Banner 9 and Central Authentication Service (CAS)

This FAQ is also available on the Commons at
http://www.edu1world.org/CommonsBanner/wiki/document/7489
What is Single Sign-On?
Single sign-on (SSO) is an authentication process that permits a user to enter one name
and one password to access multiple web based applications. It provides a unified
mechanism for organizations to manage the authentication of users and implement
business rules that determine user access to local, remote, and legacy applications and
data. Benefits include:

Improved user productivity. Users are no longer bogged down by multiple logins
and they are not required to remember multiple IDs and passwords. Also, support
personnel answer fewer requests to reset forgotten passwords.

Improved developer productivity. SSO provides developers with a common
authentication framework.

Simplified administration. When applications participate in a single sign-on
protocol, the administration burden of managing user accounts is simplified.
How will single sign-on be supported in Banner 9?
Single sign-on for Banner 9 will be supported via Central Authentication Service (CAS).
CAS is an open source Single Sign-On (SSO) protocol. Its purpose is to permit a user to
access multiple applications while providing their login credentials only once. It also
allows web applications to authenticate users without gaining access to a user's security
credentials, such as a password. CAS is the only solution for SSO between Banner 8,
Banner 9, and Luminis Platform.
Ellucian’s Identity Management strategy allows our applications to integrate either with an
external access manager (e.g. Oracle, Sun, Novell) where the SSO protocol can be
implemented, or with open source CAS. CAS is the most popular utility for access
management, and therefore it is what we are currently using for Banner 9. Additional
testing will be done in the future to support external access managers in Banner 9.
Will Banner 9 require both CAS and Banner Enterprise Identity Services (BEIS)?
BEIS is not required for a Banner 9 single sign-on implementation with CAS; CAS is natively
supported within Banner 9 for single sign-on.
Does Banner 8 currently support CAS single sign-on?
Banner 8 requires BEIS to support CAS single sign-on. BEIS 8.1.5 has a new component called
SSO Manager, which consolidates SSO functionality. SSO Manager allows clients to achieve
CAS-based SSO without BEIS account provisioning, as long as a unique identifier for each user
is synchronized between Banner (GOBUMAP) and the CAS LDAP repository. BEIS 8.1.5 with
the SSO Manager component is due to be released in September 2011.
Will a user have the ability to log in to Banner 8 and navigate to Banner 9 without logging in again?
Yes, an end user will have the ability to navigate between Banner 8 and Banner 9 without
needing to re-enter login credentials, provided the institution has configured both Banner 8 and
Banner 9 with CAS.
Banner 8 to Banner 9 navigation CAS SSO example:
Let’s say an institution has the following:

Banner 8 configured with BEIS for CAS

Banner 9 configured with CAS

Luminis Platform is not a part of the Institution’s Digital Campus (see questions
10 and 11 for more information on SSO with Luminis Platform and Banner 9)
The end user experiences single sign-on between Banner 8 and Banner 9 in the
following manner:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 redirects the user to the CAS Server.

Action: The user enters their login credentials.
Result: The CAS Server redirects the user back to Banner 8, to the Banner 8 main menu.

Action: The user opens another browser or another tab in their browser and accesses the
Banner 9 URL.
Result: Banner 9 redirects the user to the CAS Server. Since the user has already logged into
the CAS Server for Banner 8, the user is directed right back to Banner 9 and brought to the
Banner 9 main menu. Note: the user is not required to submit their login credentials a
second time.
Note: it does not matter whether or not the user starts with Banner 9 first and then
accesses Banner 8 next – the single sign-on will still work in the same manner.
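The exchange the table above describes, as an added example that is not part of the original FAQ and is not Ellucian's or the CAS project's code: an in-memory model of a CAS server and two CAS-protected applications standing in for Banner 8 and Banner 9. The hostnames, the sample user and password, and the ticket strings are constructed for the example; a real deployment talks to CAS over HTTPS and validates tickets on the server's /serviceValidate endpoint. Beyond the table, it also shows the two properties of service tickets a practitioner should confirm against a real server: a ticket is single use, and it can only be validated by the service URL it was issued for.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class CasServer:
    """Stand-in for a CAS server: /login issues service tickets, /serviceValidate consumes them."""
    def __init__(self, users, services):
        self.users = users              # username -> password (constructed sample data)
        self.services = set(services)   # service URLs registered with the server
        self.tgts = {}                  # ticket-granting cookie (TGC) value -> username: the SSO session
        self.sts = {}                   # service ticket -> (username, service); single use

    def login(self, service, tgc=None, username=None, password=None):
        """Emulates /cas/login -> ('PROMPT', None, tgc) to show the form, or ('REDIRECT', url, tgc)."""
        if service not in self.services:
            raise ValueError("service not registered with CAS: " + service)
        if tgc in self.tgts:                                     # live SSO session: no prompt
            user = self.tgts[tgc]
        elif username in self.users and self.users[username] == password:
            user, tgc = username, secrets.token_urlsafe(32)      # new SSO session, set as the TGC cookie
            self.tgts[tgc] = user
        else:
            return "PROMPT", None, tgc
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (user, service)                           # ticket is bound to this service URL
        sep = "&" if "?" in service else "?"
        return "REDIRECT", f"{service}{sep}{urlencode({'ticket': st})}", tgc

    def service_validate(self, service, ticket):
        """Emulates /cas/serviceValidate: one use only, and only by the issuing service."""
        entry = self.sts.pop(ticket, None)
        return None if entry is None or entry[1] != service else entry[0]

class CasClientApp:
    """A CAS-protected web application, standing in for Banner 8 or Banner 9."""
    def __init__(self, name, url, cas):
        self.name, self.url, self.cas = name, url, cas
        self.sessions = {}                                       # app session cookie -> username

    def request(self, browser):
        """App session -> menu; ?ticket= -> back-channel validation (the app never sees the
        password); otherwise send the browser to CAS with service=<our URL>."""
        sess = browser.app_cookies.get(self.name)
        if sess in self.sessions:
            return "MENU", self.sessions[sess]
        ticket = parse_qs(urlparse(browser.location).query).get("ticket", [None])[0]
        if ticket:
            user = self.cas.service_validate(self.url, ticket)
            if user is None:
                return "INVALID_TICKET", None
            sess = secrets.token_urlsafe(16)
            self.sessions[sess] = user
            browser.app_cookies[self.name] = sess
            return "MENU", user
        return "REDIRECT_TO_CAS", self.url

class Browser:
    def __init__(self):
        self.tgc, self.app_cookies, self.location = None, {}, None   # the TGC is shared across apps
        self.prompts = 0                                             # times credentials were typed

def visit(app, browser, username, password):
    """Drive one visit through the redirects the table above describes."""
    browser.location = app.url
    state, value = app.request(browser)
    if state != "REDIRECT_TO_CAS":
        return state, value
    outcome, redirect, tgc = app.cas.login(value, tgc=browser.tgc)
    if outcome == "PROMPT":                                      # CAS shows the login form
        browser.prompts += 1
        outcome, redirect, tgc = app.cas.login(value, username=username, password=password)
        if outcome != "REDIRECT":
            return "LOGIN_FAILED", None
    browser.tgc, browser.location = tgc, redirect                # back to the app with ?ticket=ST-...
    return app.request(browser)

def sso_walkthrough(username="jsmith", password="correct horse"):
    """Banner 8 first, then Banner 9 in another tab; returns each outcome and the prompt count."""
    cas = CasServer({"jsmith": "correct horse"},
                    ["https://banner8.example.edu/", "https://banner9.example.edu/"])
    b8 = CasClientApp("banner8", "https://banner8.example.edu/", cas)
    b9 = CasClientApp("banner9", "https://banner9.example.edu/", cas)
    browser = Browser()
    r8 = visit(b8, browser, username, password)
    r9 = visit(b9, browser, username, password)
    return {"banner8": r8, "banner9": r9, "prompts": browser.prompts}

def ticket_properties():
    """Two checks worth running against a real CAS server: a ticket is single use and service-bound."""
    cas = CasServer({"jsmith": "pw"}, ["https://a.example.edu/", "https://b.example.edu/"])
    def issue():
        return parse_qs(urlparse(cas.login("https://a.example.edu/", username="jsmith",
                                           password="pw")[1]).query)["ticket"][0]
    st1, st2 = issue(), issue()
    return {"first_use": cas.service_validate("https://a.example.edu/", st1),
            "replay": cas.service_validate("https://a.example.edu/", st1),
            "other_service": cas.service_validate("https://b.example.edu/", st2)}
```

The browser object carries the ticket-granting cookie that makes the second visit silent; each application only ever receives a short-lived service ticket and validates it over the back channel, which is what lets it authenticate the user without gaining access to the password, as the FAQ states. Starting with Banner 9 instead of Banner 8 runs the same code path in the other order.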
If an institution chooses not to implement CAS, what is the end user experience?
Banner 8 to Banner 9 navigation without CAS example:
Let’s say an institution has the following:

Banner 8 with no BEIS/CAS configuration

Banner 9 with no CAS configuration

Luminis Platform is not a part of the Institution’s Digital Campus (see questions
10 and 11 for more information on SSO with Luminis Platform and Banner 9)
The end user experiences navigating between Banner 8 and Banner 9 in the following
manner:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 8 authenticates the user and the user is brought to the Banner 8 main menu.

Action: The user opens another browser or another tab in their browser and accesses the
Banner 9 URL.
Result: Banner 9 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 9 authenticates the user and the user is brought to the Banner 9 main menu.
Is there a way for an end user to navigate to Banner 9 from within Banner 8?
One suggestion to provide this functionality is to add the Banner 9 URL as a personal link in
Banner 8. This way the end user can access Banner 9 from the main menu of Banner 8.
If the institution has CAS configured with Banner 8 and Banner 9, and the Banner 9 URL is
defined as a personal link in Banner 8, the user experience is as follows:
Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 redirects the user to the CAS Server.

Action: The user enters their login credentials.
Result: The CAS Server redirects the user back to Banner 8, to the Banner 8 main menu.

Action: The user clicks the Banner 9 URL that has been defined as a personal link from the
Banner 8 main menu.
Result: A new browser window is opened and calls the Banner 9 URL. Banner 9 redirects the
user to the CAS Server. Since the user has already logged into the CAS Server for Banner 8,
the user is directed right back to Banner 9 and brought to the Banner 9 main menu. Note: the
user is not required to submit their login credentials a second time.
If the institution does not have CAS configured for Banner 8 and Banner 9, and the Banner 9
URL is defined as a personal link in Banner 8, the user experience is as follows:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 8 authenticates the user and the user is brought to the Banner 8 main menu.

Action: The user clicks the Banner 9 URL that has been defined as a personal link from the
Banner 8 main menu.
Result: A new browser window is opened and calls the Banner 9 URL. Banner 9 prompts the
user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 9 authenticates the user and the user is brought to the Banner 9 main menu.
Note: Banner 9 does not yet support personal links on the main menu, so there is not a similar
path to go from Banner 9 to Banner 8 using this same personal link methodology.
Will a customer have the ability to have single sign-on from Luminis Platform 4 to Banner 9?
Yes, single sign-on from Luminis Platform 4 to Banner 9 is supported. Both Luminis
Platform 4 and Banner 9 support single sign-on via CAS.
Note: The already existing ‘My Banner’ channel will continue to direct the user to
Banner 8. At this time, there is not an update to the My Banner channel to include a link
to Banner 9, nor will a new channel be delivered to direct a user to Banner 9 akin to the
My Banner channel. An institution could choose to create their own channel with a link
to their Banner 9 URL. Again, this would provide single sign-on if CAS is in place for
both Luminis Platform 4 and Banner 9.
Will a customer have the ability to have single sign-on from Luminis Platform 5 to Banner 9?
Yes, single sign-on from Luminis Platform 5 to Banner 9 is supported. Both Luminis
Platform 5 and Banner 9 support single sign-on via CAS.
Note: The already existing ‘My Banner’ portlet will continue to direct the user to Banner
8. At this time, there is not an update to the My Banner portlet to include a link to
Banner 9, nor will a new portlet be delivered to direct a user to Banner 9 akin to the My
Banner portlet. An institution could choose to create their own portlet with a link to
their Banner 9 URL. Again, this would provide single sign-on if CAS is in place for both
Luminis Platform 5 and Banner 9.
What is the single sign-on approach for other components within a Digital Campus featuring Banner 9?
At the time of the writing of this FAQ, integrations with other Digital Campus products,
e.g. Banner Document Management Suite and Workflow, have not yet been provided.
The long term goal is to have all Ellucian Digital Campus products provide single sign-on via CAS.
We are currently working on a SAML based Identity and Access Management system. Will there be any provision for Banner to work with SAML?
Banner 9 provides support for CAS single sign-on and for external access manager
products. Examples of external IDM systems that support SSO are Oracle Access
Manager, Novell Access Manager, etc. Most access manager products install a WebGate,
or interceptor component, that integrates with the web or application server. In Oracle
Access Manager's case the WebGate is installed as an Apache module which intercepts all
requests. Oracle Access Manager is configured to authenticate the user and assert an
identity attribute, typically stored in LDAP, to the application. Banner 9 can be
configured to support external authentication and accept the UDC_IDENTIFIER as an
HTTP header variable. If your access manager product can be configured to support the
same integration, it should work. Because the application then trusts whatever that header
says, the Banner 9 application server must be reachable only through the WebGate, and the
WebGate must strip any copy of the header supplied by the client before setting its own.
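The trust relationship in the paragraph above, as an added example that is not part of the original FAQ and is not Ellucian's or Oracle's code: a gateway that asserts the user's identity in a request header, beside a naive application that believes the header and a hardened one that accepts it only from the gateway. The requests are plain dictionaries standing in for HTTP, the gateway address 10.0.0.5, the attacker address 203.0.113.9, the hostnames and the user names are all constructed; UDC_IDENTIFIER is the header name the FAQ gives.

```python
IDENTITY_HEADER = "UDC_IDENTIFIER"           # header name the FAQ gives for the asserted identity
TRUSTED_GATEWAY_PEERS = {"10.0.0.5"}         # assumption: address(es) of the WebGate fronting Banner 9

def header(request, name):
    """Case-insensitive header lookup: HTTP header names are case-insensitive, so a filter
    that matches only the exact spelling can be bypassed with 'udc_identifier'."""
    for key, value in request["headers"].items():
        if key.upper() == name.upper():
            return value
    return None

def webgate(request, session_user):
    """Stand-in for the access manager's WebGate (an Apache module in Oracle Access Manager's case).
    It drops every client-supplied copy of the identity header, sets its own from the
    authenticated session, and forwards the request from the gateway's own address."""
    headers = {k: v for k, v in request["headers"].items() if k.upper() != IDENTITY_HEADER}
    if session_user is None:                 # no access-manager session: send the user to log in
        return {"status": 302, "location": "https://oam.example.edu/login", "headers": headers}
    headers[IDENTITY_HEADER] = session_user
    return {"status": 200, "peer": "10.0.0.5", "path": request["path"], "headers": headers}

def app_trusts_header(request):
    """Naive application side: whoever the header names is logged in."""
    return header(request, IDENTITY_HEADER)

def app_trusts_gateway_only(request):
    """Hardened application side: the header counts only on requests that arrived from the gateway.
    In production this is enforced with network controls or mutual TLS, not just a peer check."""
    if request.get("peer") not in TRUSTED_GATEWAY_PEERS:
        return None
    return header(request, IDENTITY_HEADER)

def run_scenarios():
    """Constructed requests; each entry is (naive result, hardened result)."""
    results = {}
    # 1. Normal path: browser -> WebGate (session authenticated as jsmith) -> application.
    forwarded = webgate({"path": "/banner9/", "headers": {"Host": "banner9.example.edu"}}, "jsmith")
    results["via_gateway"] = (app_trusts_header(forwarded), app_trusts_gateway_only(forwarded))
    # 2. Attacker reaches the application server directly, bypassing the WebGate, with a forged header.
    direct = {"path": "/banner9/", "peer": "203.0.113.9",
              "headers": {"Host": "banner9.example.edu", "udc_identifier": "ADMIN0001"}}
    results["bypass"] = (app_trusts_header(direct), app_trusts_gateway_only(direct))
    # 3. Same forged header sent through the WebGate: the gateway replaces it with the real identity.
    forwarded = webgate({"path": "/banner9/", "headers": {"udc_identifier": "ADMIN0001"}}, "jsmith")
    results["forged_via_gateway"] = (app_trusts_header(forwarded), app_trusts_gateway_only(forwarded))
    # 4. No access-manager session: the WebGate redirects to the login page instead of forwarding.
    results["unauthenticated"] = webgate({"path": "/banner9/", "headers": {}}, None)["status"]
    return results
```

Scenario 2 is the one to test for when reviewing such a deployment: if the application port answers to anything other than the WebGate, the header is an unauthenticated login as any user. One deployment caveat with this particular header name: nginx discards request headers whose names contain underscores unless underscores_in_headers is enabled, so a UDC_IDENTIFIER header that passes through nginx arrives empty.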
What is the path for institutions that currently use Luminis CPIP for SSO to move to CAS?
Institutions that use Luminis CPIP or GCF in their Banner 8 Digital Campus to provide
single sign-on will need to move to CAS to achieve single sign-on in Banner 9. To
prepare for this:

Establish and set up a CAS Server, if one doesn’t already exist or if the
institution is not using the CAS Server within Luminis Platform

Update Luminis Platform configuration to support CAS

Define identity mappings between LDAP server and Banner 9. Please contact
your Customer Relationship Manager for more information on services offerings
in this area.
Please note: Luminis CPIP or GCF is still supported for other applications but not for
Banner 9. This means that not all applications within an institution’s Digital Campus
need to move to CAS.