SETA Central 2007 Achieving Single Sign On with Luminis and the Generic Connector Framework (GCF) Christopher Frost Tuesday, October 9th, 9:30am
Session Rules of Etiquette • Please turn off your cell phone/beeper • If you must leave the session early, please do so as discreetly as possible • Please avoid side conversation during the presentation Thank you for your cooperation!
Goals of this Session • Review Setting up SSO with Luminis • Discuss using External Authentication (EAS) • Talk about Luminis IV
A Little About Me . . . • Christopher Frost • Programmer / Analyst for Collin College in Plano, TX • Two Years of Luminis Experience • Familiar with Luminis III and IV • Not a Luminis Cheerleader
Initial Questions about GCF Is your system a viable candidate for SSO? How should Luminis connect to the external system? What do I need to know about GCF?
Is it a candidate for SSO? • Must have a web-based login interface <- DEAL-BREAKER • Host-based authentication • Frames • Heavy client-side JavaScript (requires a custom CPIP connector, a pickup-response file and custom Java code) • Support for URL rewriting
Is it a candidate for SSO? Does the external system maintain: • Users • Timeouts • Session How does it handle system management? • URL rewriting • Cookies
Myths about CPIP / GCF . . . Myth # 1: Luminis supports single sign-on
Mimicking a Browser • The connector has to act on an incoming browser request • The host name on the cookie has to match the machine the cookie is sent from
GCF vs. CPIP [Diagram: External System <-> Luminis Connector <-> Portal Tier]
GCF vs. CPIP • Use CPIP when you want to authenticate using a Java servlet • CPIP gives you greater control over session management • Much more complex engagement than GCF
CPIP - Data Flow • User clicks on CPIP Link • Credentials for External Account retrieved from the Secret Store in PDS LDAP • CPIP Authentication call with credentials • Creates (or finds existing) session for the user • CPIP SSO Connector has the browser create a cookie • Simulates a browser and performs login steps • Collects and stores all cookies in the session • Browser collects cookies from the session in the connector
Luminis Review - File Structure
$CP_ROOT/config - Initial settings
$CP_ROOT/custom - New skin templates
$CP_ROOT/events - Template files for the notification events
$CP_ROOT/logs - Back up logs? Historical information can be useful
$CP_ROOT/products - The applications; capture any modifications you make here
$CP_ROOT/shared - A good number of items that change: files from Group Studio, login screens
$CP_ROOT/webapps - CAR files are deployed in the webapps directory
Luminis Review - File Structure Luminis uses at least three Tomcat containers on the portal tier: • $CP_ROOT/products/tomcat-cp Luminis Web Server • $CP_ROOT/products/tomcat-cpipconnector CPIP Connector • $CP_ROOT/products/tomcat-mb Message Broker You can add additional Tomcat containers for a dedicated heavy-duty connector
Single Sign On Link The only URL that will work to make single sign-on happen • http://cougarweb.ccccd.edu/cp/ip/login?sys=gwmail&url=<URL Encoded URL>
Single Sign On Link
Base Luminis URL: http://cougarweb.ccccd.edu/
Map to this process: cp/ip/login?
Use this as the external system: sys=gwmail
And send the result to this address: &url=URLencodedaddress
About GCF • The GCF is installed as part of the Luminis installation Configuration directory $CP_ROOT/webapps/cpipconnector/WEB-INF/config • Luminis has GCF connectors already defined for Communications Express and MS Outlook Web Access (MOWA) • You can integrate other systems by defining additional generic connectors
About GCF • Customize a properties and XML file • Register the external system with Luminis using configman • Create your GCF Link
GCF - Properties File The GCF configuration files are under $CP_ROOT/webapps/cpipconnector/WEB-INF/config. In this directory, you will see the following files in an out-of-the-box installation. • comexp.properties • cpipconnector.properties • cpiplog4j.properties • messengerexpress.properties • mowa.properties
GCF - Properties File • Contains name-value pairs • Defines info required for a connection to a desired Web application (username, password, session) • Can define other variables necessary to communicate with external Web applications. (hidden fields)
GCF - Properties File (comexp.properties)
comexp.externalSystemName = comexp
convertSiteCookies = true
comexp.protocol = http
comexp.hostname = cougarmsg.ccccd.edu
comexp.port = 6788
comexp.vpath = uwc
comexp.externalSystemURL = ${comexp.protocol}://${comexp.hostname}:${comexp.port}
comexp.loginpath = ${comexp.externalSystemURL}/${comexp.vpath}/auth
comexp.logoutpath = ${comexp.externalSystemURL}/${comexp.vpath}/base/UWCMain?op=logout
comexp.lastactivepath = ${comexp.externalSystemURL}/${comexp.vpath}/base/UWCMain
comexp.operations = ${SSOROOT}/config/comexp.xml
web.xml
web.xml has a <web-app> node that maps these paths:
• /cp/home/loginf
• /cp/ip/login
• /cp/ip/config
• /cpipconnector
and sends each request to the appropriate Java servlet
web.xml
<web-app>
  <servlet>
    <servlet-name>cpipconnector</servlet-name>
    <servlet-class>com....</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cpipconnector</servlet-name>
    <url-pattern>/gwcpip/*</url-pattern>
  </servlet-mapping>
</web-app>
Single Sign On Link Tips for CPIP Requests • VERY case sensitive; watch your parameter names • Extra characters are not helpful: no spaces, hard returns, or underscores • URL-encode any values: ':' becomes %3A, '/' becomes %2F, '?' becomes %3F, '&' becomes %26
Single Sign On Link Our URL to the application below is http://groupwise.ccccd.edu/webapp Go to a URL encoding utility such as http://www.albionresearch.com/misc/urlencode.php which transforms the URL into this: http%3A%2F%2Fgroupwise.ccccd.edu%2Fwebapp
Single Sign On Link Link can then be used within Luminis as: • Bookmark • Targeted content channel • Tab
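The link construction in the slides above, as an added worked example (my code, not Luminis code or the presenter's): build_sso_link() assembles the /cp/ip/login URL with a fully percent-encoded destination, and parse_sso_link() decodes a link back and flags the mistakes the slides warn about (wrong-case parameter names, and an un-encoded destination whose own ? and & get swallowed as extra parameters). The function names are mine; the host names and the gwmail system name come from the slides.

```python
from urllib.parse import quote, unquote, urlsplit


def build_sso_link(base_url, sys_name, destination):
    """Return <base>/cp/ip/login?sys=<sys>&url=<percent-encoded destination>.

    Parameter names are lower case and exact (the request is case sensitive),
    and the destination is encoded with no safe characters, so ':' -> %3A,
    '/' -> %2F, '?' -> %3F and '&' -> %26 as on the slides.
    """
    if not base_url.startswith(("http://", "https://")):
        raise ValueError("base URL must be absolute")
    if not sys_name or any(c.isspace() for c in sys_name):
        raise ValueError("sys must be one token with no whitespace")
    return "%s/cp/ip/login?sys=%s&url=%s" % (
        base_url.rstrip("/"), sys_name, quote(destination, safe=""))


def parse_sso_link(link):
    """Decode a link into its parts and list the usual mistakes."""
    parts = urlsplit(link)
    problems = []
    if parts.path != "/cp/ip/login":
        problems.append("path %r is not /cp/ip/login" % parts.path)
    raw = {}
    for pair in parts.query.split("&"):       # raw split: un-encoded '&' shows up here
        name, _, value = pair.partition("=")
        raw[name] = value
    for name in raw:
        if name not in ("sys", "url"):
            problems.append("unexpected parameter %r (names are case sensitive: sys, url)" % name)
    if not raw.get("sys"):
        problems.append("missing sys parameter")
    dest_raw = raw.get("url", "")
    if any(c in dest_raw for c in ":/?&"):   # its own ? and & would be swallowed
        problems.append("url parameter is not URL-encoded")
    return {"sys": raw.get("sys", ""), "url": unquote(dest_raw), "problems": problems}


if __name__ == "__main__":
    link = build_sso_link("http://cougarweb.ccccd.edu/", "gwmail",
                          "http://groupwise.ccccd.edu/webapp")
    print(link)
    print(parse_sso_link(link))
```

Run parse_sso_link() over any link you are about to paste into a bookmark, channel or tab; an empty problems list is what you want before you start chasing connector errors.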
Myths about CPIP / GCF . . . Myth # 2: Setting up Single Sign On to external systems with Luminis is easy
Two Flavors of Connector • Can be integrated into the web app - Less common (Pickup [Local or remote]) • Can exist as a stand-alone web app - Very common (Pickup-response) • Pickup.html is an HTML page with JavaScript that reads the cookie values it is handed, sets the destination, and sends the browser on. This allows the cookies to be placed in the user's browser instead of relayed back to the server.
How to Set Up Your Pickup • Create the "starter" external system configuration files. • Capture HTTP traffic between the browser and the external system using a tool like Live HTTP Headers while authenticating/deauthenticating to the external system • Identify and analyze the HTTP requests that need to be executed in order to get the user authenticated to the external system
How to Set Up Your Pickup • Design and implement the connector XML and property files to accomplish the authentication through the GCF. • Import/set the required properties in the Luminis system. • Set the CPIP external account for external system users. • Restart the cpipconnector and the Luminis platform webservers.
Luminis Review – Procedures $CP_ROOT/bin/rc - Customize any control scripts here • 10_ldap • 20_config • 30_cal (calendar) • 40_mb (message broker) • 60_cpipconnector • 70_webserver • 80_ssl
Luminis Review – Procedures • Start-up sequences run in ascending numeric order, shut-down sequences run in descending order. • TIP: Add a bounce webserver script to the bin directory • TIP: Include LMG or a custom CPIP connector in the start-up / shut-down process
Managing External Accounts
External-system credentials for a user can:
1) Be stored in the "Secret Store"
2) useSISCredentials set to "true": use the SIS ID and PIN
3) usePDSCredentials set to "true": use the Luminis ID and PIN. Use this for EAS or where the user ID and password are the same. If usePDSCredentials is set to true, the lookup of external IDs in the secret store DOES NOT occur.
4) Store the external account in PDS: use cptool, by hand or by import. Different username, same password: a Password Sync Filter keeps the password in the Secret Store synced with the Luminis password.
GCF – XML File Using the Tag Library end users are authenticated and able to use the application with one click of a link instead of having to enter usernames and passwords each time. There are three XML files that are included out of the box: • comexp.xml • messengerexpress.xml • mowa.xml
GCF – XML File Configure the XML to perform basic browser functions • “do a GET on this URL,” • “do a POST to this URL,” • “search the response for a particular string and tell me whether you found it or not,”
GCF – XML File (Plain)
<operations>
  <authenticate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="TRUE" />
      </SESSION>
    </CLIENT>
  </authenticate>
  <deauthenticate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="TRUE" />
      </SESSION>
    </CLIENT>
  </deauthenticate>
  <lastActive>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="FALSE" />
      </SESSION>
    </CLIENT>
  </lastActive>
  <checkstate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="FALSE" />
      </SESSION>
    </CLIENT>
  </checkstate>
</operations>
Session Management
Uses the checkstate and lastActive tags for session management.
First scenario: Luminis timeout 20, App timeout 15
• Two minutes before logout, Luminis sends a request to the app asking, "Are you logged in?"
• If yes, reset the user's timeout
• If no, form a deauthenticate URL and log the user out
• The check is destructive: it pulls a page from the app, which counts as activity and resets the app's idle timer
Session Management
Second scenario: Luminis timeout 15, App timeout 20
• If the Luminis timeout is smaller, the check fires before the app has timed out, finds the user logged in and resets both timers, so you can end up in a perpetual loop where neither session expires.
• Make the application timeout smaller and the Luminis timeout larger.
• OPEN QUESTION: Does Luminis always do a destructive reset on every logged-in application?
• FERPA issue: the Luminis timeout has to be set to a reasonable amount of time (less than 2 hours).
• It is important to configure the lastActive link, or the applications could time out while the user is still active in Luminis.
Session Management Logout Steps
• Timeout or logout occurs
• Luminis sends a Deauthenticate request (using the user ID and the CPIP OID for Deauthenticate)
• The external system removes its cookies and resets its internal session tracking
GCF - Properties File (Part II)
comexp.sso.operations.class = com.campuspipeline.sso.authenticator.SSOOperations
comexp.urlBase = ${cpipconnector.urlBase}/${comexp.externalSystemName}
# virtual urlBase is needed for FOS
comexp.virtual.urlBase = ${cpipconnector.virtual.urlBase}/${comexp.externalSystemName}
comexp.cpipconnector.getconfig.createonlogin = 1
comexp.cpipconnector.getconfig.authenticate = ${comexp.urlBase}/Authenticate
comexp.cpipconnector.getconfig.authenticateOIDlist = 1.3.6.1.4.1.4409.1.1.4.2
comexp.cpipconnector.getconfig.deauthenticate = ${comexp.urlBase}/Deauthenticate
comexp.cpipconnector.getconfig.deauthenticateOIDlist = 1.3.6.1.4.1.4409.1.1.6.1
comexp.cpipconnector.getconfig.lastactive = ${comexp.urlBase}/LastActive
comexp.cpipconnector.getconfig.lastactiveOIDlist = 1.3.6.1.4.1.4409.1.1.5.1
comexp.cpipconnector.getconfig.sessionPlaceHolder = extsesid
comexp.cpipconnector.getconfig.sendcpsession = false
comexp.cpipconnector.getconfig.sendtimeout = false
comexp.cpipconnector.getconfig.desturl_parmname = destURL
comexp.cpipconnector.getconfig.sendlogin = true
comexp.cpipconnector.getconfig.useSISCredentials = false
comexp.cpipconnector.getconfig.usePDSCredentials = true
comexp.cpipconnector.getconfig.configsleeptime =
comexp.cpipconnector.getconfig.configattempts =
comexp.pickup.destURLParameter = url
GCF - Configman • es.template.shortcircuitlogin false • es.template.domain = http://www.ccccd.edu • es.template.configsleeptime 10000 • es.template.configattempts 60 • es.template.configURL http://my.system.edu:8008/cpipconnector/template/GetConfigVersion2 • es.systems – (Space-Delimited List) sct pdc is epos mb cal gtmb • es.systems.secure.login (Comma-Delimited List) sct,pdc,is,epos,mb,cal,gtmb
Local Pickup
Local pickup can only be used if the GCF and the external system are on the same domain. For the local pickup method, no special property needs to be set in the GCF. The absence of the properties ES.pickup.remoteurl and ES.pickup.response will indicate to the GCF that the local pickup method is expected.
Remote Pickup Remote Pickup - required if the GCF and the external system are on different domains, making it impossible for the GCF to set cookies on behalf of the external system.
How Remote Pickup Works • User clicks cpip login link of the form: /cp/ip/login?sys=<ES>&url=http://<yourdomain>?extsessid=place_holder • Luminis asks GCF to perform the login on the external system. • GCF executes the authenticate XML tag of the external system. • If response returns true, GCF sends back a pickup URL to Luminis. If not, it sends back an error code of 1.
How Remote Pickup Works • Luminis tacks the destination URL onto the pickup URL and redirects the browser to the pickup URL, which takes it to the GCF. • The GCF redirects the browser to the location specified by the property ES.pickup.remoteurl after tacking on any cookies that it obtained during the authentication step. • Logic embedded in the pickup page reads the cookie query parameters, sets the cookies in the browser, and then redirects the browser to the final destination URL. • Because the session cookies travel in the query string of that redirect, it should be over HTTPS; URLs end up in browser history and in proxy and web server logs.
Pickup Response The GCF does not perform a proxy login on behalf of the user. Instead it forces the browser to load a chunk of HTML/JavaScript pre-populated with the credentials, which automatically posts them to the external system. Process • GCF "fakes" a successful authentication: it sends back a "false" success, pretending the login was done. • Luminis receives the success and sends a response to the browser, which redirects the browser to the GCF connector pickup URL :8808/cpipconnector/alias/Pickup?sid=luminis_session_id • The GCF returns a response header and a completely "filled in" version of the external system's login page (username, password and all) to the end user's browser as a web page response. • Because the password is in that page, the pickup response should only travel over HTTPS and should not be cacheable.
Pickup Response • Similar to remote pickup except that there is no pickup.html file on the server. • This means that Luminis has to be able to evaluate a successful response vs. a failed response • Does this through its XML File
GCF - XML File (Extended)
<operations>
  <authenticate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <POST a:url="${properties.loginpath}" a:query="" a:redirects="no" >
          <PARAM a:name="fromlogin" a:value="true" />
          <PARAM a:name="username" a:value="${_CPUSERNAME}" />
          <PARAM a:name="password" a:value="${_PASSWORD}" />
        </POST>
        <SEARCH a:symbol="RetVal" a:source="${_RESPONSE}" a:value="${_VALUE}" >
          <EXISTS a:string="Authentication Failed" a:found="FALSE" a:notfound="TRUE" />
        </SEARCH>
        <RESULT a:value="TRUE" />
      </SESSION>
    </CLIENT>
  </authenticate>
GCF - XML File (Extended)
  <lastActive>
    <CLIENT>
      <SESSION>
        <GET a:url="${properties.lastactivepath}" a:query="" a:redirects="no" />
        <SEARCH a:symbol="RetVal" a:source="${_RESPONSE}" a:value="${_VALUE}" >
          <EXISTS a:string="UserName:" a:found="FALSE" a:notfound="TRUE" />
        </SEARCH>
        <RESULT a:value="${RetVal}" />
      </SESSION>
    </CLIENT>
  </lastActive>
  <deauthenticate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <GET a:url="${properties.logoutpath}" a:query="" a:redirects="no" />
        <RESULT a:value="TRUE" />
      </SESSION>
    </CLIENT>
  </deauthenticate>
</operations>