External Authentication at Cal Poly (Single Sign-on is not a Fantasy)

Session #10184, March 22, 2005
HEUG 2005 Conference, Las Vegas, Nevada

Cal Poly, San Luis Obispo, CA
Information Technology Services
Darren Kraker
Terry Vahey
Overview
• Case study: Cal Poly's implementation of external authentication for PeopleSoft Human Resources and Financials
• Motivation: easier for users, improved security administration
• Tools: Yale University Central Authentication Service, JA-SIG uPortal, LDAP using Oracle Internet Directory, PeopleSoft 8.0 & 8.4
Agenda/Contents
• Motivation
• Implementation
• Support
• Lessons learned
• Next steps
• Questions
Cal Poly – Who are we?
• Part of the California State University (CSU) system
• CSU is the largest four-year university in the nation
• CSU comprised of 23 campuses throughout California
• CSU enrolls approx. 409,000 students
• CSU students taught by approx. 22,000 faculty
Cal Poly – Who are we? (cont.)
• San Luis Obispo
• 100 years old
• 20,000 students
• Polytechnic University: Engineering, Agriculture, Architecture, Science
• "Learn by Doing": technical and professional curricula with arts and humanities.
Motivation
Motivation
Why Enterprise Single Sign-on & Portal? Easier on the users:
• One username and password
• Single login interaction / operation
• Integrated with other Web applications in one Enterprise Portal
Motivation (cont.)
Improved security administration:
• Simplify account setup (provisioning)
• Passwords and authentication security consistently enforced and in one location
• Simplified change management, auditing
• For Web apps, do it once, do it right
Considerations
• Vendor neutrality
• Integration with current and future vendor offerings
• Reusable by other web apps
• Higher education best practices
• Highly available
• Focus on web authentication
Limitations of Web Single Sign-on
• Primarily available for Web applications
• There is no standard in this space
• Requires custom integration with each application
• Additional time required to implement
Implementation
System Overview
(Pages 14–16 of the deck are images only; no text survives in the transcript.)
uPortal - Cal Poly Enterprise Portal
• uPortal is an open-standard effort using Java, XML, JSP and J2EE
• Began using uPortal Fall 2001 as our campus portal
• Integrate disparate campus systems in one location
• Aggregate content from campus constituents
CAS – Yale Central Authentication Service
We want Single Sign-on, but how? Evaluated Pubcookie, WebAuth . . .
• Simple to install and configure
• Variety of clients available (Apache module, PHP, Java, etc.) for integration
• Delivered implementation with uPortal
• Application can authenticate the user without handling the user's credentials directly
CAS Authentication Flow
Actors: User, Web Application, Web Login Service. Legend: user interaction / no user interaction.
1 User requests access
2 Browser redirected to Login Service
3 Web Login Service recognizes user session
4 Login Service provides ticket
5 Ticket provided to application
6 Application validates ticket
7 Username provided to application
8 Application decides if user is authorized
9 User gets access
LDAP
• Oracle Internet Directory, 9i
• Currently single source of username and password
• Allows non-web based apps to authenticate
• Contains data from HR, Foundation, ASI, Student Info Systems, …
• Was in place before CAS (2001)
PeopleSoft
• Making PeopleSoft use a central authentication service
• Evaluate known solutions
• Integration with CAS
PeopleSoft - Implementation
• Accept a ticket and then validate it
• PeopleSoft accepts CAS ticket parameter as part of login
• PeopleCode calls Java client
• CAS Java client performs the CAS validation
PeopleSoft - Implementation

```peoplecode
Function VALIDATE_TICKET()
   /* [email protected] 20030122 Trusted Authentication Impl */
   If %PSAuthResult = False Then
      &validator = GetJavaClass("PSCASClient");
      /* retrieve fullUrl and ticket value from HTTP request */
      &fullUrl = %Request.FullURI | "?" | %Request.QueryString;
      &ticket = %Request.GetParameter("ticket");
      If &ticket <> "" Then
         /* have a ticket, load CAS client class and attempt to validate */
         &cas_result = &validator.validate(&fullUrl, &ticket);
         If &cas_result <> "" Then
            /* ResultDocument (3rd parm) seems to be ignored by front end */
            SetAuthenticationResult( True, &cas_result, "", False);
            &authMethod = "SLO";
            Return;
         End-If; /* got username back from CAS */
      End-If; /* got ticket */
   End-If; /* user not yet authenticated */
End-Function;
```
PSCASClient.java

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;

public class PSCASClient {
    // CAS server's validate endpoint; the actual value is not shown in the slides
    private static String validateURL;

    // Called from PeopleCode; returns the PeopleSoft user id, or null if the ticket is not valid
    public static String validate(String service, String ticket) throws IOException {
        URL u = new URL(validateURL + "?ticket=" + ticket + "&service=" + service);
        BufferedReader in = new BufferedReader(new InputStreamReader(u.openStream()));
        if (in == null) {
            return null;
        } else {
            String line1 = in.readLine();
            String line2 = in.readLine();
            if (line1.equals("no")) {
                return null;
            } else {
                // make fully qualified username ("[email protected]")
                // into PSFT username ("jdoe")
                return line2.substring(0, line2.indexOf('@')).toUpperCase();
            }
        }
    }
}
```
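The nine-step flow on the CAS Authentication Flow slide and the two-line validate reply that PSCASClient.java parses, modelled end to end in Python as an added example (this is not code from the slides or from Cal Poly, and the protocol is the CAS 1.0-style one the Java client reads: "yes" on line 1 and the username on line 2, or "no"). The login-service side mints a ticket once the SSO session is recognised and answers the application's validate call; the application side pulls the ticket off the request URL, validates it and maps the principal to a PeopleSoft user id. The checks that make a ticket safe to hand to the browser are made explicit: the ticket is unguessable, bound to the exact service string, consumed on first validation, and expires. The service value sent to validate is the request URL with the ticket parameter removed, because the login service compares it with the service it issued the ticket for. URLs, usernames and the ticket lifetime are constructed for the example.

```python
"""Model of the CAS-style service-ticket exchange (added example, not Cal Poly code).

Login-service side: issue_ticket (step 4) and validate (steps 6-7).
Application side: application_login (steps 5, 8, 9).
"""
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TICKET_TTL_SECONDS = 10  # assumed lifetime; service tickets are meant to be short-lived


class LoginService:
    """Stand-in for the Web Login Service: mints and validates service tickets."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service, username, issued_at)

    def issue_ticket(self, service, username, now=None):
        # Step 4: the SSO session is already recognised, so mint an unguessable,
        # one-time ticket bound to the exact service string the application sent.
        ticket = "ST-" + secrets.token_urlsafe(16)
        issued_at = time.time() if now is None else now
        self._tickets[ticket] = (service, username, issued_at)
        return ticket

    def validate(self, service, ticket, now=None):
        # Steps 6-7: answer the application's validate request. The ticket is
        # consumed on the first lookup, so a replayed ticket gets "no".
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return "no\n"
        bound_service, username, issued_at = entry
        if bound_service != service:  # ticket was issued for a different service
            return "no\n"
        current = time.time() if now is None else now
        if current - issued_at > TICKET_TTL_SECONDS:  # ticket too old
            return "no\n"
        return "yes\n%s\n" % username


def service_without_ticket(request_url):
    """Service value for validate: the request URL minus its ticket parameter."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_validate_response(body):
    """Parse the two-line reply; None means the ticket was not accepted."""
    lines = body.splitlines()
    if len(lines) < 2 or lines[0] != "yes" or not lines[1]:
        return None
    return lines[1]


def to_psft_user(principal):
    """Turn a fully qualified name such as 'jdoe@example.edu' into the PeopleSoft id 'JDOE'."""
    return principal.split("@", 1)[0].upper()


def application_login(login, request_url):
    """Application side (steps 5, 8, 9): return the PeopleSoft user id, or None."""
    ticket = dict(parse_qsl(urlsplit(request_url).query)).get("ticket", "")
    if not ticket:
        return None  # no ticket: the application falls through to its normal sign-on
    reply = login.validate(service_without_ticket(request_url), ticket)
    principal = parse_validate_response(reply)
    if principal is None:
        return None
    # Step 8 (is this user authorized?) stays with the application's own security
    # tables; this function only establishes who the user is.
    return to_psft_user(principal)


if __name__ == "__main__":
    login = LoginService()
    service = "https://hr.example.edu/psp/hrprd/?cmd=login"  # constructed
    ticket = login.issue_ticket(service, "jdoe@example.edu")  # constructed
    print(application_login(login, service + "&ticket=" + ticket))  # JDOE
    print(application_login(login, service + "&ticket=" + ticket))  # None (replayed ticket)
```

The `validate` method consumes the ticket before it checks the service binding, so a ticket presented with the wrong service is spent rather than left for a second try; the `now` parameters exist only so the expiry path can be exercised deterministically.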
PeopleSoft - Implementation
• Configure SLO_AUTH hook in PeopleSoft Sign-on Page (Exec Auth Fail)
Set Exec Auth Fail PeopleCode
PeopleSoft - Implementation
• Customize HTML files now that original sign-on page is obsolete:
  • index.html
  • Logout_page.html (new)
  • Signin_alternate (new)
  • Signon.html
  • signonError.html (new)
  • Cookiesrequired.html
• Modify configuration.properties to point to new HTML files
• Install CAS client jar, class files
Issues
It's never that easy . . .
• Service URL we use for CAS had to contain userid/pwd parameter
• PeopleSoft cookies
• After PTools upgrade (2003) HTTP GET no longer worked, POST required
Enterprise Portal Integration
The next step . . . deep linking
• More direct and intuitive method for accessing services
• Add embedded PeopleSoft content within an IFrame using nested URL
• Similar solution with Oracle Collaboration Suite
(Pages 29–30 of the deck are images only; no text survives in the transcript.)
Environment
Non Technical Challenges
• Executive mgmt buy-in, enterprise wide
• Data providers: Information Security Officer, Registrar
• Skepticism: too hard to implement; don't see the value
• PeopleSoft application: fear of losing control of authorization
Technical Specifications
Technical Specifications
CAS servers
• Central Authentication Server 2.0
• Servers: Sun Netra T1, 500 MHz, 1 GB RAM, Solaris 9
• Three servers for high availability
• Cisco switches provide failover
Technical Specifications
LDAP servers
• Oracle Internet Directory: 9.2.0.6
• Servers: Sun Netra T1, 500 MHz, 1 GB RAM, Solaris 9
• Three servers for high availability
• Cisco hardware provides load balancing and failover
Technical Specifications
uPortal server
• uPortal 2.1.4
• One server: Sun E450, 4 × 400 MHz, 4 GB RAM, Solaris 9
Statistics on Usage
PeopleSoft Applications:
• HR total accounts: 2,500 (admin accounts: 700); concurrent users average: 22 (high 75)
• Finance total admin accounts: 700; concurrent users average: 23 (high 95)
Single Sign-on:
• Unique users per month: approx. 12,000 - 28,000; average: 20,000 (including summer quarters)
• Unique users per day: maximum 14,000; average 5,700
• Concurrent users of the Portal: high 2,800
Statistics on Usage (cont.)
• Single clicks to HR PRD and FS PRD per month: 2,200 – 6,100; average: 4,200 (including summer quarters)
• Single Sign-on outages: unplanned: less than 1/2 hour per month; planned: 4 hours/month (updates, new application rollouts)
• Users CAN authenticate to PS and other applications
Support
Organization of Ext Auth Support
Support
• Technology is very low maintenance
  • CAS production updates: ~3 hrs/month
  • Reviewing logs, usage patterns: ~4 hrs/month
  • Troubleshooting:
• Password management – in a single location now; made passwords more secure
• Plan: upgrade CAS code this year
Academic Outreach
• NSF funded grant project
• Helping member campuses: directory services and CAS; PeopleSoft and Oracle integration
• Funded by the NSF Middleware Initiative through the NMI-EDIT Consortium of Internet2, EDUCAUSE, and SURA
• Other campuses
Next Steps
• Implement Student Administration (SSO already in place with HR)
• Upgrade CAS
• Integration with PeopleSoft version 8.9
• Add redundancy for uPortal
• Alternate authentication methods
Our Wish List
• PeopleSoft Applications and PeopleTools support of standards
• Make the application's content available via: WSRP (as producer), JSR 168
Lessons Learned
• Technical lessons
• Involve campus Information Security Officer (ISO), CIO at the beginning
• "It's all about the data"
• Ongoing process
• Department's understanding
• Work with application programmers for integration and testing challenges
References
• CAS: http://www.yale.edu/tp/cas/
• JA-SIG: http://www.ja-sig.org/
• uPortal: http://www.uportal.org/
• PeopleBooks
• Cal Poly's: PPT, PeopleSoft Single Sign-on Guides: http://www.calpoly.edu/~cms/ExtAuthentication/index.html
QUESTIONS?
Darren Kraker, Software [email protected]
Ryan Matteson, Web Architect and Info Security, [email protected]
Ken Sperow, Software [email protected]
Terry Vahey, Technical Lead, [email protected]
Greg Weir, PeopleSoft
http://www.calpoly.edu/~cms/ExtAuthentication/index.html
This presentation and all HEUG 2005 presentations are available for download from HEUG Online: http://heug.org