadByUserName,
    16. 16. Blackboard 9 SSO
    17. 17. Blackboard 9 SSO BB is now listening for the SSO Request Minimum URL for Request is: http://<host>/webapps/bbgs-autosignon- BBLEARN/ ?timestamp=<unix_epoch_time>&userId=<ubatch_uid>&auth =<mac> So The Variables We Need Are: **Info From AutoSignon Admin Guide<host> The hostname/port of the Learn server.<unix_epoch_time> The timestamp in Unix epoch format<mac> A generated Message Authentication Code<ubatch_uid> On integrated systems, the user’s Batch Uid is equivalent to the Snapshot external person key.The Batch Uid of users created through theLearn GUI will be the same as theirusername.
    18. 18. Blackboard 9 SSO Our Task: Write some code to build the URL Step 1: Need to grab Username We used phpCAS client ◦ Free, easy install ◦ Installation & Usage Instructions at S ◦ Also clients for .NET, JAVA, VBSCRIPT, PERL… Next, phpCAS Sample
    19. 19. <?php
            // phpCAS simple client
            include_once('CAS.php'); // import phpCAS lib
            phpCAS::setDebug();
            // initialize phpCAS; '<cas_host>' and '<cas_uri>' are placeholders
            // for the values missing from this transcript
            phpCAS::client(CAS_VERSION_2_0, '<cas_host>', 443, '<cas_uri>');
            // no SSL validation for the CAS server (sample setting;
            // phpCAS::setCasServerCACert() turns validation on)
            phpCAS::setNoCasServerValidation();
            phpCAS::forceAuthentication(); // force CAS authentication
            // at this step, the user has been authenticated by the CAS server
            // and the user's login name can be read with phpCAS::getUser().
            if (isset($_REQUEST['logout'])) {
                phpCAS::logout(); // logout if desired
            }
            // for this test, simply print that the authentication was successful
            ?>
            <html>
              <head> <title>phpCAS simple client</title> </head>
              <body>
                <h1>Successful Authentication!</h1>
                <p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
                <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
                <p><a href="?logout=">Logout</a></p>
              </body>
            </html>
    20. 20. Blackboard 9 SSO We use phpCAS to forces user to sign-in to our portal if they have not already. Once authenticated, phpCAS::getUser() grabs the users Portal ID which is the$userId = as their Blackboard User ID same phpCAS::getUser();
    21. 21. Blackboard 9 SSO Next, We generate the Unix Time Stamp function msTimeStamp() { return round(microtime(1) * 1000); } $timestamp = msTimeStamp();
    22. 22. Blackboard 9 SSO Next, We Generate the MAC In AutoSignOn guide we are given the following:PHP ExampleSecure Algorithm:/* Calculates a MAC (message authentication code) from an array of strings and asecret. Sort request parameters alphabetically by parameter name first, then pass values ofsorted parameters and shared secret to calculateSecureMac */function calculateSecureMac($params, $secret) { $data = implode(, $params); // concatenate param values // get md5 of concatenated param values and secret $mac = md5($data . $secret); return $mac;}
    23. 23. Blackboard 9 SSO Set Shared Secret In Building Block: In Our Code:// Shared Secret$secret= 12345; // associated password
    24. 24. Blackboard 9 SSO Given the sample, we built this:$params = array($timestamp, $userId);function calculateSecureMac($params, $secret){ // concatenate param values $data = implode(, $params); // get md5 of concatenated param values and secret $mac = md5($data . $secret); return $mac;}$mac = calculateSecureMac($params,$secret);
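    25. 25. Blackboard 9 SSO: So We Have… ◦ HOST ◦ USERID ◦ TIMESTAMP ◦ MAC. Finally, Build URL and Redirect:
            // redirect to site with required parameters
            // (<host> is the Learn server placeholder from slide 17)
            header('Location: http://<host>/webapps/bbgs-autosignon-BBLEARN/?timestamp=' . $timestamp . '&userId=' . $userId . '&auth=' . $mac);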
    26. 26. Lessons Learned
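
The steps on slides 17 to 25 (timestamp, userId, MAC, redirect) put together with the checks a receiver of such a request would make, as an added example that is not from the slides or from the AutoSignOn Building Block. The receiver function, the 5-minute freshness window, the host `learn.example.edu`, the user names and the secret are assumptions made for illustration.

```php
<?php
// Added example (not from the slides): sender plus a hypothetical receiver.
const MAX_SKEW_MS = 300000; // assumed freshness window: 5 minutes

// MAC as the guide describes: sort by parameter name, concatenate the
// values, append the shared secret, take the MD5 hex digest.
function calculateSecureMac(array $params, string $secret): string {
    ksort($params, SORT_STRING);
    return md5(implode('', $params) . $secret);
}

// Sender: sign timestamp and userId, then URL-encode every parameter.
function buildSsoUrl(string $base, string $userId, int $timestampMs, string $secret): string {
    $params = ['timestamp' => (string) $timestampMs, 'userId' => $userId];
    $params['auth'] = calculateSecureMac($params, $secret);
    return $base . '?' . http_build_query($params);
}

// Receiver (hypothetical): reject missing, stale or altered requests.
function verifySsoRequest(array $query, string $secret, int $nowMs): bool {
    foreach (['timestamp', 'userId', 'auth'] as $name) {
        if (!isset($query[$name]) || !is_string($query[$name])) {
            return false;
        }
    }
    if (!ctype_digit($query['timestamp'])) {
        return false;
    }
    if (abs($nowMs - (int) $query['timestamp']) > MAX_SKEW_MS) {
        return false;
    }
    $signed = ['timestamp' => $query['timestamp'], 'userId' => $query['userId']];
    // hash_equals compares in constant time, unlike == or strcmp.
    return hash_equals(calculateSecureMac($signed, $secret), $query['auth']);
}

// Constructed sample values: host, user names and secret are placeholders.
$secret = 'example-shared-secret';
$now    = (int) round(microtime(true) * 1000);
$base   = 'https://learn.example.edu/webapps/bbgs-autosignon-BBLEARN/';
$url    = buildSsoUrl($base, 'jdoe', $now, $secret);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

var_dump(verifySsoRequest($query, $secret, $now));                          // request as sent
var_dump(verifySsoRequest(['userId' => 'asmith'] + $query, $secret, $now)); // userId changed in transit
var_dump(verifySsoRequest($query, $secret, $now + 600000));                 // same URL, 10 minutes later
```

Building the query string with `http_build_query` keeps a user name containing `&` or `=` from changing how the receiver parses the parameters.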