Page 1
Pennsylvania Banner Users Group
2010 Fall Conference
SSO to Blackboard
Utilizing Luminis' CAS
Melissa Miller, Manager, Web Applications
[email protected]
La Salle University Philadelphia, PA
Alicia Stonesifer, Manager, Instructional Systems
[email protected]
Page 2
General Announcements:
Please turn off all cell phones/pagers
If you must leave the session early, please do so as discreetly as possible
Please avoid side conversations during the session
Questions will be answered after the presentation
Thank you for your cooperation
Page 3
La Salle University
La Salle is a Catholic University founded by the Christian Brothers in Philadelphia in 1863.
Three campuses: North East Philadelphia, Bucks County and Montgomery County
Recent expansion projects
◦ The acquisition of Germantown Hospital for the School of Nursing and Health Sciences
◦ The expansion of Roland Holroyd Science Center to include environmentally friendly laboratories, classrooms, and lounges
Page 4
La Salle University
The University student body of 7,500 students includes
◦ 3,400 full-time undergraduates
◦ 1,400 part-time undergraduates
◦ 2,700 graduate and doctoral students.
Enrollment has grown 16 percent in the past 10 years.
Students come from 44 states and 27 foreign countries
Two-thirds of undergraduates live on campus
Page 5
Agenda
What is CAS?
Luminis’ CAS
Blackboard SSO
Page 7
CAS
Central Authentication Service
CAS is an authentication system originally created by Yale University
Provides a trusted way for an application to authenticate a user without the application ever handling the user's password
Page 8
CAS
CAS involves three components: a client web browser, the web application requesting authentication, and the CAS server.
Client visits an application; the application redirects it to CAS.
CAS validates the client's authenticity
Page 9
CAS
If the authentication succeeds, CAS returns the client to the application, passing along a security ticket
Application validates the ticket by contacting CAS over a secure connection.
CAS passes back information about whether the client has been successfully authenticated
Page 11
Luminis CAS
“Yale CAS 2.0 is integrated by default with Luminis IV, and will issue tickets recognized by CAS-enabled clients.”
http://www.yale.edu/tp/cas/
Can be locked down to only trust specified services or applications
Usernames or Immutable ID’s can be used
See Appendix B in Luminis IV install guide for more details and Parallel deployment settings
Page 12
Luminis CAS Example
User logs into Luminis Portal and clicks a link or icon, which sends the browser to CAS with a "Service ID"
CAS returns ticket and cookie
Browser redirects to the "Service" with ticket
Ticket validation (the service checks the ticket with CAS, as on page 9)
If ticket is valid, then continue to application
[Diagram: Luminis Web Service, CAS, Ticket Validation and Blackboard, with the steps above numbered 1 to 5]
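The exchange on pages 8, 9 and 12 written out as a bare CAS 2.0 client, an added example that is not part of the slides and does not use phpCAS: the script redirects a ticket-less browser to /login naming itself as the service, and when CAS sends the browser back with a ticket it validates that ticket server-to-server over TLS and reads the username out of the XML reply. The hostnames are placeholders; the /login and /serviceValidate endpoints and the cas: XML namespace are the CAS 2.0 protocol's own.

```php
<?php
// Added example (not from the slides): a minimal CAS 2.0 client in plain PHP.
// Assumptions: $casBase is the CAS server (placeholder host) and this script
// is the "service" that CAS sends the browser back to (placeholder URL).

$casBase = 'https://luminis.example.edu/cas';         // placeholder CAS base URL
$service = 'https://app.example.edu/cas-test.php';   // placeholder: this script's own URL

// Validate a service ticket by calling /serviceValidate over TLS.
// Returns the authenticated username, or null if CAS rejects the ticket.
function validateCasTicket(string $casBase, string $service, string $ticket): ?string {
    $url = $casBase . '/serviceValidate?service=' . rawurlencode($service)
         . '&ticket=' . rawurlencode($ticket);

    // Certificate checking stays on: the answer to this call is what we trust.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        return null;   // CAS unreachable: treat as not authenticated
    }
    return parseCasResponse($body);
}

// Parse the CAS 2.0 XML response. Only <cas:authenticationSuccess> yields a
// user; <cas:authenticationFailure> (expired, reused or wrong-service ticket)
// and anything unparsable yield null.
function parseCasResponse(string $xml): ?string {
    $doc = @simplexml_load_string($xml);
    if ($doc === false) {
        return null;
    }
    $doc->registerXPathNamespace('cas', 'http://www.yale.edu/tp/cas');
    $user = $doc->xpath('//cas:authenticationSuccess/cas:user');
    if (empty($user)) {
        return null;
    }
    return (string) $user[0];
}

// --- request handling -------------------------------------------------------
if (!isset($_GET['ticket'])) {
    // Step 1: no ticket yet, so send the browser to CAS naming ourselves as the service.
    header('Location: ' . $casBase . '/login?service=' . rawurlencode($service));
    exit;
}

// Steps 2-4: CAS redirected back with ?ticket=ST-...; validate it server-to-server.
$user = validateCasTicket($casBase, $service, $_GET['ticket']);
if ($user === null) {
    http_response_code(403);
    echo 'Ticket rejected by CAS';
    exit;
}

// Step 5: the ticket is valid and $user is the login name CAS asserted.
echo 'Authenticated as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The browser never carries the username; it carries only a one-time ticket, and the username comes from the server-to-server validation call. That is why the service URL passed to /serviceValidate must match the one sent to /login, and why the TLS verification in the stream context should not be switched off.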
Page 14
Blackboard 9 SSO
Asked BB community for help
Pointed to oscelot.org
Downloaded AutoSignOn 1.0 by Mark O'Neil
◦ http://projects.oscelot.org/gf/project/autosignon/frs
Page 15
Blackboard 9 SSO
Install as Building Block
Configure
◦ A Building Block file (sessionservice.class) was modified to use Username instead of Batch_UID.
◦ loadByBatchUid changed to loadByUserName.
Page 18
Blackboard 9 SSO
BB is now listening for the SSO Request
Minimum URL for Request is:
http://<host>/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp=<unix_epoch_time>&userId=<ubatch_uid>&auth=<mac>
So the variables we need are (info from AutoSignOn Admin Guide):
<host> - The hostname/port of the Learn server.
<unix_epoch_time> - The timestamp in Unix epoch format
<mac> - A generated Message Authentication Code
<ubatch_uid> - On integrated systems, the user's Batch Uid is equivalent to the Snapshot external person key. The Batch Uid of users created through the Learn GUI will be the same as their username.
Page 19
Blackboard 9 SSO
Our Task: Write some code to build the URL
Step 1: Need to grab Username
We used phpCAS client
◦ Free, easy install
◦ Installation & Usage Instructions at https://wiki.jasig.org/display/CASC/phpCAS
◦ Also clients for .NET, JAVA, VBSCRIPT, PERL…
Next, phpCAS Sample
Page 20
<?php // phpCAS simple client
include_once('CAS.php'); // import phpCAS lib
phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0, 'sso-cas.univ-rennes1.fr', 443, ''); // initialize phpCAS
phpCAS::setNoCasServerValidation(); // no SSL validation for the CAS server (test only; use phpCAS::setCasServerCACert() in production)
phpCAS::forceAuthentication(); // force CAS authentication
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
if (isset($_REQUEST['logout'])) { phpCAS::logout(); } // logout if desired
// for this test, simply print that the authentication was successful
?>
<html>
<head><title>phpCAS simple client</title></head>
<body><h1>Successful Authentication!</h1>
<p>the user's login is <b><?php echo htmlspecialchars(phpCAS::getUser()); ?></b>.</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="?logout=">Logout</a></p>
</body>
</html>
Page 21
Blackboard 9 SSO
We use phpCAS to force the user to sign in to our portal if they have not already.
Once authenticated, phpCAS::getUser() grabs the user's Portal ID, which is the same as their Blackboard User ID:
$userId = phpCAS::getUser();
Page 22
Blackboard 9 SSO
Next, we generate the Unix time stamp
function msTimeStamp() {
    return round(microtime(true) * 1000);
}
$timestamp = msTimeStamp();
Page 23
Blackboard 9 SSO
Next, We Generate the MAC
In the AutoSignOn guide we are given the following:
PHP Example, Secure Algorithm:
/* Calculates a MAC (message authentication code) from an array of strings and a secret.
   Sort request parameters alphabetically by parameter name first, then pass values of
   sorted parameters and shared secret to calculateSecureMac */
function calculateSecureMac($params, $secret) {
    $data = implode('', $params); // concatenate param values
    // get md5 of concatenated param values and secret
    $mac = md5($data . $secret);
    return $mac;
}
Page 24
Blackboard 9 SSO
Set Shared Secret
In Building Block:
In Our Code:
// Shared Secret (the same value entered in the Building Block)
$secret = '12345'; // associated password
Page 25
Blackboard 9 SSO
Given the sample, we built this:
// parameter values in alphabetical order of parameter name: timestamp, then userId
$params = array($timestamp, $userId);
function calculateSecureMac($params, $secret)
{
    // concatenate param values
    $data = implode('', $params);
    // get md5 of concatenated param values and secret
    $mac = md5($data . $secret);
    return $mac;
}
$mac = calculateSecureMac($params, $secret);
Page 26
Blackboard 9 SSO
So We Have…
◦ HOST
◦ USERID
◦ TIMESTAMP
◦ MAC
Finally, Build URL and Redirect
// redirect to site with required parameters
header('Location: https://bb.myschool.edu/webapps/bbgs-autosignon-BBLEARN/autoSignon.do?timestamp='
    . $timestamp . '&userId=' . rawurlencode($userId) . '&auth=' . $mac);
exit; // stop here so nothing is sent after the redirect header
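The pieces from pages 19 to 26 assembled into one function, as an added example that is not the presenters' code, together with a model of the check the receiving side has to make for the timestamp to mean anything. The MAC rule is the one the AutoSignOn guide gives on pages 23 to 25 (parameter values in alphabetical order of parameter name, then the secret, MD5'd); the host and secret are placeholders, and the verifier function is illustrative only, since the Building Block's own validation code is not on the slides.

```php
<?php
// Added example (not from the slides): the AutoSignOn URL built end to end,
// plus a model of the receiving side's check. Placeholder host and secret.

// Build the MAC as the AutoSignOn guide describes: sort by parameter name,
// concatenate the values in that order, append the shared secret, MD5.
function autoSignonMac(array $params, string $secret): string {
    ksort($params);   // "timestamp" sorts before "userId"
    return md5(implode('', $params) . $secret);
}

// Build the full autoSignon.do URL for one user (timestamp in milliseconds,
// as the guide's msTimeStamp() produces).
function buildAutoSignonUrl(string $host, string $userId, string $secret, ?int $timestampMs = null): string {
    $timestampMs = $timestampMs ?? (int) round(microtime(true) * 1000);
    $params = ['timestamp' => (string) $timestampMs, 'userId' => $userId];
    $mac = autoSignonMac($params, $secret);
    return 'https://' . $host . '/webapps/bbgs-autosignon-BBLEARN/autoSignon.do'
         . '?timestamp=' . $timestampMs
         . '&userId=' . rawurlencode($userId)
         . '&auth=' . $mac;
}

// Illustrative model of what the receiving side must check (the Building
// Block's actual code is not on the slides). A request is accepted only if
// the MAC matches AND the timestamp is recent, so a URL captured from a
// browser history or proxy log cannot be replayed later.
function verifyAutoSignon(array $query, string $secret, int $nowMs, int $maxAgeMs = 60000): bool {
    if (!isset($query['timestamp'], $query['userId'], $query['auth'])) {
        return false;
    }
    $expected = autoSignonMac(
        ['timestamp' => (string) $query['timestamp'], 'userId' => (string) $query['userId']],
        $secret
    );
    if (!hash_equals($expected, (string) $query['auth'])) {   // constant-time compare
        return false;
    }
    $age = $nowMs - (int) $query['timestamp'];
    return $age >= 0 && $age <= $maxAgeMs;
}

// Usage with placeholder values (replace both before use):
$secret = 'REPLACE-WITH-LONG-RANDOM-SECRET';   // must match the Building Block's setting
$url = buildAutoSignonUrl('bb.myschool.edu', 'jdoe', $secret);

// The receiving side parses the query string back out and checks it, once with
// the current clock and once with a clock ten minutes ahead to exercise the age test.
parse_str(parse_url($url, PHP_URL_QUERY), $query);
$nowMs = (int) round(microtime(true) * 1000);
$acceptedNow   = verifyAutoSignon($query, $secret, $nowMs);
$acceptedLater = verifyAutoSignon($query, $secret, $nowMs + 600000);
```

Two design points: the value list handed to md5() has no separator, so a userId that ends in digits and a timestamp that starts with them can collide in the concatenation, which is why the parameter order and the secret matter; and the MAC alone proves only that someone holding the secret built the URL, so without the age check in verifyAutoSignon an old URL would keep logging the same user in.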