The Central Authentication Server (CAS) is used by Ellucian Banner to perform Single-Sign-On authentication services for Banner 9/INB and SSB products. CAS functions in the following manner:
The overall process flow for a Banner Application CAS login can be summarized as follows:
The connector can be either from Tomcat directly or from using apache-httpd. Please note the SSL certificate must be added into the Java truststore which is running tomcat.
You must have an LDAP server for CAS to authenticate against. In most cases, this will be from Active Directory. However, for sites that do not have Microsoft, OpenLDAP seems to work also.
In addition, you must also create an LDAP user that has the ability to browse the entire LDAP tree. This is required so that attributes can be looked up when a user authenticates.
Finally, each user under LDAP MUST have at least ONE attribute that is unique. The attribute name can be anything as long as the value is unique for all accounts (example EmployeeNumber). This attribute will be returned by CAS if they successfully authenticate.
Several changes need to be made in this file. Simply search for the various code blocks.
|LDAP Server and Port||
<bean id="LDAPcontextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="false"/>
<property name="urls"> <list> <value>ldap://my.ldaphost:port</value> </list> </property>
LDAP User Password and Base Domain
1. Specify the username and password for your LDAP user here. You must also specify the context of this user. Remember the user must have FULL abilities to browse the LDAP Tree Note the username/password and context must be entered in (2) places.
2. You must also specify the BASE DN of the LDAP Tree
<property name="userDn" value="CN=username,ou=context,dc=context,dc=more-context " />
<property name="password" value="password for username" />
<property name="baseEnvironmentProperties"> <map> <entry> <key> <value>java.naming.security.authentication</value> </key> <value>simple</value> </entry> </map> </property>
</bean> <sec:user-service id="userDetailsService"> <sec:user name="username" password="password for username" authorities="ROLE_ADMIN" /> </sec:user-service>
Unique Attribute UDC_IDENTIFIER
In this example the EmployeeNumber will be returned.
This value will then passed into Banner and checked against GOBEACC and GOBUMAP.
<map> <entry key="employeeNumber" value="UDC_IDENTIFIER" /> <entry key="sAMAccountName" value="uid" /> </map>
If the authentication to CAS is successful, a unique identifier (UDC_IDENTIFIER) will be return from CAS to the Banner application.
Banner will then check following tables
Users that want to login to Banner SSB using CAS must have a record in GOBUMAP.
Users that want to login to Banner 9/INB using CAS must have a record in BOTH GOBUMAP and GOBEACC.
Setup of CAS with Ellucian Banner Applications
After CAS is setup, you will need to enter this information into the various Banner applications:
Banner 8 INB and SSB require SSOManager. In most cases you will need to rebuild SSOManager with the updated CAS server information. The CAS server URL can be validated in the SSOManager application, but cannot be changed.
In addition, if you are running Banner 8 SSB, you must update the Webtailor values IDMLOGINURI, IDMLOGOUTURI, and IDMSSO to your CAS login URL, logout URL, and Y, respectively.
Navigate to: Webtailor Administration->Webtailor Parameters as shown below:
Finally, if you are running Banner 9, you must update the CAS server URL for the corresponding Banner instance under Ellucian Solution Manager (ESM)