1. Pennsylvania Banner Users Group
2010 Fall Conference
SSO to Blackboard
Utilizing Luminis' CAS
Melissa Miller, Manager, Web Applications, millermm@lasalle.edu
Alicia Stonesifer, Manager, Instructional Systems, stonesifer@lasalle.edu
La Salle University
Philadelphia, PA
2. General Announcements:
Please turn off all cell phones/pagers
If you must leave the session early, please do so as discreetly as possible
Please avoid side conversations during the session
Questions will be answered after the presentation
Thank you for your cooperation
3. La Salle University
La Salle is a Catholic University founded by the Christian Brothers in Philadelphia in 1863.
Three campuses: North East Philadelphia, Bucks County and Montgomery County
Recent expansion projects
◦ The acquisition of Germantown Hospital for the School of Nursing and Health Sciences
◦ The expansion of Roland Holroyd Science Center to include environmentally friendly laboratories, classrooms, and lounges
4. La Salle University
The University student body of 7,500 students includes
◦ 3,400 full-time undergraduates
◦ 1,400 part-time undergraduates
◦ 2,700 graduate and doctoral students.
Enrollment has grown 16 percent in the past 10 years.
Students come from 44 states and 27 foreign countries
Two-thirds of undergraduates live on campus
7. CAS
Central Authentication Service
CAS is an authentication system originally created by Yale University
Provides a trusted way for an application to authenticate a user without the application ever handling the user's password
8. CAS
CAS involves three components: a client web browser, the web application requesting authentication, and the CAS server.
The client visits an application; the application redirects it to CAS.
CAS validates the client's authenticity
9. CAS
If the authentication succeeds, CAS returns the client to the application, passing along a security ticket
Application validates the ticket by contacting CAS over a secure connection.
CAS passes back information about whether the client has been successfully authenticated
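The ticket-validation step just described, written out as an added example (not the slides' code and not CAS or phpCAS project code): the application builds a CAS 2.0 /serviceValidate request and parses the XML reply. The CAS base URL, service URL, ticket value and both sample replies are constructed placeholders.

```php
<?php
// Added example (not from the slides, and not CAS or phpCAS project code): the
// ticket-validation step described above as a CAS 2.0 /serviceValidate request
// whose XML reply is parsed for the user CAS vouched for. The URLs, the ticket
// value and both XML replies are constructed placeholders.

// The validation request the application sends to the CAS server; $service
// must be the same URL the browser was originally sent to CAS with.
function casValidateUrl(string $casBase, string $service, string $ticket): string {
    return rtrim($casBase, '/') . '/serviceValidate?'
        . http_build_query(['service' => $service, 'ticket' => $ticket]);
}

// Return the username CAS vouched for, or null for a failure or malformed reply.
function parseServiceValidate(string $xml): ?string {
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing the reply
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('cas', 'http://www.yale.edu/tp/cas');
    $users = $xp->query('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if ($users->length !== 1) {
        return null; // <cas:authenticationFailure> reply or unexpected structure
    }
    return trim($users->item(0)->textContent);
}

// Constructed sample replies in the CAS 2.0 response format.
$okXml = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>'
    . '</cas:serviceResponse>';
$failXml = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>'
    . '</cas:serviceResponse>';

// The application fetches this URL over HTTPS (with certificate verification)
// and hands the body to parseServiceValidate(); values here are illustrative.
$url = casValidateUrl('https://portal.example.edu/cas', 'https://sso.example.edu/bb.php', 'ST-placeholder');
echo "Validation request: $url\n";
var_dump(parseServiceValidate($okXml));   // the vouched-for user
var_dump(parseServiceValidate($failXml)); // no user for a failure reply
```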
11. Luminis CAS
“Yale CAS 2.0 is integrated by default with Luminis IV, and will issue tickets recognized by CAS-enabled clients.”
http://www.yale.edu/tp/cas/
Can be locked down to only trust specified services or applications
Usernames or Immutable IDs can be used
See Appendix B in the Luminis IV install guide for more details and Parallel deployment settings
12. Luminis CAS Example
Components in the diagram: Luminis CAS, Web Service, Blackboard
1. User logs into Luminis Portal and clicks a link or icon, which sends the browser to CAS with a “Service ID”
2. CAS returns ticket and cookie
3. Browser redirects to the “Service” with ticket
4. Web Service performs ticket validation against Luminis CAS
5. If ticket is valid, then continue to application (Blackboard)
14. Blackboard 9 SSO
Asked BB community for help
Pointed to oscelot.org
Downloaded AutoSignOn 1.0 by Mark O’Neil
◦ http://projects.oscelot.org/gf/project/autosignon/frs
15. Blackboard 9 SSO
Install as Building Block
Configure
◦ A Building Block file (sessionservice.class) was modified to use Username instead of Batch_UID.
◦ loadByBatchUid changed to loadByUserName
18. Blackboard 9 SSO
BB is now listening for the SSO Request
Minimum URL for Request is:
http://<host>/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp=<unix_epoch_time>&userId=<ubatch_uid>&auth=<mac>
So The Variables We Need Are (info from the AutoSignOn Admin Guide):
<host>: The hostname/port of the Learn server.
<unix_epoch_time>: The timestamp in Unix epoch format
<mac>: A generated Message Authentication Code
<ubatch_uid>: On integrated systems, the user’s Batch Uid is equivalent to the Snapshot external person key. The Batch Uid of users created through the Learn GUI will be the same as their username.
19. Blackboard 9 SSO
Our Task: Write some code to build the URL
Step 1: Need to grab Username
We used phpCAS client
◦ Free, easy install
◦ Installation & Usage Instructions at https://wiki.jasig.org/display/CASC/phpCAS
◦ Also clients for .NET, JAVA, VBSCRIPT, PERL…
Next, phpCAS Sample
20. <?php // phpCAS simple client
include_once('CAS.php'); // import phpCAS lib
phpCAS::setDebug();
// initialize phpCAS (server values are the phpCAS distribution's sample values)
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.univ-rennes1.fr', 443, '');
// no SSL validation for the CAS server: test use only; in production point
// phpCAS::setCasServerCACert() at the CA certificate instead
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication(); // force CAS authentication
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
if (isset($_REQUEST['logout'])) { phpCAS::logout(); } // logout if desired
// for this test, simply print that the authentication was successful
?>
<html>
<head><title>phpCAS simple client</title></head>
<body><h1>Successful Authentication!</h1>
<p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>
21. Blackboard 9 SSO
We use phpCAS to force the user to sign in to our portal if they have not already.
Once authenticated, phpCAS::getUser() grabs the user's Portal ID, which is the same as their Blackboard User ID:
$userId = phpCAS::getUser();
22. Blackboard 9 SSO
Next, We generate the Unix Time Stamp
function msTimeStamp() {
    return round(microtime(true) * 1000); // milliseconds since the Unix epoch
}
$timestamp = msTimeStamp();
23. Blackboard 9 SSO
Next, We Generate the MAC
In AutoSignOn guide we are given the following:
PHP Example
Secure Algorithm:
/* Calculates a MAC (message authentication code) from an array of strings and a secret.
   Sort request parameters alphabetically by parameter name first, then pass values of
   sorted parameters and shared secret to calculateSecureMac */
function calculateSecureMac($params, $secret) {
    $data = implode('', $params); // concatenate param values
    // get md5 of concatenated param values and secret
    $mac = md5($data . $secret);
    return $mac;
}
24. Blackboard 9 SSO
Set Shared Secret
In Building Block:
In Our Code:
// Shared Secret (must match the value set in the Building Block)
$secret = '12345'; // associated password (slide sample value; use a long random value in practice)
25. Blackboard 9 SSO
Given the sample, we built this:
// parameter names sorted alphabetically: timestamp, then userId
$params = array($timestamp, $userId);
function calculateSecureMac($params, $secret)
{
    // concatenate param values
    $data = implode('', $params);
    // get md5 of concatenated param values and secret
    $mac = md5($data . $secret);
    return $mac;
}
$mac = calculateSecureMac($params, $secret);
26. Blackboard 9 SSO
So We Have…
◦ HOST
◦ USERID
◦ TIMESTAMP
◦ MAC
Finally, Build URL and Redirect
// redirect to site with required parameters
header('Location: https://bb.myschool.edu/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp='
    . $timestamp . '&userId=' . $userId . '&auth=' . $mac);
exit; // stop script execution after issuing the redirect
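The URL build from slides 21 through 26 put together as one added example (not the slides' code and not the AutoSignOn Building Block's), alongside the checks the receiving side should make before trusting such a request. $host, $secret and $userId are placeholders, and the guide's sort-by-parameter-name rule is applied generically rather than to the two fixed parameters.

```php
<?php
// Added example (not the slides' code and not the AutoSignOn Building Block's):
// the URL build from slides 21-26 in one place, plus the checks the receiving
// side should make before trusting the request. $host, $secret and $userId are
// placeholders; the guide's sort-by-parameter-name rule is applied generically.

// MAC over the parameter values sorted by parameter name, then the shared secret
// (the algorithm the AutoSignOn guide gives and the Building Block expects).
function calculateSecureMac(array $params, string $secret): string {
    ksort($params, SORT_STRING);
    return md5(implode('', array_values($params)) . $secret);
}

function msTimeStamp(): int {
    return (int) round(microtime(true) * 1000); // milliseconds since the Unix epoch
}

function buildAutoSignonUrl(string $host, string $userId, string $secret): string {
    $params = ['timestamp' => (string) msTimeStamp(), 'userId' => $userId];
    $mac = calculateSecureMac($params, $secret);
    // http_build_query encodes the values; the MAC was computed over the raw ones
    return 'https://' . $host . '/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?'
        . http_build_query($params + ['auth' => $mac]);
}

// Receiver-side checks: constant-time MAC comparison and a bounded timestamp
// age, so a captured URL stops working once the window closes.
function verifyAutoSignon(array $query, string $secret, int $nowMs, int $maxAgeMs = 60000): bool {
    if (!isset($query['timestamp'], $query['userId'], $query['auth'])) {
        return false;
    }
    if (!ctype_digit($query['timestamp']) || abs($nowMs - (int) $query['timestamp']) > $maxAgeMs) {
        return false;
    }
    $expected = calculateSecureMac(
        ['timestamp' => $query['timestamp'], 'userId' => $query['userId']], $secret);
    return hash_equals($expected, $query['auth']);
}

$host   = 'bb.example.edu';                    // placeholder Learn host
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'; // placeholder shared secret
$userId = 'jdoe';                              // placeholder; normally phpCAS::getUser()

$url = buildAutoSignonUrl($host, $userId, $secret);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
echo 'Fresh, untampered request accepted: ', var_export(verifyAutoSignon($query, $secret, msTimeStamp()), true), "\n";
$query['userId'] = 'someoneelse'; // changing any parameter invalidates the MAC
echo 'Tampered request accepted: ', var_export(verifyAutoSignon($query, $secret, msTimeStamp()), true), "\n";
```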
Good morning everyone. My name is Melissa Miller and I work at La Salle University as the Manager of Web Applications. I am here today to talk about our method of providing Single Sign On to the Microsoft Exchange Labs email system.
Some things I have learned along the way are to allow plenty of time to deal with support issues. Microsoft is working on their support model and, as of this writing, this is still in progress. In particular, the Windows Ed Desk was a major sticking point in trying to resolve certificate issues. Make sure you are clear from the beginning on your domains and whether you will have sub-domains or separate domains, because that changes EVERYTHING as far as they are concerned. If you can land yourself one or two senior tech support people, they will be your best friends and help escalate the process in a way that you can't.