Banner 9 and Central Authentication Service (CAS)

This FAQ is also available on the Commons at http://www.edu1world.org/CommonsBanner/wiki/document/7489

What is Single Sign-On?

Single sign-on (SSO) is an authentication process that permits a user to enter one name and one password to access multiple web based applications. It provides a unified mechanism for organizations to manage the authentication of users and implement business rules that determine user access to local, remote, and legacy applications and data. Benefits include:

- Improved user productivity. Users are no longer bogged down by multiple logins and they are not required to remember multiple IDs and passwords. Also, support personnel answer fewer requests to reset forgotten passwords.
- Improved developer productivity. SSO provides developers with a common authentication framework.
- Simplified administration. When applications participate in a single sign-on protocol, the administration burden of managing user accounts is simplified.

How will single sign-on be supported in Banner 9?

Single sign-on for Banner 9 will be supported via Central Authentication Service (CAS). CAS is an open source Single Sign-On (SSO) protocol. Its purpose is to permit a user to access multiple applications while providing their login credentials only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. CAS is the only solution for SSO between Banner 8, Banner 9, and Luminis Platform. Ellucian’s Identity Management strategy allows our applications to integrate with either an external access manager (i.e. Oracle, Sun, Novell, etc.) where the SSO protocol can be implemented, or the applications can use Open Source CAS. CAS is the most popular utility for access management, therefore this is what we are currently using for Banner 9. Additional testing will be done in the future to support external access managers in Banner 9.
Will Banner 9 require both CAS and Banner Enterprise Identity Services (BEIS)?

BEIS is not required for a Banner 9 single sign-on implementation with CAS; CAS is natively supported within Banner 9 for single sign-on.

Does Banner 8 currently support CAS single sign-on?

Banner 8 requires BEIS to support CAS single sign-on. BEIS 8.1.5 has a new component called SSO Manager, which consolidates SSO functionality. SSO Manager allows clients to achieve CAS-based SSO without BEIS account provisioning as long as a unique identifier for each user is synchronized between Banner (GOBUMAP) and the CAS LDAP repository. BEIS 8.1.5 with the SSO Manager component is due to be released in September 2011.

Will a user have the ability to log in to Banner 8 and navigate to Banner 9 without logging in again?

Yes, an end user will have the ability to navigate between Banner 8 and Banner 9 without needing to re-enter login credentials, provided the institution has configured both Banner 8 and Banner 9 with CAS.

Banner 8 to Banner 9 navigation CAS SSO example. Let’s say an institution has the following:

- Banner 8 configured with BEIS for CAS
- Banner 9 configured with CAS
- Luminis Platform is not a part of the Institution’s Digital Campus (see questions 10 and 11 for more information on SSO with Luminis Platform and Banner 9)

The end user experiences single sign-on between Banner 8 and Banner 9 in the following manner:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 redirects the user to the CAS Server.

Action: The user enters their login credentials.
Result: The CAS Server redirects the user back to Banner 8 to the Banner 8 main menu.

Action: The user opens another browser or another tab in their browser and accesses the Banner 9 URL.
Result: Banner 9 redirects the user to the CAS Server. Since the user had already logged into the CAS Server for Banner 8, the user is then directed right back to Banner 9 and brought to the Banner 9 main menu.
Note: the user is not required to submit their login credentials a 2nd time.

Note: it does not matter whether the user starts with Banner 9 first and then accesses Banner 8 next; the single sign-on will still work in the same manner.

If an institution chooses not to implement CAS, what is the end user experience?

Banner 8 to Banner 9 navigation without CAS example. Let’s say an institution has the following:

- Banner 8 with no BEIS/CAS configuration
- Banner 9 with no CAS configuration
- Luminis Platform is not a part of the Institution’s Digital Campus (see questions 10 and 11 for more information on SSO with Luminis Platform and Banner 9)

The end user experiences navigating between Banner 8 and Banner 9 in the following manner:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 8 authenticates the user and the user is brought to the Banner 8 main menu.

Action: The user opens another browser or another tab in their browser and accesses the Banner 9 URL.
Result: Banner 9 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 9 authenticates the user and the user is brought to the Banner 9 main menu.

Is there a way for an end user to navigate to Banner 9 from within Banner 8?

One suggestion to provide this functionality is to put the Banner 9 URL in as a personal link in Banner 8. This way the end user could access Banner 9 from the main menu of Banner 8.

If the institution has CAS configured with Banner 8 and Banner 9 and the Banner 9 URL is in as a personal link in Banner 8, the user experience is as follows:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 redirects the user to the CAS Server.

Action: The user enters their login credentials.
Result: The CAS Server redirects the user back to Banner 8 to the Banner 8 main menu.

Action: The user clicks the Banner 9 URL that has been defined as a personal link from the Banner 8 main menu.
Result: A new browser window is opened and calls the Banner 9 URL. Banner 9 redirects the user to the CAS Server. Since the user had already logged into the CAS Server for Banner 8, the user is then directed right back to Banner 9 and brought to the Banner 9 main menu.

Note: the user is not required to submit their login credentials a 2nd time.

If the institution does not have CAS configured for Banner 8 and Banner 9 and the Banner 9 URL is in as a personal link in Banner 8, the user experience is as follows:

Action: The user accesses the Banner 8 URL via their browser.
Result: Banner 8 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 8 authenticates the user and the user is brought to the Banner 8 main menu.

Action: The user clicks the Banner 9 URL that has been defined as a personal link from the Banner 8 main menu.
Result: A new browser window is opened and calls the Banner 9 URL. Banner 9 prompts the user for their login credentials.

Action: The user submits their login credentials.
Result: Banner 9 authenticates the user and the user is brought to the Banner 9 main menu.

Note: Banner 9 does not yet support personal links on the main menu, so there is not a similar path to go from Banner 9 to Banner 8 using this same personal link methodology.

Will a customer have the ability to have single sign-on from Luminis Platform 4 to Banner 9?

Yes, single sign-on from Luminis Platform 4 to Banner 9 is supported. Both Luminis Platform 4 and Banner 9 support single sign-on via CAS. Note: The already existing ‘My Banner’ channel will continue to direct the user to Banner 8. At this time, there is not an update to the My Banner channel to include a link to Banner 9, nor will a new channel be delivered to direct a user to Banner 9 akin to the My Banner channel. An institution could choose to create their own channel with a link to their Banner 9 URL.
Again, this would provide single sign-on if CAS is in place for both Luminis Platform 4 and Banner 9.

Will a customer have the ability to have single sign-on from Luminis Platform 5 to Banner 9?

Yes, single sign-on from Luminis Platform 5 to Banner 9 is supported. Both Luminis Platform 5 and Banner 9 support single sign-on via CAS. Note: The already existing ‘My Banner’ portlet will continue to direct the user to Banner 8. At this time, there is not an update to the My Banner channel to include a link to Banner 9, nor will a new portlet be delivered to direct a user to Banner 9 akin to the My Banner channel. An institution could choose to create their own portlet with a link to their Banner 9 URL. Again, this would provide single sign-on if CAS is in place for both Luminis Platform 5 and Banner 9.

What is the single sign-on approach for other components within a Digital Campus featuring Banner 9?

At the time of the writing of this FAQ, integrations with other Digital Campus products, i.e. Banner Document Management Suite and Workflow, have not yet been provided. The long term goal is to have all Ellucian Digital Campus products provide single sign-on via CAS.

We are currently working on a SAML based Identity and Access Management system; will there be any provision for Banner to work with SAML?

Banner 9 provides support for CAS Single Sign-on and external access manager products. Examples of external IDM systems that support SSO are Oracle Access Manager, Novell Access Manager, etc. Most Access Manager products install a Web Gate, or interceptor component, that integrates with the application server. In Oracle Access Manager’s case it installs its web gate as an Apache module which intercepts all requests. Oracle Access Manager is configured to authenticate the user and assert an identity attribute, typically stored in LDAP, to the application. Banner 9 can be configured to support external authentication and accept the UDC_IDENTIFIER as an http header variable.
If your access manager product can be configured to support the same integration, it should work.

What is the path for institutions that currently use Luminis CPIP for SSO to move to CAS?

Institutions that use Luminis CPIP or GCF in their Banner 8 Digital Campus to provide single sign-on will need to move to CAS to achieve single sign-on in Banner 9. To prepare for this:

- Establish and set up a CAS Server, if one doesn’t already exist or if the institution is not using the CAS Server within Luminis Platform
- Update the Luminis Platform configuration to support CAS
- Define identity mappings between the LDAP server and Banner 9

Please contact your Customer Relationship Manager for more information on services offerings in this area.

Please note: Luminis CPIP or GCF is still supported for other applications but not for Banner 9. This means that not all applications within an institution’s Digital Campus need to move to CAS.
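To make the redirect-and-ticket exchange in the Banner 8 to Banner 9 navigation scenarios above concrete, here is an added example (not from this FAQ and not Ellucian or CAS project code) that simulates the CAS browser flow in Python. The user name, service URLs and ticket formats are constructed for illustration; the service ticket checks (single use, bound to the service it was issued for) follow the CAS protocol rather than any Banner configuration.

```python
import secrets

class CasServer:
    """Toy CAS server: ticket-granting sessions (TGC cookie values)
    and single-use service tickets (ST). Constructed for illustration."""
    def __init__(self, users):
        self.users = users            # username -> password (sample data)
        self.tgts = {}                # TGC cookie value -> username
        self.service_tickets = {}     # ST -> (username, service)

    def login(self, service, tgc=None, username=None, password=None):
        # /login?service=... : a browser holding a valid TGC gets no login form
        if tgc in self.tgts:
            user = self.tgts[tgc]
        else:
            if username is None or self.users.get(username) != password:
                raise PermissionError("login form: credentials required")
            user, tgc = username, "TGC-" + secrets.token_hex(8)
            self.tgts[tgc] = user
        st = "ST-" + secrets.token_hex(8)
        self.service_tickets[st] = (user, service)
        return tgc, f"{service}?ticket={st}"

    def service_validate(self, service, ticket):
        # /serviceValidate : a ticket is single-use and bound to one service,
        # so a replayed or cross-service ticket yields no identity
        entry = self.service_tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

class Browser:
    def __init__(self):
        self.tgc = None               # the CAS cookie shared across tabs

def visit(browser, cas, service, creds=None):
    """App redirects to CAS; CAS redirects back with ?ticket=ST; the app
    validates the ticket with CAS before trusting the identity."""
    username, password = creds or (None, None)
    browser.tgc, redirect = cas.login(service, browser.tgc, username, password)
    ticket = redirect.split("ticket=")[1]
    user = cas.service_validate(service, ticket)
    if user is None:
        raise PermissionError("ticket rejected by CAS")
    return user

def sso_demo():
    """Banner 8, then Banner 9 in a second tab: credentials entered once."""
    cas = CasServer({"jdoe": "s3cret"})            # constructed sample user
    browser = Browser()
    first = visit(browser, cas, "https://banner8.example.edu/", ("jdoe", "s3cret"))
    second = visit(browser, cas, "https://banner9.example.edu/")  # no prompt
    return first, second
```

Calling sso_demo() returns ("jdoe", "jdoe"): the second application never sees the password, only a validated ticket, which is the property the FAQ attributes to CAS.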