June 2014
Banner®, Colleague®, PowerCampus™, and Luminis® are trademarks of Ellucian Company L.P. or its affiliates and are registered in the U.S.
and other countries. Ellucian®, Ellucian Advance™, Ellucian Degree Works™, Ellucian Course Signals™, Ellucian SmartCall™, and Ellucian
Recruiter™ are trademarks of Ellucian Company L.P. or its affiliates. Other names may be trademarks of their respective owners.
Contains confidential and proprietary information of Ellucian and its subsidiaries. Use of these materials is limited to Ellucian licensees, and is
subject to the terms and conditions of one or more written license agreements between Ellucian and the licensee in question.
In preparing and providing this publication, Ellucian is not rendering legal, accounting, or other similar professional services. Ellucian makes no
claims that an institution's use of this publication or the software for which it is provided will guarantee compliance with applicable federal or state
laws, rules, or regulations. Each organization should seek legal, accounting and other similar professional services from competent providers of
the organization's own choosing.
Revision History
Publication Date Summary
November 2013 New version that supports CAS single sign on for Ellucian products.
April 2014 Added chapters for Banner Document Management, Banner Workflow, and Ellucian Degree Works
May 2014 Updated text for cas.properties and deployerConfigContext.xml files.
June 2014 Added text for integrating Banner Document Management with Banner Workflow.
Contents
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Identity management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Functional Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
What is SSO? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
What is CAS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
An analogy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Map GUIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
If BEIS account provisioning is deployed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
If BEIS account provisioning is not deployed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Processing flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Your institution must maintain numerous software applications and environments to meet
the daily needs of your students, faculty, and administrators. The complexity of these
applications and environments requires the implementation of an identity management
infrastructure.
Identity management
An identity management infrastructure provides two basic functions:
• Single sign on (SSO) allows a user to securely access multiple systems with a single
login. Web applications can authenticate a user without accessing the user’s security
credentials. Many higher education institutions use Central Authentication Service
(CAS) to implement SSO.
This handbook focuses on the use of CAS to authenticate users for SSO.
This handbook describes the configuration of the following Ellucian applications for use
with CAS:
Ellucian application | Configuration instructions
Documentation will be added to this handbook as more Ellucian applications are tested for
integration with CAS.
This chapter describes functional concepts regarding the role of single sign on (SSO) and
Central Authentication Service (CAS) in your identity management infrastructure. You
should read and understand this information before you implement CAS at your institution.
What is SSO?
Single sign on (SSO) allows a user to securely access multiple systems with a single
login. Defined business processes and a supporting technical infrastructure determine
who can access systems, when systems can be accessed, and from where systems can
be accessed. Once a central service authenticates a user, the user is granted access to
multiple systems without repeated requests for login.
SSO gives your institution a unified mechanism to authenticate users and implement
business rules that determine user access to local, remote, and legacy applications and
data. SSO provides the following benefits:
• Improved user productivity. Users do not need to log in multiple times. Users do not
need to remember multiple IDs and passwords.
• Simplified administration. The burden of managing user accounts is simplified. The need
to reset forgotten passwords is reduced.
The key element in the UDCIdentity XML structure is the UDCIdentifier, a globally unique
identifier (GUID) that is assigned to each user at your institution and stored in a central
identity vault. The UDCIdentifier is an unchanging, system-generated, 32-character,
alphanumeric value. The following example shows the UDCIdentifier:
<UDCIdentifier>36BE6D6D18560C44E0440003BA33B440</UDCIdentifier>
What is CAS?
Central Authentication Service (CAS) is an open source SSO authentication service for
web applications. Originally developed by Yale University, CAS became a Jasig project in
December 2004.
Many higher education institutions use CAS to implement SSO. Although CAS can be
implemented in a few hours, a fully functional SSO implementation that is supported by
CAS requires considerable planning and preparation. Integrated applications must be
configured to participate in a CAS-controlled environment. Many client programs are
available to customize applications so they can use CAS for user authentication.
The following diagram shows an example of ticket-based SSO using CAS. In this
example, several applications use a centralized CAS server and LDAP directory. Various
versions of Banner® are used at the same time: Banner 9.x, Internet-Native Banner (INB),
and Self-Service Banner (SSB). Third-party applications are also configured to participate
in the CAS-controlled environment.
If BEIS is used
If BEIS account provisioning components are deployed, BEIS performs the following
processing:
The SSO Manager relies on a central access manager (such as CAS) to authenticate a
user and assert the user’s identity. Once a user is authenticated, the SSO Manager
performs the operations that allow the user to access SSB or INB.
• CAS-based authentication. CAS protects the SSO Manager by authenticating the user.
After the user is authenticated, the SSO Manager invokes a validation service that is
exposed by the CAS server. This service validates the CAS session and provides the
identity of the user to the SSO Manager in a defined XML format.
Note: The SSO Manager fully supports the CAS server that is delivered
with Luminis® Platform 5.x.
The SSO Manager also provides services that other Ellucian applications can use to
facilitate claims-based authentication based on the UDCIdentifier.
An analogy
The following analogy illustrates how Ellucian applications work with CAS to establish and
manage SSO.
Airport: The terminal and the airline require a passenger to authenticate his or her identity.
Ellucian SSO: Ellucian applications (such as Banner and Luminis) require a user to authenticate his or her identity.
Airport: Airport security performs the operations that allow the passenger to board the airplane.
Ellucian SSO: The SSO Manager performs the operations that allow the user to access INB or SSB.
The following tasks should be performed before you configure Ellucian products to use
Central Authentication Service (CAS) for single sign on (SSO):
• Include both technical and functional representation in the planning and implementation
process.
• Determine the overall goal. Identify which applications should participate in a claims-based SSO environment, and which applications should not.
• Determine the differences between the old and new versions of CAS.
• Determine the impact on the applications that are participating in your claims-based environment.
• Determine how the CAS upgrade impacts your current Ellucian applications.
• Create a test plan and a test environment.
Map GUIDs
SSO with CAS is designed to use the UDCIdentifier as the globally unique identifier
(GUID) for each user at your institution. The UDCIdentifier identifies a user whenever
access to protected resources is requested. The UDCIdentifier for each user is stored in
the central identity vault.
The coordination of the UDCIdentifier in Banner and in the central identity vault facilitates
SSO. After a user is authenticated, the consuming application uses the UDCIdentifier that
is stored in the central identity vault to identify the user in Banner. If the identifiers match,
access is granted to the authenticated user.
• GUID stored in Banner. The GUID for a person is stored in the GOBUMAP table. The
column GOBUMAP_UDC_ID is VARCHAR2(225) and is designed to store the
UDCIdentifier. Any unique identifier for the person can be stored in this column.
As long as the GUIDs stored in these two repositories are coordinated and retrievable as
the UDCIdentifier, access through the consuming application is possible.
Prerequisites
CAS server 3.4.12 is the minimum supported version. Before you configure the CAS
server, you must be familiar with the following applications:
Note: If you are moving to Luminis® Platform 5, you can install the CAS
server that is delivered with Luminis Platform 5. Refer to “Installing a new
CAS server as part of the Luminis Platform 5 installation” on page 27 for
details.
Warning! Be careful if you copy and paste code samples from this
document into your configuration files. Unexpected spaces in copied code
can cause problems.
Example: cas-server-3.4.12
2. Open <PROJECT_WEBROOT>/WEB-INF/cas.properties.
3. Update the server.prefix property to specify the CAS server protocol, host, and
port.
Example: server.prefix=https://cas.ellucian.com:8443/cas
Example: host.name=cas.ellucian.com
5. (Optional) In the default deployment, volatile data is cleared when the application
restarts. If you want to persist the data, use the following steps to change the
configuration:
5.1. Make sure the following entry is present and uncommented:
database.hibernate.dialect=org.hibernate.dialect.OracleDialect
5.2. Add the following property:
ticket.cleaner.database.platform=SQL92
6. Save and close cas.properties.
<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
  <property name="credentialsToPrincipalResolver">
    <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
  </property>
  <property name="filter" value="(uid=%u)" />
  <property name="principalAttributeName" value="uid" />
  <property name="searchBase" value="ou=users,dc=ellucian,dc=com" />
  <property name="contextSource" ref="contextSource" />
  <property name="attributeRepository">
    <ref bean="attributeRepository" />
  </property>
</bean>
7. Replace the attributeRepository bean with the following bean. This bean is used to specify the attributes that must be fetched from LDAP.
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="contextSource" />
  <property name="baseDN" value="ou=users,dc=ellucian,dc=com" />
  <property name="requireAllQueryAttributes" value="true" />
  <!-- Attribute mapping between principal (key) and LDAP (value) names used to perform the
       LDAP search. By default, multiple search criteria are ANDed together. Set the queryType
       property to change to OR. -->
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid" />
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
      <entry key="cn" value="UDC_IDENTIFIER" />
      <entry key="uid" value="uid" />
    </map>
  </property>
</bean>
8. Add the contextSource bean. This bean is used to specify the LDAP properties.
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="false" />
  <property name="urls">
Note: Modify the LDAP URL, userDn, and password to reflect your LDAP
configuration. Change "dc=ellucian,dc=com" to reflect your
environment.
9. Use one of the following methods (in-memory data store or JPA-based registry) to
store session and service registry data.
9.1. An in-memory (persistent) data store can be used to store session and service registry data. Volatile data is cleared during application restarts. Service registrations are stored statically in deployerConfigContext.xml. To implement an in-memory data store, change the following bean:
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <!-- Protect CAS Managed Services Endpoint -->
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="1" />
        <property name="name" value="CAS Managed Services" />
        <property name="description" value="CAS Managed Services Endpoint" />
        <property name="serviceId" value="https://[cas.host.edu]:[cas.port]/cas/services/**" />
        <property name="allowedAttributes">
          <list>
            <value>uid</value>
          </list>
        </property>
        <property name="evaluationOrder" value="10000001" />
      </bean>
      <!-- Protect SSB/INB via the SSO Manager Client -->
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="2" />
        <property name="name" value="SSO Manager" />
        <property name="description" value="CAS Client for SSB/INB" />
        <property name="serviceId" value="http://[ssomanager.host.edu]:[ssomanager.port]/ssomanager/c/**" />
        <property name="allowedAttributes">
          <list>
            <value>UDC_IDENTIFIER</value>
          </list>
        </property>
        <property name="evaluationOrder" value="10000002" />
      </bean>
    </list>
  </property>
</bean>
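The two RegisteredServiceImpl beans above are easier to reason about as a small model. The following Python is an added example (not Ellucian's or Jasig CAS's code) of how CAS 3.x decides whether a presented service URL is registered and which principal attributes it releases to it: Ant-style matching on serviceId, the lowest evaluationOrder wins, and only allowedAttributes leave the server. Host names and ports are constructed stand-ins for the bracketed placeholders; the GUID value is the handbook's own UDCIdentifier example.

```python
"""Simplified model of the CAS 3.x in-memory service registry configured
above. Added example, not Ellucian's or Jasig's code. Host names below
are constructed placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(order=True)
class RegisteredService:
    evaluation_order: int                       # only this field takes part in ordering
    service_id: str = field(compare=False)      # Ant-style URL pattern (serviceId)
    name: str = field(compare=False)
    allowed_attributes: List[str] = field(compare=False, default_factory=list)


def ant_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the Ant-style wildcards CAS 3.x accepts in serviceId
    (** = any characters including '/', * = anything within one path
    segment, ? = one character) into an anchored, case-insensitive regex.
    Every other character is matched literally."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def find_service(registry: List[RegisteredService], service_url: str) -> Optional[RegisteredService]:
    """Return the matching service with the lowest evaluationOrder, or None
    when the URL presented in the CAS 'service' parameter is not registered
    (in which case CAS refuses to issue a ticket for it)."""
    for svc in sorted(registry):
        if ant_pattern_to_regex(svc.service_id).match(service_url):
            return svc
    return None


def release_attributes(svc: RegisteredService, principal: Dict[str, str]) -> Dict[str, str]:
    """Filter the resolved principal attributes to the service's
    allowedAttributes; this is what /samlValidate would carry for it."""
    return {k: v for k, v in principal.items() if k in svc.allowed_attributes}


# Registry mirroring the two beans in deployerConfigContext.xml
# (hosts and ports constructed for this example).
REGISTRY = [
    RegisteredService(10000001, "https://cas.example.edu:8443/cas/services/**",
                      "CAS Managed Services", ["uid"]),
    RegisteredService(10000002, "http://ssomanager.example.edu:8080/ssomanager/c/**",
                      "SSO Manager", ["UDC_IDENTIFIER"]),
]

# Attributes as produced by the LdapPersonAttributeDao mapping above
# (cn -> UDC_IDENTIFIER, uid -> uid); the GUID is the handbook's example value.
PRINCIPAL = {"uid": "jdoe", "UDC_IDENTIFIER": "36BE6D6D18560C44E0440003BA33B440"}


def attributes_for(service_url: str) -> Optional[Dict[str, str]]:
    """End to end: which attributes would this CAS release to the given service URL?"""
    svc = find_service(REGISTRY, service_url)
    return None if svc is None else release_attributes(svc, PRINCIPAL)


if __name__ == "__main__":
    for url in ("http://ssomanager.example.edu:8080/ssomanager/c/SSB",
                "https://cas.example.edu:8443/cas/services/manage.html",
                "https://unregistered.example.net/ssomanager/c/SSB"):
        print(url, "->", attributes_for(url))
```

Note that the SSO Manager pattern above is http, exactly as the bean shows; with that registration a browser presents the UDCIdentifier-bearing service ticket over cleartext, so register the https URL of the SSO Manager wherever it is available.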
Note: For bean id="dataSource", modify the URL, user name, and
password to reflect your environment. The user name and password must
be a valid Oracle user name and password. You can use the ssomgr
Oracle account that was created to store CAS managed services
information.
Note: Use this step only if you are using a JPA-based session and service
registry. Skip this step if you are using an in-memory data store to store
session and service registry data.
1. Open <PROJECT_WEBROOT>/WEB-INF/spring-configuration/
ticketRegistry.xml.
casLoginView.jsp
casLogoutView.jsp
Note: Future product upgrades will overwrite the edits. You can use the
backup to reset the changes.
Another way to customize the style sheet and images is to create a new theme in the
<PROJECT_WEBROOT>/themes directory. Once you create a new theme, you must
edit the CAS service to use the new theme rather than the default theme. The new theme
is not overwritten during a product upgrade. Refer to "Custom-themed login pages" in the
Luminis Platform Multi-Entity Processing Implementation Guide for details.
2. Locate cas.war.
Note: Use this step only if you are using a JPA-based session and service
registry. Skip this step if you are using an in-memory data store to store
session and service registry data.
Note: Skip this step if this CAS service was previously configured.
The CAS server needs to know which application URLs must be protected for SSO. This
is accomplished by configuring a CAS service for each application in your CAS
environment. Application-specific instructions are provided in individual chapters of this
handbook.
You must also configure a CAS service to protect the CAS service URL itself. This CAS
service applies to all applications in your CAS environment. Use the following steps to
configure this CAS service.
1. Access the CAS server management page:
https://<CAS host>:<CAS port>/<CAS context path>/services/manage.html
2. Log in with a valid administrator user name and password (obtained from the CAS
administrator).
3. Select the Add New Service tab.
4. Enter the following values:
If you have a supported version of CAS, refer to “Configuring Banner for CAS” on page 29
for instructions to configure Banner for the existing CAS server.
If you do not have a supported version of CAS, refer to “Installing a new CAS server from
the Jasig distribution” on page 17 for instructions to install and configure a supported
version of the CAS server.
This chapter describes the configuration of Banner® to support single sign on (SSO) via
Central Authentication Service (CAS). Instructions are provided for configuring the
following Banner products:
The SSO Manager relies on CAS to authenticate a user and assert the user’s identity. This
protects the SSB access URLs that are exposed by the SSO Manager. Once CAS
authenticates a user, the SSO Manager collaborates with Banner Web Tailor to allow the
user to access SSB.
Supporting components
The following components support SSO for SSB:
Component: CAS
CAS is the central access manager for SSO. CAS attribute assertion features facilitate SSO. A CAS validation service (/samlValidate) retrieves the attributes that identify the user.
Component: SSO Manager
The SSO Manager, a component of BEIS, acts as the SSO gateway for SSB, facilitating the following processes when starting an SSO session:
• Retrieval of the user’s unique identifier (UDCIdentifier) from the central identity vault via /samlValidate
• Proxy of SSO requests in an SSO environment that is administered by BEIS
Refer to the Banner Enterprise Identity Services Installation Guide for instructions on installing the SSO Manager. You can install the SSO Manager with or without other BEIS components.
Component: Banner Web Tailor
Banner Web Tailor accepts the identity assertion from the SSO Manager, determines the user based on the assertion, and creates an SSB session for the user.
Processing flow
The following processing occurs when SSB is accessed in an SSO session:
Configuration steps
Use the following steps to configure SSB for CAS:
• Step 1 - Configure Banner Web Tailor to use the SSO Manager with SSB
• Step 2 - Configure the SSO Manager for SSB
Step 1 - Configure Banner Web Tailor to use the SSO Manager with SSB
Use the following steps to edit the Banner Web Tailor parameters that are used by the
SSO Manager.
1. Enter the Secure Area of Self-Service Banner.
2. Navigate to Web Tailor Administration.
3. From the Web Tailor Menu, select Web Tailor Parameters.
4. For each of the following parameters, click the parameter name, enter the parameter
value, and click Submit Changes.
Parameter Description
4. Click Save.
5. Select the SSB Configuration tab.
SSB URL: Default URL where users are redirected when they request the protected SSB URL. This is normally the SSB main menu page:
http(s)://<host>:<port>/<dad-name>/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu
SSB Deep Linking: Check box that indicates whether deep-linking is supported:
Base URL: Base URL for accessing SSB. This URL is used to construct the full URL when the SSO Manager requests a deep-linked page.
http(s)://<host>:<port>/<dad-name>
The base URL does not identify a specific SSB page. Refer to “Deep-linking to SSB pages” on page 39 for more details about deep-linking.
Cookie Name: Name of the cookie that asserts the user’s identity (UDCIdentifier) to SSB. The value of this parameter must equal the value of the IDMCOOKIE parameter that is defined in Banner Web Tailor. The suggested value is IDMSESSID.
7. Click Save.
Note: A server restart is not required for these entries to take effect.
Note: Skip this step if a CAS service was previously configured for the
SSO Manager.
The CAS server needs to know that the SSO Manager URL is protected for SSO. This is
accomplished by configuring a CAS service for the SSO Manager. Both INB and SSB
need this CAS service. Use the following steps to configure the CAS service that protects
the SSO Manager.
1. Access the CAS server management page:
https://<CAS host>:<CAS port>/<CAS context path>/services/manage.html
2. Log in with a valid administrator user name and password (obtained from the CAS
administrator).
5. Click Save Changes. The CAS server is now protecting the SSO Manager URL.
The default SSB URL is defined on the SSB Configuration page within the SSO Manager
administrative interface. The browser is redirected to this default URL whenever a user
requests the SSB URL that is exposed by the SSO Manager.
Example:
The SSO Manager is configured to access the protected SSB main menu whenever
SSB is requested. In a CAS-based environment, the following URL is used to access
SSB:
http://<host>:<port>/ssomanager/c/SSB
Once the user is successfully authenticated, SSO Manager redirects the user to the
Self-Service Banner main menu:
http(s)://<host>:<port>/<dad-name>/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu
To use this feature, the following parameters must be defined on the Self-Service Banner
Configuration page within the SSO Manager administrative interface:
Base URL: Base URL for accessing SSB. This URL is used to construct the full URL when the SSO Manager requests a deep-linked page:
http(s)://<host>:<port>/<dad-name>
The base URL does not identify a specific SSB page to access.
Example: https://ssbserver.institution.edu:9500/smpl/
URL Parameter Name: Delimiter used to specify a target resource (packaged procedure, function, or URL) to the SSO Manager. The SSO Manager looks for this delimiter in deep-linked URL requests to determine the requested target resource.
The SSO Manager expects deep-link requests to SSB to use the following syntax:
<SSO Manager SSB URL>?<URL parameter name>=<target resource>
When a request for a resource is received, the SSO Manager evaluates the URL, looking
for the delimiter specified as the URL parameter name. One of the following occurs:
• If the delimiter is not found, the SSO Manager redirects the browser to the default SSB
URL.
• If the delimiter is found and the target resource is a URL, the SSO Manager redirects to
the specified URL.
• If the delimiter is found and the target resource is not a URL, the SSO Manager
constructs a redirect URL and redirects the browser to the constructed URL:
<base URL>/<target resource>
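The three rules above, as an added Python model of the SSO Manager's deep-link evaluation (this is example code, not Ellucian's). The default SSB URL, Base URL, host names and the URL Parameter Name value target are constructed; the same-origin check on URL-type targets is an added safeguard the handbook does not describe, since rule 2 as written honours any URL the requester supplies.

```python
"""Model of the SSO Manager SSB deep-link evaluation. Added example, not
Ellucian's code; configuration values are constructed."""
from urllib.parse import parse_qs, urlparse

# Constructed values for the three SSB Configuration parameters.
DEFAULT_SSB_URL = "https://ssbserver.example.edu:9500/smpl/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu"
BASE_URL = "https://ssbserver.example.edu:9500/smpl"
URL_PARAMETER_NAME = "target"        # the delimiter configured as URL Parameter Name


def is_absolute_url(value: str) -> bool:
    """True when the target resource is itself a URL (has scheme and host)."""
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc)


def same_origin(url_a: str, url_b: str) -> bool:
    """Compare scheme and host:port case-insensitively."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def resolve_deep_link(request_url: str,
                      default_ssb_url: str = DEFAULT_SSB_URL,
                      base_url: str = BASE_URL,
                      param_name: str = URL_PARAMETER_NAME) -> str:
    """Return the URL the SSO Manager redirects the authenticated browser to.

    Rules from the handbook:
      1. delimiter absent                    -> default SSB URL
      2. delimiter present, target is a URL  -> that URL
      3. delimiter present, target not a URL -> <base URL>/<target resource>
    Added safeguard (not in the handbook): rule 2 applies only to targets
    with the same scheme and host as the Base URL; anything else falls
    back to the default SSB URL instead of redirecting off-site.
    """
    query = parse_qs(urlparse(request_url).query, keep_blank_values=True)
    targets = query.get(param_name)
    if not targets or not targets[0]:
        return default_ssb_url                              # rule 1
    target = targets[0]
    if is_absolute_url(target):
        if same_origin(target, base_url):                   # added check
            return target                                   # rule 2
        return default_ssb_url
    return base_url.rstrip("/") + "/" + target.lstrip("/")  # rule 3


if __name__ == "__main__":
    gateway = "http://beisserver.example.edu:7777/ssomanager/c/SSB"
    for req in (gateway,
                gateway + "?target=twbkwbis.P_GenMenu",
                gateway + "?target=https%3A%2F%2Fother.example.net%2Flogin"):
        print(req, "->", resolve_deep_link(req))
```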
The SSO Manager relies on CAS to authenticate a user and assert the user’s identity. This
protects the INB access URLs that are exposed by the SSO Manager. Once CAS
Supporting components
The following components support SSO for INB:
Component: CAS
CAS is the central access manager for SSO. CAS attribute assertion features facilitate SSO. A CAS validation service (/samlValidate) retrieves the attributes that identify the user.
Component: SSO Manager
The SSO Manager, a component of BEIS, acts as the SSO gateway for INB, facilitating the following processes when starting an SSO session:
• Retrieval of the user’s unique identifier (UDCIdentifier) from the central identity vault via /samlValidate
• Creation of the INB ticket that is used to retrieve the user’s Oracle credentials from the Credential web service
• Exposure of the Credential web service for storing and retrieving application-specific credentials
Refer to the Banner Enterprise Identity Services Installation Guide for instructions on installing the SSO Manager. You can install the SSO Manager with or without other BEIS components.
Component: ssoclient.jar
This file contains Java components that communicate with the Credential web service to obtain a user’s Oracle credentials for logging in to INB.
Component: GOBEACC table
Each user must have a record in the GOBEACC table. This record associates the user’s PIDM with the user’s Oracle ID.
ssoclient.jar:
13. Uses the INB ticket to retrieve user credentials from the Credential web service, which is exposed by the SSO Manager.
Note: The SSO Manager can be configured to automatically generate a password if the Credential web service does not know the user credentials.
14. Logs the user into Oracle Forms and starts the user session.
The INB ticket is never reused. The ticket that the SSO Manager forwards to
ssoclient.jar is destroyed as soon as ssoclient.jar uses it to request
credentials from the Credential web service.
Configuration steps
Use the following steps to configure INB for SSO:
Note: The SSO client is configured when the SSO Manager is installed.
Use the following steps only if you want to reconfigure the SSO client after
installation.
The ssoclient.properties file supports the configuration of the SSO client. This
file is configured when the SSO Manager is installed.
1. Download and extract BEIS_8.2.zip from the Ellucian Download Center. The file
is located in the Banner General product folder.
2. Extract SSOManager_8.2.zip. The extract directory is referred to as
<ZIP_HOME>.
3. Open a command prompt and navigate to <ZIP_HOME>/ant-installer.
4. Execute the following command:
java -jar sso-manager-weblogic-installer.jar
The automated installer is launched. The user interface depends on whether you are
running in a windowing (GUI) or in a non-windowing (command-line) environment.
The remaining instructions are based on using the GUI for configuration.
Configuration options are identical for a command-line interface.
7. Click Next.
SSOManager Port: Managed server port number where the SSO Manager is running
9. Click Next.
10. Enter the SSO Manager user configuration:
The message Install Finished is displayed when the installation is complete. The
ssoclient.jar file is saved in the selected folder.
1. Place ssoclient.jar on your Oracle Forms server in a directory where you have read and execute permissions. This location is referred to as <Banner SSO client directory>.
2. Locate and open the Forms environment file (.env extension). This file is used to set
variables (such as ORACLE_HOME, FORMS_PATH, and CLASSPATH) in the
Oracle Forms runtime environment.
Example:
/u01/app/oracle/middleware/user_projects/domains/ClassicDomain/config/fmwconfig/servers/WLS_FORMS/applications/formsapp_11.1.1/config/SMPL.env
CLASSPATH=/u01/app/oracle/middleware/as_1/forms/j2ee/frmsrv.jar:/<Banner SSO client directory>/ssoclient.jar:/u01/app/oracle/middleware/as_1/jlib/ldapjclnt11.jar:/u01/app/oracle/middleware/as_1/jlib/debugger.jar:/u01/app/oracle/middleware/as_1/jlib/ewt3.jar:/u01/app/oracle/middleware/as_1/jlib/share.jar:/u01/app/oracle/middleware/as_1/jlib/utj.jar:/u01/app/oracle/middleware/as_1/jlib/zrclient.jar:/u01/app/oracle/middleware/as_1/reports/jlib/rwrun.jar:/u01/app/oracle/middleware/as_1/forms/java/frmwebutil.jar:/u01/app/oracle/middleware/as_1/jlib/start_dejvm.jar:/u01/app/oracle/middleware/as_1/opmn/lib/optic.jar:/u01/app/oracle/middleware/as_1/forms/java/frmall.jar::/u01/app/oracle/middleware/as_1/forms/java/auainit-8.5.1.jar
1. Place ssoclient.jar on your Oracle Forms server in a directory where you have read and execute permissions. This location is referred to as <Banner SSO client directory>.
5. Select the default or environment-specific file name from the Show drop-down list.
/u01/app/oracle/middleware/as_1/forms/j2ee/frmsrv.jar:/<Banner SSO client directory>/ssoclient.jar:/<WebLogic Home>/middleware/as_1/jlib/ldapjclnt11.jar:/<WebLogic Home>/middleware/as_1/jlib/debugger.jar:/<WebLogic Home>/middleware/as_1/jlib/ewt3.jar:/<WebLogic Home>/middleware/as_1/jlib/share.jar:/<WebLogic Home>/middleware/as_1/jlib/utj.jar:/<WebLogic Home>/middleware/as_1/jlib/zrclient.jar:/<WebLogic Home>/middleware/as_1/reports/jlib/rwrun.jar:/<WebLogic Home>/middleware/as_1/forms/java/frmwebutil.jar:/<WebLogic Home>/middleware/as_1/jlib/start_dejvm.jar:/<WebLogic Home>/middleware/as_1/opmn/lib/optic.jar
7. Click Apply.
8. In the navigation pane, expand and click Forms > forms.
4. Click Save.
5. Select the INB Configuration tab.
6. Enter the following INB configuration information:
INB URL: Default URL where users are redirected when they request the protected INB URL. This is normally the INB server:
http(s)://<host>:<port>/forms/frmservlet
When a valid SSO request is received, the SSO Manager redirects the user request to this location with the appropriate parameters. This value is referred to as the INB URL.
Example: http(s)://<host>:<port>/forms/frmservlet?config=<forms environment value>
The configuration of this environment is normally specified through an Oracle Forms environment file with a similar name (for example, smpl and smpl.env).
Ticket Parameter Name: Name of the HTTP request parameter that the SSO Manager creates to pass an INB ticket to the Oracle Forms server to perform SSO. This name must match the value configured in the Oracle Forms server (see “Step 2 - Configure the Oracle Forms server for INB SSO” on page 49). The default name is iamticket.
http://<host>:<port>/forms/frmservlet?iamticket=<ticket parameter value>
Password Policy: Method used to create a password if the Credential web service does not know a user’s password:
Store Password: Check box that determines whether INB user passwords are stored for future use.
Note: A server restart is not required for these entries to take effect.
Note: Skip this step if a CAS service was previously configured for the
SSO Manager.
The CAS server needs to know that the SSO Manager URL is protected for SSO. This is
accomplished by configuring a CAS service for the SSO Manager. Both INB and SSB
need this CAS service. Use the following steps to configure the CAS service that protects
the SSO Manager.
1. Access the CAS server management page:
https://<CAS host>:<CAS port>/<CAS context path>/services/manage.html
2. Log in with a valid administrator user name and password (obtained from the CAS
administrator).
3. Select the Add New Service tab.
5. Click Save Changes. The CAS server is now protecting the SSO Manager URL.
The SSO Manager expects deep-link requests to INB to use the following syntax:
<SSO Manager INB URL>?otherParams=launch_form=<target form>
Oracle Forms does not require any configuration changes to accept this parameter.
Example:
http://beisserver.institution.edu:7777/ssomanager/c/INB?otherParams=launch_form=AFACAMP&BAN_ARGS=CAMPAIGN::XCELL
If the requested form is not found, the Banner menu page is displayed.
The INB ssoclient.jar file places an additional load on the in-process, private JVM.
Over time, as the number of INB sessions increases, swap space utilization also
increases.
Oracle Forms services offer JVM pooling to help manage swap space utilization. JVM
pooling allows multiple frmweb processes to share a pool of JVM resources. This reduces
the need for each process to continue growing its private JVM heap allocation.
Use the following steps to configure JVM pooling for INB single sign on:
Note: The SSO client is configured when the SSO Manager is installed.
Use the following steps only if you want to reconfigure the SSO client after
installation.
The ssoclient.jar file contains the Java components that communicate with the
Credential web service to obtain the user credentials needed to access INB. The
ssoclient.jar file uses Oracle Forms Java integration to allow Java classes to
execute from the Oracle Forms server.
The ssoclient.properties file supports the configuration of the SSO client. This
file is configured when the SSO Manager is installed.
1. Download and extract BEIS_8.2.zip from the Ellucian Download Center. The file
is located in the Banner General product folder.
2. Extract SSOManager_8.2.zip. The extract directory is referred to as
<ZIP_HOME>.
3. Open a command prompt and navigate to <ZIP_HOME>/ant-installer.
4. Execute the following command:
java -jar sso-manager-weblogic-installer.jar
The automated installer is launched. The user interface depends on whether you are
running in a windowing (GUI) or non-windowing (command-line) environment. The
remaining instructions are based on using the GUI for configuration. Configuration
options are identical for a command-line interface.
5. Click Next.
7. Click Next.
8. Enter the following SSO Manager information:
SSOManager Port Managed server port number where the SSO Manager is
running
9. Click Next.
The message Install Finished is displayed when the installation is complete. The
ssoclient.jar file is saved in the selected folder.
CLASSPATH=/u01/app/oracle/middleware/as_1/forms/j2ee/frmsrv.jar:<Banner SSO client directory>/ssoclient.jar:/u01/app/oracle/middleware/as_1/jlib/ldapjclnt11.jar:/u01/app/oracle/middleware/as_1/jlib/debugger.jar:/u01/app/oracle/middleware/as_1/jlib/ewt3.jar:/u01/app/oracle/middleware/as_1/jlib/share.jar:/u01/app/oracle/middleware/as_1/jlib/utj.jar:/u01/app/oracle/middleware/as_1/jlib/zrclient.jar:/u01/app/oracle/middleware/as_1/reports/jlib/rwrun.jar:/u01/app/oracle/middleware/as_1/forms/java/frmwebutil.jar:/u01/app/oracle/middleware/as_1/jlib/start_dejvm.jar:/u01/app/oracle/middleware/as_1/opmn/lib/optic.jar:/u01/app/oracle/middleware/as_1/forms/java/frmall.jar:/u01/app/oracle/middleware/as_1/forms/java/auainit-8.5.1.jar
4. Click Create.
6. Click Create.
7. Click Apply.
9. Click Add.
Name      classpath
Value     Full path to ssoclient.jar (example: /home/oracle/ssoclient/ssoclient.jar)
Comments  Full path to ssoclient.jar

Name      maxsessions
Value     50 (number of concurrent Forms sessions that can connect to the JVM Controller before a new JVM process is spawned)

Name      jvmoptions
Value     -Xms512m -Xmx1024m
These are examples. Tune the values based on your environmental requirements.

Name      jvmcontroller
Value     INBSSOController
Comments  jvmcontroller for the named section of formsweb.cfg
5. Click Create.
6. Click Add.
7. Enter the following information:
Name allowJVMControllerAutoStart
Value true
1. Navigate to $ORACLE_HOME/../asinst_1/config/FormsComponent/forms/server/basejpi.htm.
2. Add JVM Controller references to the following two sections:
• <PARAM NAME="serverArgs" VALUE="%escapeParams%
module=%form% userid=%userid% debug=%debug% host=%host%
port=%port% %otherParams% jvmcontroller=%jvmcontroller%
%wfargs%">
• serverArgs="%escapeParams% module=%form% userid=%userid%
debug=%debug% host=%host% port=%port% %otherparams%
jvmcontroller=%jvmcontroller% %wfargs%"
3. Click Shutdown.
3. Select INBSSOController.
Supporting components
The following components support SSO for Banner 9.x applications:
Component                 Description
CAS                       CAS is the central access manager for SSO. CAS attribute assertion features facilitate SSO. A CAS validation service (/samlValidate) retrieves the attributes that identify the user.
Banner 9.x applications   Banner 9.x applications (for example, Student Course Catalog) include a common authentication provider that supports CAS authentication.
Processing flow
The following processing occurs when a Banner 9.x application is the first application
accessed in an SSO session:
Banner 9.x application   11. Makes sure the UDCIdentifier matches a person in Banner.
                         12. Grants access to the Banner 9.x application.
The following processing occurs when a Banner 9.x application is accessed in a session
where SSO was previously established:
Configuration steps
Use the following steps to configure a Banner 9.x application for CAS:
Before:
banner {
    sso {
        authenticationProvider = 'default' // Valid values are: 'default', 'cas'
    }
}
After:
banner {
    sso {
        authenticationProvider = 'cas' // Valid values are: 'default', 'cas'
        authenticationAssertionAttribute = 'UDC_IDENTIFIER'
    }
}
Parameter            Description
serviceUrl           Banner 9.x application URL. Each Banner 9.x application has its own URL.
filterProcessesUrl   URL that the filter intercepts for login (for example, /j_spring_cas_security_check).
afterLogoutUrl       CAS logout and redirection URLs, respectively. This parameter is enforced if useSingleSignout is true.
Example:
grails {
    plugins {
        springsecurity {
            cas {
                serverUrlPrefix = 'https://mycas.school.edu:8443/cas'
                serviceUrl = 'http://myXE.school.edu:8081/StudentCourseCatalog/j_spring_cas_security_check'
                serverName = 'http://myXE.school.edu:8081'
                proxyCallbackUrl = 'http://myXE.school.edu:8081/StudentCourseCatalog/secure/receptor'
                loginUri = '/login'
                sendRenew = false
                proxyReceptorUrl = '/secure/receptor'
                useSingleSignout = true
                key = 'grails-spring-security-cas'
                artifactParameter = 'ticket'
            }
            logout {
                afterLogoutUrl = 'https://mycas.school.edu:8443/cas/logout?url=http://myXE.school.edu:9010/reg_systest/index.html'
            }
        }
    }
}
The example registers an http serviceUrl for readability. CAS returns the service ticket to serviceUrl as a query parameter, so in production serviceUrl, serverName and proxyCallbackUrl should be https URLs.
3. Save the changes and close the file.
Note: You can optionally locate the configuration file on an external file
system. Refer to “Step 4 - Externalize the SSO configuration (optional)”
on page 83 for details. An external file system can be used for test and
development environments, but should not be used for a production
environment.
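The following Python script is an added example; it is not part of this handbook or of the Banner authentication provider. It shows what a CAS client such as the Banner 9.x provider (and, in later chapters, the BDM and Banner Workflow integrations that read the external ID from the same /samlValidate service) does with the configuration above: it sends an unauthenticated browser to <serverUrlPrefix>/login with the service parameter, POSTs the returned ticket to /samlValidate, and checks the response before trusting the UDC_IDENTIFIER attribute. The server and service URLs are taken from the example configuration, the SAML response is a constructed sample rather than real CAS output, and the function names are the author's own.

```python
# Added example, not from the handbook: the client side of the CAS
# /samlValidate exchange. URLs and the sample response are constructed.
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
CAS_SERVER = "https://mycas.school.edu:8443/cas"            # serverUrlPrefix
SERVICE_URL = ("http://myXE.school.edu:8081/StudentCourseCatalog/"
               "j_spring_cas_security_check")                # serviceUrl


def login_redirect_url(server_url_prefix, service_url, renew=False):
    """Where the filter sends a browser that has no session yet."""
    params = {"service": service_url}
    if renew:                       # sendRenew = true forces re-authentication
        params["renew"] = "true"
    return f"{server_url_prefix}/login?{urlencode(params)}"


def saml_validate_request(ticket, request_id, issue_instant):
    """SAML 1.1 Request body POSTed to <prefix>/samlValidate?TARGET=<serviceUrl>."""
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        "<SOAP-ENV:Header/><SOAP-ENV:Body>"
        '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
        f'MajorVersion="1" MinorVersion="1" RequestID="{request_id}" '
        f'IssueInstant="{issue_instant}">'
        f"<samlp:AssertionArtifact>{ticket}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def parse_ts(value):
    """CAS writes UTC timestamps with or without a millisecond part."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)


def validate_saml_response(xml_text, service_url, attribute_name, now):
    """Return (CAS user name, attribute value) or raise ValueError.

    Requires a Success status, `now` inside the assertion's validity window,
    and an Audience equal to this service: a ticket issued for another
    registered service must not log anyone in here.
    """
    root = ET.fromstring(xml_text)
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("ticket validation failed")
    assertion = root.find(".//saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if service_url not in audiences:
        raise ValueError("assertion was not issued for this service")
    user = assertion.find(
        ".//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS).text
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    values = attrs.get(attribute_name, [])
    if len(values) != 1 or not values[0]:
        raise ValueError(f"expected exactly one {attribute_name} value")
    return user, values[0]


def accepts(xml_text, service_url, attribute_name, now):
    """True only when the response passes every check (fail closed)."""
    try:
        validate_saml_response(xml_text, service_url, attribute_name, now)
        return True
    except ValueError:
        return False


# Constructed sample of what CAS returns for a valid ticket (not real data).
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS['soap']}"><SOAP-ENV:Body>
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" MajorVersion="1"
 MinorVersion="1" ResponseID="_r1" IssueInstant="2014-06-02T14:00:00.000Z"
 Recipient="{SERVICE_URL}">
<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
<saml:Assertion AssertionID="_a1" Issuer="mycas.school.edu" MajorVersion="1"
 MinorVersion="1" IssueInstant="2014-06-02T14:00:00.000Z">
<saml:Conditions NotBefore="2014-06-02T14:00:00.000Z" NotOnOrAfter="2014-06-02T14:00:30.000Z">
<saml:AudienceRestrictionCondition><saml:Audience>{SERVICE_URL}</saml:Audience>
</saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="UDC_IDENTIFIER" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml:AttributeValue>A1B2C3D4E5F60718293A4B5C6D7E8F90</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationInstant="2014-06-02T13:59:58.000Z"
 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement></saml:Assertion></samlp:Response>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(login_redirect_url(CAS_SERVER, SERVICE_URL))
    print(validate_saml_response(SAMPLE_RESPONSE, SERVICE_URL, "UDC_IDENTIFIER",
                                 parse_ts("2014-06-02T14:00:10Z")))
```

CAS itself compares the TARGET parameter with the service the ticket was issued for, but the client should still compare the assertion's Audience with its own serviceUrl rather than rely on that alone; a response that passes every check is trusted only because it arrived over the TLS connection to serverUrlPrefix, which is why the certificate of the CAS server must be in the JDK trust store of every application server that validates tickets.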
Note: For Unix, make sure the ant file is executable (chmod +x ant).
If the SSO configuration file is located on an external file system, you must use the
following instructions to override the configuration in the .war file. Instructions are provided
for Tomcat and Oracle WebLogic.
Tomcat
Use the following steps to override the configuration in the .war file.
1. Set system properties to point to the external configuration file.
Example:
To point to a configuration file residing in the PRODUCT_HOME directory:
export JAVA_OPTS="-DBANNER_APP_CONFIG=/PRODUCT_HOME/shared_configuration/banner_configuration.groovy -DSTUDENT_COURSE_CATALOG_CONFIG=/PRODUCT_HOME/catalog_home/current/instance/config/StudentCourseCatalog_configuration.groovy"
2. Restart Tomcat.
Oracle WebLogic
Use the following steps to override the configuration in the .war file.
1. Connect to the Oracle WebLogic server administration console:
http://<host>:<port>/console
2. In the Change Center pane, click Lock & Edit.
3. In the Domain Configuration section, click Servers.
4. On the Summary of Servers page, click the name of the managed server where the
Banner 9.x application is deployed.
5. On the Settings page, select the Server Start tab.
6. In the Arguments field, enter the following:
-D<Banner 9.x application name>_CONFIG=<full file path to <Banner 9.x application name>_configuration.groovy>
Example:
-DSTUDENT_COURSE_CATALOG_CONFIG=<full file path to StudentCourseCatalog_configuration.groovy>
7. Click Save.
8. In the Change Center pane, click Activate Changes.
9. Restart the Banner 9.x managed server.
Note: If you are redeploying a Banner 9.x application, you must undeploy
the original version before you deploy the new version.
Tomcat
The systool module (built in Step 3 - Create a .war file) can be used to deploy the Banner
9.x application .war file to a Tomcat server. This target supports the deployment of the
dist/ .war file using the Tomcat Manager.
Alternatively, the .war file can be deployed to the Tomcat server by copying the .war file to
the Tomcat webapps directory. Hence, use of this target is not critical.
Use the following steps to deploy the Banner 9.x application to a Tomcat server.
1. Navigate to the <product home>\current\installer directory.
Examples:
Unix $ bin/systool deploy-tomcat
Windows > bin\systool deploy-tomcat
2. When prompted, enter the URL of the Tomcat Manager.
Example: http://localhost:8080/manager
3. When prompted, enter a valid Tomcat user name and password.
This user must have the manager-gui role that is used to deploy applications to the
Tomcat server. The password is not persisted.
For Tomcat 6.x, you must configure at least one user name/password combination in your Tomcat user database <TOMCAT_HOME>\conf\tomcat-users.xml with the manager role.
Example: <user username="tomcat" password="tomcat" roles="manager-gui,manager"/>
The user name and password in this example are placeholders. Use a strong password, because any account that holds this role can deploy arbitrary code to the server.
Note: Roles in the Tomcat server changed between Tomcat 6.x interim
releases. Refer to Tomcat documentation for your specific release for
information on enabling the appropriate role that allows a user account to
deploy an application.
Oracle WebLogic
Use the following steps to deploy the Banner 9.x application to an Oracle WebLogic
server.
1. Connect to the Oracle WebLogic Server administration console:
http://<host>:<port>/console
2. In the Change Center pane, click Lock & Edit.
3. In the Domain Structure pane, click Deployments.
4. On the Summary of Deployments page, click Install.
5. On the Install Application Assistant page, click upload your file(s).
6. Select the file to be uploaded as follows:
6.1. In the Deployment Archive field, click Browse.
6.2. Navigate to the .war file for the application.
6.3. Select the file and click Open.
7. Click Next.
8. Select the application .war file from the list at the bottom of the page.
9. Click Next.
10. Select Install this deployment as an application.
11. Click Next.
12. Select the server where the application should be deployed.
13. Click Next.
14. Click Finish to start the deployment. When deployment is completed, the Summary of
Deployments page is redisplayed with the newly deployed application.
15. In the Change Center pane, click Activate Changes.
16. On the Summary of Deployments page, start the newly deployed application as
follows:
16.1. Select the newly deployed application.
16.2. Click Start > Servicing all requests.
16.3. Click Yes to start the application.
17. Access the Banner 9.x application:
http://<Banner 9.x host>:<port>/<Banner 9.x application name>/banner.zul?page=<main_page>
5. Click Save Changes. The CAS server is now protecting the URL of the Banner 9.x
application.
SSO via CAS uses the CAS /samlValidate service to retrieve and validate user identities. If
your institution uses the /bannerValidate service instead of the /samlValidate service, refer
to the Banner Document Management 8.4 Installation Guide with ApplicationXtender 6.5
Patch 1 for SSO configuration details.
• When SSO via CAS is enabled, password synchronization from Internet-Native Banner
(INB) to ApplicationXtender Web Access .NET is disabled automatically.
• If the user preference setting on the User Preference (EXAUPRF) form enables ApplicationXtender Document Manager instead of ApplicationXtender Web Access .NET, password synchronization still occurs from INB to ApplicationXtender Document Manager.
Prerequisites
• ApplicationXtender 6.5 SP2 or higher is required.
• BDM 8.0 or higher is required. In addition, one of the following patches is required to
provide support for the CAS /samlValidate service. The required patch depends on your
version of ApplicationXtender:
CAS Single Sign On Handbook | Configuring Banner Document Management for CAS 89
BDM patch ... Is required for ...
• BDM is integrated with Internet-Native Banner (INB) and Self-Service Banner (SSB).
SSO with INB and SSB requires the SSO Manager, a component of Banner Enterprise
Identity Services (BEIS). Refer to “SSB configuration for CAS” on page 29 and “INB
configuration for CAS” on page 41 for details on configuring the SSO Manager.
Processing flow
The following processing occurs when ApplicationXtender Web Access .NET is accessed
in an SSO session:
Configuration steps
Use the following steps to configure BDM for CAS:
-or-
5.3. Execute the following command:
start install.bat
A message is displayed as each command in the install.bat file is
completed.
Note: If you want to uninstall SSO support at a later time, you must
manually remove the code that you add to Login.aspx or restore the
backup version of Login.aspx.
2. Back up Login.aspx.
4. Copy and paste the following code at the end of the file, between the </form> tag
and the </body> tag. This code calls BDM SSO logic.
<script runat="server">
protected override void Page_Load(object sender, EventArgs e)
{
new bdms.idm.sso.LoginHelper().PageLoadHelper();
base.Page_Load(sender,e);
}
</script>
3. Modify the CASLoginUrl by entering the login URL of the CAS server.
Example
<CASLoginUrl>
https://<host>:<port>/cas/login
</CASLoginUrl>
4. Restart Internet Information Services (IIS).
Step 4 - Configure integration between Banner and ApplicationXtender
Web Access .NET
Use the following steps to set up SSO from Banner to ApplicationXtender Web Access
.NET.
1. Access the BDM System Settings (EXAINST) form in Internet-Native Banner.
2. Change the value of ApplicationXtender WebXtender Root to http://<host>/appxtender/ISubmitQuery.aspx?sso=true
3. Save the record.
5. Click Save Changes. The CAS server is now protecting ApplicationXtender Web
Access .NET.
Once SSO is configured, the following URL can be used to log in to ApplicationXtender
Web Access .NET through SSO:
http://<ApplicationXtender Web Access server>/AppXtender/Login.aspx?sso=true
Step 6 - Map UDCIdentifiers to ApplicationXtender IDs (optional)
If BEIS account provisioning is deployed, you can skip this step.
If BEIS account provisioning is not deployed, you must use this step to map
UDCIdentifiers to ApplicationXtender user names. This mapping involves the following
Banner tables:
• GOBUMAP. This table stores a person’s GUID in the GOBUMAP_UDC_ID column. This
column is VARCHAR2(225) and is designed to store the UDCIdentifier. Any unique
identifier for a person can be stored in this column.
Run eieobumap.sql to initialize the EOBUMAP table with seed data from the
GOBUMAP and GOBTPAC tables.
• Three URL links, contained in BDM, can be used to open a document, search for
documents, or upload a document.
• The Custom Activity Designer, contained in Banner Workflow, can be used to create custom activities. A custom activity can include simple HTML tags such as <a href> for URL links that use workflow context parameters.
• Business event parameters are delivered as part of the integration between BDM and
Banner Workflow.
The following sections provide details about the BDM integration URLs that can be used in
custom Banner Workflow activities.
For SSO to work, a Banner Workflow user must have the proper privileges to access
BDM. Refer to the Banner Document Management Administration Guide for information
on creating user accounts for your Banner Workflow users.
Note: The functions that are called to open, search for, or upload
documents are provided within ApplicationXtender. ApplicationXtender
Web Access is the preferred product for using the BDM integration with
Banner Workflow.
URL format
The URL must contain parameters in the following format:
http://<server>/AppXtender/<function>.aspx?sso=true&DataSource=<datasource parameter>
Parameters are defined as follows:
Parameter Description
URL examples
The following examples show URLs that are used to open a document, search for
documents, and upload a document in ApplicationXtender Web Access. Documents are
stored on the INSTSRV1 server. The BXS.B-S-ADMIN.I (insert student admissions)
business event is used in these examples. Parameters for the business event have the
following values:
Parameter                    Value
BXS.ADMISSIONS_REQUIREMENT   CLT1
BXS.APPNAME                  B-S-ADMN
BXS.DATASOURCE               TESTDB01
BXS.DOCID                    1302
BXS.ID                       AABBCCDD1
BXS.TERM_CODE                201320
BXS.APPLICATION_NUMBER       1
Parameter Description
Example
http://INSTSRV1/AppXtender/IDocument.aspx?sso=true&DataSource=TESTDB01&Docid=1302&appname=B-S-ADMN
URL that searches for documents
When you search for documents in ApplicationXtender Web Access, the number of
parameters in the URL determines the granularity of the query. When multiple documents
meet the query criteria, ApplicationXtender Web Access displays a list of matching
documents.
The URL that searches for documents has the following format:
http://<server>/AppXtender/ISubmitQuery.aspx?sso=true&DSN=<BXS.DATASOURCE>&appname=<BXS.APPNAME>&ID=<BXS.ID>
Parameter Description
Example 1
http://INSTSRV1/AppXtender/ISubmitQuery.aspx?sso=true&DSN=TESTDB01&appname=B-S-ADMN&ID=AABBCCDD1
The appname and ID parameters are passed. The URL retrieves a single document
or a list of documents, depending on how many documents are indexed in the B-S-
ADMN application for the ID.
Example 2
http://INSTSRV1/AppXtender/ISubmitQuery.aspx?sso=true&DSN=TESTDB01&appname=B-S-ADMN&ID=AABBCCDD1&APPLICATION NUMBER=1&TERM CODE=200820
The appname, ID, APPLICATION NUMBER, and TERM CODE parameters are
passed. The URL retrieves a single document or a list of documents for the ID,
depending on how many documents are indexed in the B-S-ADMN application for the
ID, application, and term code.
Parameter Description
Parameter Description
Example
http://INSTSRV1/AppXtender/IDocImport.aspx?sso=true&DataSource=TESTDB01&appname=B-S-ADMN&ID=AABBCCDD1&APPLICATION_NUMBER=1&TERM CODE=200820&ADMISSIONS_REQUIREMENT=CLT1
Several parameters are passed with the appname parameter. The more parameters that are passed, the less lookup is needed when the document is indexed in BDM.
Refer to the "Banner Workflow Integration" chapter in the Banner Document Management
Administration Guide for details on the following tasks:
Example 1
<a href="http://INSTSRV1/AppXtender/IDocument.aspx?
sso=true&DataSource=@BXS_DATASOURCE&Docid=@BXS_DOCID
&appname=@BXS_APPNAME" target="new">View the Document</a>
This Text attribute creates the View the Document link in the custom activity. The link
opens a new window with the document that created the initial event.
Example 2
<a href="http://INSTSRV1/AppXtender/ISubmitQuery.aspx?
sso=true&DSN=@BXS_DATASOURCE&appname=@BXS_APPNAME
&ID=@BXS_ID" target="new">Query Documents</a>
This Text attribute creates the Query Documents link in the custom activity. The link
opens a new window with the ID’s documents in the specified application.
Example 3
<a href="http://INSTSRV1/AppXtender/IDocImport.aspx?
sso=true&DataSource=@BXS_DATASOURCE&appname=@BXS_APPNAME
&ID=@BXS_ID" target="new">Upload a Document</a>
This Text attribute creates the Upload a Document link in the custom activity. The link
opens a new window with the BDM page that is used to upload a document. The
person’s ID is displayed. You can optionally include the APPLICATION NUMBER,
TERM CODE, and ADMISSIONS REQUIREMENT parameters.
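The following Python script is an added example; it is not part of this handbook, of BDM, or of Banner Workflow. It generates the three ApplicationXtender Web Access URLs from the business-event parameters listed above and fills the @BXS_ placeholders of a Custom Activity Designer Text attribute, percent-encoding every value and HTML-escaping the result so that a value taken from the workflow context cannot add query parameters or break out of the href attribute. INSTSRV1 and the parameter values are the ones used in the handbook's examples. The index field names that contain spaces (APPLICATION NUMBER, TERM CODE, ADMISSIONS REQUIREMENT) follow the handbook's prose and are assumed to match the field names defined in your ApplicationXtender application; the function names are the author's own.

```python
# Added example, not from the handbook: build the BDM integration URLs and
# fill custom-activity link templates safely. Server name, event values and
# index field names are taken from the handbook's examples, not real data.
import re
from html import escape
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AX_SERVER = "INSTSRV1"

# Function page and the name each page uses for the data-source parameter
# (the handbook's examples use DataSource for open/upload but DSN for search).
FUNCTIONS = {
    "open":   ("IDocument.aspx",    "DataSource"),
    "search": ("ISubmitQuery.aspx", "DSN"),
    "upload": ("IDocImport.aspx",   "DataSource"),
}


def bdm_url(function, datasource, appname, fields=None, server=AX_SERVER):
    """URL for one of the three BDM integration functions.

    `fields` maps ApplicationXtender index field names (which may contain
    spaces, e.g. "TERM CODE") to values. Everything is percent-encoded, so a
    value containing '&' or '=' cannot smuggle in an extra parameter.
    """
    page, ds_param = FUNCTIONS[function]
    params = {"sso": "true", ds_param: datasource, "appname": appname}
    params.update(fields or {})
    return f"http://{server}/AppXtender/{page}?" + urlencode(params, quote_via=quote)


def event_urls(event):
    """Open / search / upload URLs for one BXS.B-S-ADMIN.I business event.

    `event` is keyed as in the handbook's parameter table (BXS.DATASOURCE,
    BXS.APPNAME, ...). Extra index fields narrow a search and pre-fill the
    upload index form, so fewer lookups are needed when the document is indexed.
    """
    ds, app = event["BXS.DATASOURCE"], event["BXS.APPNAME"]
    index = {
        "ID": event["BXS.ID"],
        "APPLICATION NUMBER": event["BXS.APPLICATION_NUMBER"],
        "TERM CODE": event["BXS.TERM_CODE"],
        "ADMISSIONS REQUIREMENT": event["BXS.ADMISSIONS_REQUIREMENT"],
    }
    return {
        "open": bdm_url("open", ds, app, {"Docid": event["BXS.DOCID"]}),
        "search": bdm_url("search", ds, app, {"ID": event["BXS.ID"]}),
        "upload": bdm_url("upload", ds, app, index),
    }


PLACEHOLDER = re.compile(r"@(BXS_[A-Z_]+)")


def render_activity_link(template, context):
    """Fill @BXS_* placeholders in a Custom Activity Designer Text attribute.

    Each value is percent-encoded (it lands in a query string) and then
    HTML-escaped (the query string sits inside an href attribute), so a
    crafted workflow value cannot add parameters or close the attribute.
    An unknown placeholder raises instead of being left in the link.
    """
    def fill(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"workflow context has no {key}")
        return escape(quote(str(context[key]), safe=""), quote=True)
    return PLACEHOLDER.sub(fill, template)


def query_params(url):
    """Decoded query parameters of a generated URL, for checking the result."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed event parameters, copied from the handbook's table.
SAMPLE_EVENT = {
    "BXS.ADMISSIONS_REQUIREMENT": "CLT1", "BXS.APPNAME": "B-S-ADMN",
    "BXS.DATASOURCE": "TESTDB01", "BXS.DOCID": "1302", "BXS.ID": "AABBCCDD1",
    "BXS.TERM_CODE": "201320", "BXS.APPLICATION_NUMBER": "1",
}
# The handbook's Example 1 template for a "View the Document" link.
VIEW_TEMPLATE = ('<a href="http://INSTSRV1/AppXtender/IDocument.aspx?sso=true'
                 '&DataSource=@BXS_DATASOURCE&Docid=@BXS_DOCID&appname=@BXS_APPNAME"'
                 ' target="new">View the Document</a>')

if __name__ == "__main__":
    for name, url in event_urls(SAMPLE_EVENT).items():
        print(f"{name:7} {url}")
    ctx = {k.replace(".", "_"): v for k, v in SAMPLE_EVENT.items()}
    print(render_activity_link(VIEW_TEMPLATE, ctx))
```

The handbook's examples write field names with bare spaces; a browser repairs that when the URL is typed into the address bar, but a link generated by software should encode them as %20, as the script does.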
Advanced options
If you want to use advanced integration options, such as including direct links to BDM
documents from workflow notifications, contact your account manager or Banner
Workflow Professional Services consultant.
Configuring Banner Effort Reporting
and Labor Redistribution for CAS
Single sign on (SSO) via Central Authentication Service (CAS) for Banner® Effort
Reporting and Labor Redistribution is implemented by configuring Banner Employee Self-
Service for SSO. The Effort Reporting and Labor Redistribution links within Banner
Employee Self-Service launch the Effort Reporting and Labor Redistribution applications
without prompting for user credentials.
Effort Reporting and Labor Redistribution as standalone applications do not support CAS-
based single sign on.
Configuring Banner Flexible
Registration for CAS
Prerequisites
• The UDC_IDENTIFIER attribute must be properly configured on the CAS server.
• The UDC_IDENTIFIER must be published using /samlValidate, a native CAS validation
service.
Processing flow
When a user accesses Banner Flexible Registration as the first application in an SSO
session, the Banner Flexible Registration home page provides instructions and a URL link
for signing in. The user clicks the URL link, is redirected to the CAS login page, and logs in
to CAS. CAS authenticates the user. The user is then redirected to the Banner Flexible
Registration application.
CAS to determine if the user is already logged in to CAS. CAS handles authentication into
Banner Flexible Registration.
When a user signs out of Banner Flexible Registration, the user can choose to log out of
CAS as well.
Configuration steps
Use the following steps to configure Banner Flexible Registration for CAS:
Example:
https://ellucianuniversity.com:443/flexibleregistration
SSL must be enabled on the Banner Flexible Registration
server.
CAS server URL Full URL to the CAS server. Include the protocol (https),
machine name, port number, and CAS application root.
Example:
https://ellucianuniversity.com:443/cas
SSL must be enabled on the CAS server.
3. Save the changes.
CAS logout redirect URL   Full URL to a page where users are redirected after the CAS logout process is completed. Include the protocol, machine name, port number, application root, and page if required.
Example:
http://ellucianuniversity.com:443/home.html
The URL in this example redirects all users to the home.html page when they log out of CAS from Banner Flexible Registration.
In some situations, however, you might want to force students to log out of CAS whenever they exit Banner Flexible Registration. For example, you might want students to be logged out of all applications and CAS when they are using Banner Flexible Registration on a kiosk or public computer.
Use the following steps if you want to force Banner Flexible Registration to call the CAS
sign out process whenever students sign out of Banner Flexible Registration.
1. Access the Flexible Registration Catalog Rules (SFRACTLG) form.
2. In the URL Redirect on Sign Out parameter field on the Rules tab, enter the URL of
the page that should be displayed when users sign out of Banner Flexible
Registration.
3. Save the change.
5. Click Save Changes. The CAS server is now protecting Banner Flexible Registration.
CAS-protected URLs
You must provide users with a CAS-protected URL that can be used to access Banner
Flexible Registration through SSO. This special URL ensures that a user signs in through
CAS. A CAS-protected URL has the following structure:
<protocol>://<host>:<port>/<application>/cas/index.jsp?frc=<catalog code>
The only difference between the CAS-protected URL and the normal URL is the context
path (/cas) before the index.jsp link.
Examples:
For users with accounts at your institution who are using CAS for SSO:
https://ellucianuniversity.com:443/flexibleregistration/cas/index.jsp?frc=A0
If you are using the Multi-Entity Processing (MEP) features of Banner Flexible
Registration:
https://ellucianuniversity.com:443/flexibleregistration/cas/institution/CAMP1/catalog/A0/
Configuring Banner Integration for
Ellucian Talent Management Suite for
CAS
This chapter describes the configuration of Banner® Integration for Ellucian Talent
Management Suite to support single sign on (SSO) via Central Authentication Service
(CAS). In a CAS-based environment, users authenticate to CAS instead of Banner Integration for Ellucian Talent Management Suite.
Prerequisites
• The UDC_IDENTIFIER attribute must be properly configured on the CAS server.
• The UDC_IDENTIFIER must be published using /samlValidate, a native CAS validation
service.
• If you are using Banner Enterprise Identity Services (BEIS) to generate UDCIdentifiers,
BEIS 8.1.5 or higher is required. Refer to “How does Banner support identity
management?” on page 12 for more information about BEIS.
Processing flow
The following processing occurs when Banner Integration for Ellucian Talent Management
Suite is accessed in an SSO session:
Component Processing step
Configuration steps
Use the following steps to implement CAS support for Banner Integration for Ellucian
Talent Management Suite:
web.xml
applicationContext-springSecurity.xml
The BITM-Installer.zip file, delivered with Banner Integration for Ellucian Talent
Management Suite, configures bitm-core.war for SSO support. Refer to the Banner
Integration for Ellucian Talent Management Suite Handbook for instructions on using this
tool.
If you are accessing the application using the Oracle HTTP Server (OHS), you should use
the same URL within web.xml to enable SSO.
Step 2 - Configure a CAS service for Banner Integration for Ellucian Talent
Management Suite
The CAS server needs to know that the Banner Integration for Ellucian Talent
Management Suite URL is protected for SSO. This is accomplished by configuring a CAS
service for Banner Integration for Ellucian Talent Management Suite. Use the following
steps to configure the CAS service that protects the Banner Integration for Ellucian Talent
Management Suite.
1. Access the CAS server management page:
https://<CAS host>:<CAS port>/<CAS context path>/services/manage.html
2. Log in with a valid administrator user name and password (obtained from the CAS
administrator).
3. Select the Add New Service tab.
4. Enter the following values:
5. Click Save Changes. The CAS server is now protecting Banner Integration for
Ellucian Talent Management Suite.
Processing notes
• The following URL must be used to access CAS-enabled Banner Integration for Talent
Management Suite:
https://<BITM server>:<port>/bitm-core/splash.zul
• If you get a certificate error when you launch Banner Integration for Ellucian Talent
Management Suite, you must import the certificate from the CAS server into the Java
Developer’s Kit (JDK) that is running the Banner Integration for Ellucian Talent
Management Suite application server.
• If your server is behind proxy, the following error might occur when you launch the
application:
ERROR> <?:?> - Unable to parse SAML 1.0 Schemas:
org.xml.sax.SAXParseException:schema_reference.4: Failed to read schema
document 'xmldsig-core-schema.xsd', because 1) could not find the
document; 2) the document could not be read; 3) the root element of the
document is not <xsd:schema>.
To resolve the error, perform the following setup on the Oracle WebLogic command
window where the application is deployed. Do the setup before you start the managed
server.
Windows
set PROXY_SETTINGS=-Dhttp.proxyHost=<proxy server> -Dhttp.proxyPort=<proxy port>
Unix/Linux
PROXY_SETTINGS="-Dhttp.proxyHost=<proxy server> -Dhttp.proxyPort=<proxy port>"
export PROXY_SETTINGS
Configuring Banner Travel and
Expense Management for CAS
This chapter describes the configuration of Banner® Travel and Expense Management to
support single sign on (SSO) via Central Authentication Service (CAS). In a CAS-based
environment, a user authenticates to CAS instead of Banner Travel and Expense
Management.
Prerequisites
• The UDC_IDENTIFIER attribute must be properly configured on the CAS server.
• The UDC_IDENTIFIER must be published using /samlValidate, a native CAS validation
service.
Processing flow
The following processing occurs when Banner Travel and Expense Management is
accessed in an SSO session:
Component Processing step
Configuration steps
Use the following steps to implement CAS support for Banner Travel and Expense
Management:
The Configuration Assistant uses the following properties to configure SSO within
tvlexp.ear. If you are accessing the application using the Oracle HTTP Server (OHS),
you should use the same URL for the following configuration.
Property name Purpose
When the Configuration Assistant is run with the preceding properties, the following files
are modified to enable SSO:
web.xml
applicationContext-springSecurity.xml
5. Click Save Changes. The CAS server is now protecting Banner Travel and Expense
Management.
Processing notes
• The following URL must be used to access CAS-enabled Banner Travel and Expense
Management:
https://<TEM server>:<port>/tvlexp/tvlexp-flex/index.html
• If you get a certificate error when you launch Banner Travel and Expense Management,
you must import the certificate from the CAS server into the Java Developer’s Kit (JDK)
that is running the Banner Travel and Expense Management application server.
Configuring Banner Workflow for
CAS
This chapter describes the configuration of Banner® Workflow to support single sign on
(SSO) via Central Authentication Service (CAS). In a CAS-based environment, users
authenticate to CAS instead of Banner Workflow.
Prerequisites
The external ID of Banner Workflow users must be set to the users’ UDCIdentifiers.
Processing flow
The following processing occurs when Banner Workflow is accessed in an SSO session:
Component Processing step
Configuration steps
Use the following steps to configure Banner Workflow for CAS:
1. Navigate to WORKFLOW_HOME/instance/config.
4. Modify the following properties in the CAS section:
Property Description
http://school.edu:7777/workflow/j_spring_cas_security_check
LoginUrl URL used to log in to CAS
Example:
http://school.edu:7777/cas
ExternalIDAttribute Name of the attribute that is returned by
/samlValidate in the SAML assertion and
contains the value used to look up a user
by external ID.
5. (Optional) If you wish to provide an external link to log users out of Banner Workflow
and CAS, set the <LogoffUrl> element as the last child element under
<SecurityIntegration>.
Note: If you do not set this element, the Logoff link in Banner Workflow
does not log users out of Banner Workflow or CAS.
Step 2 - Register the SSL certificate for the CAS server
The CAS server runs under SSL (Secure Sockets Layer). Register the SSL certificate
used by the CAS server into the keystore file (cacerts) that the Oracle WebLogic
Server uses for the Java installation. This is typically done by using the keytool command.
Example:
<JAVA_HOME>/bin/keytool -import -file <cas.cert> -keystore <JAVA_HOME>/jre/lib/security/cacerts
<JAVA_HOME> is the path of the JDK that is used to launch the Banner Workflow
application server container, and <cas.cert> is the path of the certificate file for
the CAS server.
The keytool prompts for a password, which is typically 'changeit' for a default Java
installation. Without an -alias option, keytool stores the certificate under the default
alias mykey, so give each certificate its own alias if more than one is imported into
the same keystore.
Step 3 - Register the SSL certificate for the Banner Workflow server
The CAS-enabled Banner Workflow server also runs under SSL (Secure Sockets Layer).
Register the SSL certificate used by the Banner Workflow server into the keystore file
(cacerts) that the CAS server uses for the Java installation. This is typically done by
using the keytool command.
Example:
<JAVA_HOME>/bin/keytool -import -file <workflow-server.cert> -keystore <JAVA_HOME>/jre/lib/security/cacerts
<JAVA_HOME> is the path of the JDK that is used to launch the CAS application
server container, and <workflow-server.cert> is the path of the certificate
file for the Banner Workflow server.
The keytool prompts for a password, which is typically 'changeit' for a default Java
installation.
4. Enter the following values:
5. Click Save Changes. The CAS server is now protecting Banner Workflow.
• Three URL links, contained in BDM, can be used to open a document, search for
documents, or upload a document.
• The Custom Activity Designer, contained in Banner Workflow, can be used to create
custom activities. A custom activity can include simple HTML tags such as <href> for
URL links that use workflow context parameters.
• Business event parameters are delivered as part of the integration between BDM and
Banner Workflow.
Configuring Ellucian Degree Works for CAS
This chapter describes the configuration of Ellucian Degree Works to support single sign
on (SSO) via Central Authentication Service (CAS). CAS integrates Degree Works with
portals and other web applications.
CAS supports SSO by issuing a one-use ticket to an end user. The ticket can be validated
by a client application and is also used to retrieve the identity of the end user for internal
use. Degree Works uses one ID to identify each end user internally and a different ID to
log that user in to CAS. For example, an end user usually logs in to CAS using the LDAP
ID, while Degree Works internally uses the rad_id. As part of the CAS configuration, you
must set up a mapping of user IDs in your authentication data store to Degree Works IDs.
Note: The rad_id is used when Degree Works is integrated with Banner®
and equals the spriden_id.
Prerequisites
Degree Works uses AuthCasDgw.pm to support CAS single sign on for the main web
application. AuthCasDgw.pm is a Perl module that Degree Works adapted from an
open-source module called AuthCAS. Several other Perl modules are also required due to
dependencies from AuthCasDgw.pm.
The Web09 server and the IRISLink.cgi server use AuthCasDgw.pm. If these
components are deployed on different servers, for example the application server and the
web server, you must install the prerequisite Perl modules on both servers. Information on
installing CPAN Perl modules is available at
http://www.troubleshooters.com/codecorn/littperl/perlcpan.htm.
To install the Perl modules, log in as root and run the following commands:
perl -MCPAN -e 'shell'
install HTML::Entities
install IO::Socket::SSL
install LWP::UserAgent
install XML::DOM
When you are prompted to include prerequisites/dependencies for each module, answer
[yes].
Processing flow
The Degree Works IRISLink.cgi CGI checks for a CAS ticket. If a ticket is not
present, the request is redirected to the CAS server. After CAS authentication takes place,
the CGI passes the user’s ticket to the Degree Works application server, Web09, where
the ticket is validated. The end user’s Degree Works ID is retrieved from CAS during ticket
validation.
Configuration steps
To configure the Degree Works Administrative Shell (DWShell) for CAS, all configurations
described in the following steps must be completed, including the configuration of the
Shepherd Settings. For Degree Works Web alone, the Shepherd Settings are not
required.
Use the following steps to configure Ellucian Degree Works for CAS:
SELECT access must be granted on the GOBUMAP table in Banner to the Degree Works
user (typically dwmgr). When the Banner extract is run, if a GOBUMAP record is found for
the individual, the GOBUMAP_ID is loaded into SHP_USER_MST.SHP_ALT_ID.
Refer to the Degree Works Banner Considerations Technical Guide for more details on
running Banner extracts.
Step 2 - Configure a CAS Service for Degree Works
The CAS server needs to know that the Degree Works URL is protected for SSO. This is
accomplished by configuring a CAS service for Degree Works. Use the following steps to
configure the CAS service that protects Degree Works.
1. Access the CAS server management page:
https://<CAS host>:<CAS port>/<CAS context path>/services/manage.html
2. Log in with a valid administrator user name and password (obtained from the CAS
administrator).
3. Select the Add New Service tab.
4. Enter the following values:
5. Click Save Changes. The CAS server is now protecting Degree Works.
Consult the documentation from your certificate provider, for example VeriSign or Thawte,
for more information on exporting SSL certificates to a file and converting between various
certificate formats.
4. Set the CAS server URL.
Example: $CAS_URL = 'https://your.cas.server:8443/cas-server-webapp-3.3.3';
5. Set the location of the CAS server’s SSL certificate (the CA bundle or certificate file
that the Perl client uses to verify the CAS server’s TLS connection).
You can set the location two different ways, depending on how you set up your
certificates:
$CAS_CAFile = '/etc/httpd/conf/ssl.crt/ca-bundle.crt';
or
$CAS_CAFile = "/usr/local/certificates/tomcatcert.pem";
6. Set the user ID attribute name to the same value that is configured in CAS
attribRepository for the user ID attribute mapping:
$CAS_ID_Attribute_Name = 'UDC_IDENTIFIER';
This file is also located on your web server. You should make the same changes to
that file. The location of that file varies, but can be found by looking in
CgiSettingsDir.pm in the Degree Works Web root directory.
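The ticket flow described under "Processing flow" above (redirect to CAS when no ticket is present, then validate the ticket server-side and read the Degree Works ID from the released attribute) and the $CAS_ID_Attribute_Name setting from step 6, as an added Python example. This is not the AuthCasDgw.pm module or any Ellucian code. It assumes a CAS server that answers /serviceValidate in the CAS 2.0 XML format and releases the configured attribute inside <cas:attributes>; the CAS URL, service URL, ticket value and the two sample responses are constructed for illustration.

```python
# Added example (not Ellucian/Degree Works code): the client side of the CAS
# flow that IRISLink.cgi and Web09 perform, written in Python for illustration.
# Assumes CAS 2.0 /serviceValidate XML responses with attributes released
# under <cas:attributes>. Hosts, tickets and responses below are constructed.
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace of CAS 2.0 responses
CAS_ID_ATTRIBUTE_NAME = "UDC_IDENTIFIER"         # same value as step 6 above


def build_login_redirect(cas_url, service_url):
    """Redirect target for a browser that arrives without a ticket."""
    query = urllib.parse.urlencode({"service": service_url})
    return f"{cas_url.rstrip('/')}/login?{query}"


def build_validate_url(cas_url, service_url, ticket):
    """Back-channel URL the server (not the browser) calls to validate the ticket.
    The service value must be the exact URL the ticket was issued for."""
    query = urllib.parse.urlencode({"service": service_url, "ticket": ticket})
    return f"{cas_url.rstrip('/')}/serviceValidate?{query}"


def parse_service_response(xml_text, id_attribute=CAS_ID_ATTRIBUTE_NAME):
    """Interpret a /serviceValidate response.

    Returns a dict with 'ok', 'user' (the CAS login, e.g. the LDAP ID), 'id'
    (the value of the configured attribute, i.e. the internal Degree Works ID)
    and 'error'. The internal ID is taken only from the CAS response, never
    from anything the browser sent.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "user": None, "id": None,
                "error": failure.get("code", "UNKNOWN")}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return {"ok": False, "user": None, "id": None, "error": "MALFORMED_RESPONSE"}
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attr = success.find(f"cas:attributes/cas:{id_attribute}", CAS_NS)
    internal_id = attr.text.strip() if attr is not None and attr.text else ""
    if not user or not internal_id:
        # Authenticated at CAS but no usable mapping to a Degree Works ID:
        # treat as a validation failure (the case the SERR0775 message covers).
        return {"ok": False, "user": user or None, "id": None, "error": "NO_ID_MAPPING"}
    return {"ok": True, "user": user, "id": internal_id, "error": None}


def validate_ticket(cas_url, service_url, ticket, ca_file,
                    id_attribute=CAS_ID_ATTRIBUTE_NAME):
    """Server-side validation over TLS; ca_file plays the role of $CAS_CAFile.
    create_default_context verifies the chain against ca_file and checks the
    host name, so a CAS server presenting an untrusted certificate is rejected."""
    ctx = ssl.create_default_context(cafile=ca_file)
    url = build_validate_url(cas_url, service_url, ticket)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return parse_service_response(body, id_attribute)


# Constructed sample responses, in the shape a CAS 2.0 server returns.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:UDC_IDENTIFIER>00000000-0000-0000-0000-000000000001</cas:UDC_IDENTIFIER>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-constructed-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    cas = "https://your.cas.server:8443/cas"          # constructed
    service = "https://your.dw.server/IRISLink.cgi"    # constructed
    print(build_login_redirect(cas, service))
    print(parse_service_response(SAMPLE_SUCCESS))
    print(parse_service_response(SAMPLE_FAILURE))
```

The two points a practitioner should take from the block: the ticket is validated by the server over a TLS connection built from the configured CA file, never by trusting anything the browser presents, and the internal ID comes only from the attribute named by $CAS_ID_Attribute_Name; a successful CAS login that releases no such attribute is rejected rather than mapped to a guessed user.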
2. If you want to redirect users to a page or if you want to log users out of CAS when they
click Logout, configure the following settings in dwenv.config and then issue the
webrestart command:
ENABLE_EXTERNAL_LOGOUT=1
gsCfgExternalLogoutUrl=http://for.example.your.server/cas-web/logout
3. Customize the 0775 error message that Degree Works issues when CAS validation
fails. You can customize the message by editing shpscripts/SERR0775.
Do not enable both core.security.externalAccessManager.enable and
core.security.cas.enable. Only one should be enabled at a time.
Configuring Ellucian Luminis Platform 5 for CAS
The Luminis® Platform 5 installation process includes an option to install a CAS server.
The method used to configure a CAS server depends on whether a CAS server is already
installed:
• If a CAS server is already installed, do not install the CAS server that is delivered with
Luminis Platform 5. Rather, you must install and configure Luminis Platform 5 against
the existing CAS server. Refer to Chapter 6, "External CAS Installation and
Configuration," in the Luminis Platform 5.1 Installation Guide for specific instructions.
• If a CAS server is not already installed, install the CAS server that is delivered with
Luminis Platform 5. Refer to the Luminis Platform 5.1 Installation Guide to review all
deployment options and associated instructions.
Glossary
account provisioning
A process that creates, maintains, and deactivates user identity data in a central
directory or multiple applications.
BEIS
See "Banner Enterprise Identity Services."
CAS
See "Central Authentication Service."
claims-based authentication
A method of authenticating a user’s identity where a trusted entity issues and signs a
trusted ticket that contains claims about the user’s identity.
deep-linking
The ability to bypass a menu page and hyperlink directly to a specific page in Self-
Service Banner (SSB) or to a specific form in Internet-Native Banner (INB).
federated identity
A method that connects a user’s digital identity and attributes across multiple identity
management systems.
IdM
See "identity management."
Jasig
Java Administration Special Interest Group, a US-based, nonprofit organization that
creates open source software for higher education.
SAML
See "Security Assertion Markup Language."
SSO
See "single sign on."
third-party authentication
A process that uses a trusted external source to facilitate access to specific
applications.
SSO Manager
A BEIS component that acts as an SSO gateway for Internet-Native Banner (INB) and
Self-Service Banner (SSB).