Banner 8 INB/SSB Single Sign On with SSO Manager

My prior series describes how to set up a Single Sign On environment for Banner XE modules using Ellucian Identity Service (EIS). For Banner 8 INB/SSB, one more component has to be added on top of EIS to implement Single Sign On: the SSO Manager of Banner Enterprise Identity Service (BEIS).

SSO Manager is one of the modules of BEIS and runs on Oracle WebLogic Server. The basic steps are listed below.

  1. Oracle Weblogic Server (WLS) installation
  2. Create basic domain and Install admin server
  3. Start basic domain
  4. Create machine definition
  5. Start and Stop weblogic node manager
  6. Create managed server for SSO Manager
  7. Deploy SSO Manager
  8. Create EIS service provider
  9. Configure Banner 8 INB/SSB for EIS

The first two steps are generic, and a good source for them is the PDF “Oracle WebLogic Server (WLS) 11gR1 (10.3.5 and 10.3.6) Installation on Oracle Linux 5 and 6”.

Once Oracle WebLogic Server and the admin server are installed (Steps 1 and 2), the next step is to start the basic domain (Step 3).

1. On the server where Oracle WebLogic Server is installed, set two environment variables:

WL_HOME=$MIDDLEWARE_HOME/wlserver_10.3
DOMAIN_HOME=$MIDDLEWARE_HOME/user_projects/domains/base_domain

2. Start the domain’s Admin Server interactively:

   sh $DOMAIN_HOME/startWebLogic.sh

3. Create a new file $DOMAIN_HOME/servers/AdminServer/security/boot.properties containing the username weblogic and its password, for example:
 
   username=weblogic
   password=password

4. Start the Admin Server in the background:

   nohup $DOMAIN_HOME/startWebLogic.sh > startWebLogic.log 2>&1 &

5. Wait 60 seconds, then test the WebLogic Console’s URL:

   http://weblogic_server.domain:7002/console

6. Log in to the console as “weblogic” with the password from boot.properties.
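Steps 1 to 6 above can be scripted. The following is an added example (not from the original post) that performs them non-interactively. It assumes MIDDLEWARE_HOME, the console URL and the WLS_USER/WLS_PASSWORD environment variables, and it creates boot.properties with mode 0600 because the file holds the admin password in clear text until WebLogic encrypts it on the next boot:

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap the WebLogic Admin
# Server of the SSO Manager base domain without an interactive prompt.
# Paths follow the post; MIDDLEWARE_HOME, the console URL and the
# credentials are assumptions supplied through the environment.

set -u

MIDDLEWARE_HOME="${MIDDLEWARE_HOME:-/u01/app/oracle/middleware}"   # assumption
WL_HOME="$MIDDLEWARE_HOME/wlserver_10.3"
DOMAIN_HOME="$MIDDLEWARE_HOME/user_projects/domains/base_domain"
CONSOLE_URL="${CONSOLE_URL:-http://weblogic_server.domain:7002/console}"

# Write boot.properties so startWebLogic.sh does not prompt for credentials.
# The password is in clear text until WebLogic encrypts the file on the next
# boot, so the file is created under umask 077 and forced to mode 0600.
write_boot_properties() {
    dir="$1"; user="$2"; pass="$3"
    mkdir -p "$dir" || return 1
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$dir/boot.properties" ) || return 1
    chmod 600 "$dir/boot.properties"
}

# file_mode FILE -> permission string such as -rw------- (portable via ls)
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Start the Admin Server in the background, logging beside the domain.
start_admin_server() {
    ( cd "$DOMAIN_HOME" && nohup "$DOMAIN_HOME/startWebLogic.sh" > startWebLogic.log 2>&1 & )
}

# Poll the console URL until it answers (HTTP 200 or 302) or attempts run out.
# Returns 0 when reachable, 1 otherwise.
wait_for_console() {
    url="$1"; attempts="${2:-12}"; delay="${3:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url" 2>/dev/null)
        case "$code" in 200|302) return 0 ;; esac
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Only touch the real domain when explicitly asked; otherwise the functions
# above are merely defined so the file can be sourced or tested.
if [ "${RUN_WLS_BOOTSTRAP:-0}" = "1" ]; then
    write_boot_properties "$DOMAIN_HOME/servers/AdminServer/security" \
        "${WLS_USER:-weblogic}" "${WLS_PASSWORD:?set WLS_PASSWORD}" || exit 1
    start_admin_server || exit 1
    if wait_for_console "$CONSOLE_URL"; then
        echo "console reachable at $CONSOLE_URL"
    else
        echo "console not reachable, check $DOMAIN_HOME/startWebLogic.log" >&2
        exit 1
    fi
fi
```

Run it as `RUN_WLS_BOOTSTRAP=1 WLS_PASSWORD='...' sh wls_bootstrap.sh`; the password is read from the environment rather than written into the script, and the 0600 mode on boot.properties keeps it from other local accounts until WebLogic replaces it with the encrypted form.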

Step 4. Create machine definition

In the base domain panel, go to Environment –> Machine and accept all defaults to create a new machine.


Step 5. Start and stop WebLogic Node Manager

1. Start Node Manager in the background:
 
  nohup $WL_HOME/server/bin/startNodeManager.sh > startNodeManager.log 2>&1 &

2. Check the Node Manager’s availability in the WebLogic Console:

  In the base domain panel, go to Environment -> Machine -> click on ssomanager (machine) -> Monitoring -> Node Manager Status.
  The status should be ‘Reachable’.
 
3. In the shell session, stop Node Manager and check that it has stopped (pgrep should print nothing):

  pkill -f weblogic.NodeManager
  pgrep -f weblogic.NodeManager


Step 6. Create Managed Server for SSO Manager

In the base domain panel, go to Environment –> Servers and create a new server called ssomanager.


Select the server (ssomanager), open the ‘Server Start’ tab, click in the Arguments box and enter the settings appropriate for your environment.

In the SSL tab, open Advanced and make sure the “Use JSSE SSL” check box is checked.

Posted in Ellucian | Tagged , , | Leave a comment

Ellucian Identity Service (Part 6) – Banner XE Configuration for EIS

The steps below outline the configuration for the Banner XE StudentClassSchedule module; the steps are similar for other Banner XE modules.

Step 1.

Edit the file $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/instance/config/StudentClassSchedule_configuration.groovy

Locate this block:

banner {
    sso {
        authenticationProvider           = 'default' //  Valid values are: 'default', 'cas'
        authenticationAssertionAttribute = 'UDC_IDENTIFIER'
    }
}

Change it to:

banner {
    sso {
        authenticationProvider           = 'cas' //  Valid values are: 'default', 'cas'
        authenticationAssertionAttribute = 'UDC_IDENTIFIER'
    }
}

Step 2.

Edit the same file, $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/instance/config/StudentClassSchedule_configuration.groovy

Locate the block below and replace the highlighted placeholders (CAS_HOST, BANNER9_HOST, APP_NAME, PORT) with the EIS server name, the Banner XE application host, the Banner XE application name and the port numbers for your environment.

grails {
    plugins {
        springsecurity {
            cas {
                // replace CAS_HOST, BANNER9_HOST, APP_NAME and PORT with your own values
                serverUrlPrefix    = 'http://CAS_HOST:PORT/cas'
                serviceUrl         = 'http://BANNER9_HOST:PORT/APP_NAME/j_spring_cas_security_check'
                serverName         = 'http://BANNER9_HOST:PORT'
                proxyCallbackUrl   = 'http://BANNER9_HOST:PORT/APP_NAME/secure/receptor'
                loginUri           = '/login'
                sendRenew          = false
                proxyReceptorUrl   = '/secure/receptor'
                useSingleSignout   = true
                key                = 'grails-spring-security-cas'
                artifactParameter  = 'ticket'
                serviceParameter   = 'service'
                filterProcessesUrl = '/j_spring_cas_security_check'
            }
            logout {
                afterLogoutUrl = 'https://cas-server/logout?url=http://myportal/main_page.html'
            }
        }
    }
}
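Before rebuilding the WAR, it is worth checking that no template placeholder survived and that the CAS URLs use https, since the service ticket travels in them. The following added example (not from the original post) is a small shell check for those conditions and for the authenticationProvider switch from Step 1; the sample configuration it builds is constructed for the demonstration and its hostnames are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Banner XE
# *_configuration.groovy before rebuilding the WAR. It flags template
# placeholders that were never replaced, CAS URLs that still use plain http,
# and a CAS provider that was not switched on. The sample file below is
# constructed for the demonstration; its hostnames are assumptions.

# check_cas_config FILE -> prints one line per problem, returns 1 if any found
check_cas_config() {
    cfg="$1"; problems=0
    # 1. Placeholders from the template must be gone (-w: whole words only).
    for ph in CAS_HOST BANNER9_HOST APP_NAME PORT; do
        if grep -qw "$ph" "$cfg"; then
            echo "placeholder $ph still present in $cfg"
            problems=$((problems + 1))
        fi
    done
    # 2. These URLs carry the service ticket or proxy-granting ticket, so
    #    they should be https rather than http.
    for key in serverUrlPrefix serviceUrl serverName proxyCallbackUrl; do
        if grep -E "^[[:space:]]*$key[[:space:]]*=[[:space:]]*['\"]http://" "$cfg" >/dev/null; then
            echo "$key uses plain http in $cfg"
            problems=$((problems + 1))
        fi
    done
    # 3. The CAS provider must actually be enabled (Step 1 of the post).
    if ! grep -E "authenticationProvider[[:space:]]*=[[:space:]]*'cas'" "$cfg" >/dev/null; then
        echo "authenticationProvider is not 'cas' in $cfg"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# make_sample_config -> path of a constructed configuration with four defects:
# two leftover placeholders and two plain-http URLs.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
banner {
    sso {
        authenticationProvider           = 'cas'
        authenticationAssertionAttribute = 'UDC_IDENTIFIER'
    }
}
grails {
    plugins {
        springsecurity {
            cas {
                serverUrlPrefix  = 'https://eis.example.edu:9443/cas'
                serviceUrl       = 'http://banner9.example.edu:8080/StudentClassSchedule/j_spring_cas_security_check'
                serverName       = 'http://BANNER9_HOST:PORT'
                proxyCallbackUrl = 'https://banner9.example.edu:8443/StudentClassSchedule/secure/receptor'
            }
        }
    }
}
EOF
    echo "$f"
}

# count_problems FILE -> number of problem lines reported
count_problems() {
    check_cas_config "$1" | wc -l | tr -d ' '
}

# Real use: sh check_cas_config.sh path/to/StudentClassSchedule_configuration.groovy
if [ "${1:-}" != "" ]; then
    check_cas_config "$1"
else
    sample=$(make_sample_config)
    check_cas_config "$sample"
    rm -f "$sample"
fi
```

On the constructed sample the check reports four problems (BANNER9_HOST and PORT still present, serviceUrl and serverName on plain http) and exits non-zero, which makes it usable as a gate in the rebuild step.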

Step 3.

Recreate the WAR file and redeploy it in Tomcat.

Change directory to the installer:

   cd $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/installer

Recreate the WAR file:

   ant bin\systool war

Copy the regenerated WAR to $TOMCAT_HOME/webapps:

   cp $TOMCAT_HOME/ban9temp/banner_test_homes/StudentClassSchedule/current/dist/StudentClassSchedule-9.3.war $TOMCAT_HOME/webapps

Step 4.

Once it is deployed, confirm that it can be accessed in a browser.

Step 5.

The EIS service provider for this Banner XE module was already created in the prior post “Ellucian Identity Service (Part 5) – EIS Configuration for Banner XE SSO”.

Step 6.

It should log you into Banner XE StudentClassSchedule using your LDAP credentials. Click “Sign Out”; it should log you out of Banner XE StudentClassSchedule and redirect the browser to the portal URL you defined in afterLogoutUrl.


							

Ellucian Identity Service (Part 5) – EIS Configuration for Banner XE SSO

In the first four parts of this series, I talked about the installation, preparation, troubleshooting and LDAP setup of Ellucian Identity Service. At this point, EIS is ready for further configuration to provide Single Sign On for Banner XE modules, as well as for Banner 8 INB/SSB (which additionally requires the SSO Manager of Banner Enterprise Identity Service).

Configuring the UDC_IDENTIFIER Claim

A UDC_IDENTIFIER claim needs to be created in the EIS Admin Console as a local claim mapping in the http://wso2.org/claims dialect. This UDCID claim maps to the “cn” LDAP attribute, which holds the user’s UDC_IDENTIFIER from Banner.

1. Navigate to the EIS Admin Console (e.g. http(s)://<host>:<port>/carbon).

2. On the EIS Admin Console, select Configure > Claim Management > http://wso2.org/claims


3. On the http://wso2.org/claims page, select “Add New Claim Mapping”

4. Configure the new claim mapping so that the UDC_IDENTIFIER claim is mapped to the “cn” LDAP attribute, as described above.

5. Verify that the claim has been added on the “Available Claims for http://wso2.org/claims” page within Home > Configure > Claim Management > http://wso2.org/claims.

Once the UDC_IDENTIFIER claim is created, we can configure the integration between the EIS identity provider and the Banner XE modules using the CAS single sign-on protocol.

EIS Service Provider Configuration

The first step is to create a service provider in EIS to represent the Banner XE module.

1. Create a Service Provider in EIS for Application Navigator:


2. On the EIS Management Console, navigate to Main > Service Provider List, select the newly registered “Banner XE StudentClassSchedule” service provider and click the “Edit” link.

3. Click on the “Claim Configuration” drop-down and configure the claims as follows, so that a Banner user’s UDCID is mapped from the EIS LDAP user store to the Banner XE modules. Also configure the Inbound Authentication for CAS Configuration; the service URL here is the URL of the Banner XE module itself.
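The claim mapped here is what Banner XE later reads from the CAS validation response through authenticationAssertionAttribute = 'UDC_IDENTIFIER' (Part 6, Step 1 above). The following added example (not from the original post, and not Ellucian's or WSO2's code) checks a captured serviceValidate response for that attribute, so a failed XE login can be traced to a missing claim rather than a bad ticket. The three responses are constructed in the CAS 3.0 attribute layout, which is an assumption about the exact output EIS produces; the user name and UDCID value are made up:

```shell
#!/bin/sh
# Added example (not from the original post): check that a CAS validation
# response from EIS carries the attribute Banner XE expects
# (authenticationAssertionAttribute = 'UDC_IDENTIFIER'). The responses are
# constructed in the CAS 3.0 attribute layout; capture EIS's real output from a
# serviceValidate call and feed it to the same function.

# Constructed sample: success with the mapped claim present.
SAMPLE_OK='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:UDC_IDENTIFIER>123456789</cas:UDC_IDENTIFIER>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>'

# Constructed sample: success, but the claim mapping was never configured.
SAMPLE_NO_CLAIM='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>'

# Constructed sample: validation failed.
SAMPLE_FAIL='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>'

# assertion_attribute RESPONSE ATTR -> prints the attribute value. Exit codes:
#   0 found, 1 validation failed, 2 success but attribute missing
assertion_attribute() {
    resp="$1"; attr="$2"
    printf '%s\n' "$resp" | grep -q '<cas:authenticationSuccess>' || return 1
    value=$(printf '%s\n' "$resp" | sed -n "s/.*<cas:$attr>\([^<]*\)<\/cas:$attr>.*/\1/p" | head -n 1)
    [ -n "$value" ] || return 2
    printf '%s\n' "$value"
}

# cas_user RESPONSE -> the authenticated principal
cas_user() {
    printf '%s\n' "$1" | sed -n 's/.*<cas:user>\([^<]*\)<\/cas:user>.*/\1/p' | head -n 1
}

# Stand-alone run: show what Banner XE would get from each sample.
for s in "$SAMPLE_OK" "$SAMPLE_NO_CLAIM" "$SAMPLE_FAIL"; do
    rc=0; v=$(assertion_attribute "$s" UDC_IDENTIFIER) || rc=$?
    case "$rc" in
        0) echo "user=$(cas_user "$s") UDC_IDENTIFIER=$v -> Banner XE can map this user" ;;
        1) echo "validation failed -> no session" ;;
        2) echo "user=$(cas_user "$s") but no UDC_IDENTIFIER -> check the claim configuration" ;;
    esac
done
```

The second case is the one this section guards against: the ticket is valid and the user is known, but without the claim mapping the assertion attribute is empty and the Banner XE module cannot resolve the user.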



Ellucian Identity Service (Part 4) – Dealing with LDAP

Configuring EIS to connect to LDAP overrides the EIS admin console credential, which means the default “admin” account no longer works. Instead, the LDAP account defined in $EIS_HOME/repository/conf/user-mgt.xml is the one used to log in to the EIS admin console. For instance, I simply replaced it with my AD account “wangr”. No password change is required, as the AD account’s password is used.


This is the change needed to make an AD account the admin. It cannot be applied with the “ant config-all-xml” command described in my prior post “Ellucian Identity Service (Part 2) – Preparation”; it has to be made manually.

Also, if the LDAP settings are the only ones that need to change, there is no need to reapply all properties from $EIS_HOME/config/eis_condig.properties. One option is to update $EIS_HOME/repository/conf/user-mgt.xml directly, but doing so means the settings in $EIS_HOME/config/eis_condig.properties are no longer the up-to-date ones.


As Single Sign On usually serves multiple applications, EIS needs to deal with distinct user groups in LDAP. For instance, in our organization, employees and students use different types of AD account. That requires the proper settings for the three properties listed below:

  • UserSearchBase
  • UserNameSearchFilter
  • UserNameAttribute

One more thing: if you are using LDAPS (secured LDAP) to connect to Active Directory, you need to import the Active Directory certificate into the client-truststore.jks of the WSO2 product. More details can be found in my prior post “Ellucian Identity Service (Part 2) – Preparation”.


Ellucian Banner INB Single Sign On error – “Ticket is expired”

My prior posts talk about the successful implementation of Single Sign On with Ellucian Banner 8 INB/SSB, along with Banner XE modules.

Recently, we rebooted the server where the Ellucian BEIS SSO Manager runs. Once it was restarted, we experienced a login issue with INB, but had no issue with the other applications. The login error was “Ticket is expired”.


Log file ssomgr.log shows:

2016-08-05 10:32:31,324 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Entered 
2016-08-05 10:32:31,330 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Credential Id:21 
2016-08-05 10:32:31,335 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Entered is Ticket Expired  
2016-08-05 10:32:31,335 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Time at which SSOTicket was created: 2016-08-05 10:28:00.0 
2016-08-05 10:32:31,336 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Number of seconds in which SSOTicket should timeout: 60 
2016-08-05 10:32:31,336 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Ticket has expired. Deleting current ticket and all older tickets for the same credentials 
2016-08-05 10:32:31,348 ERROR [com.ellucian.sso.inb.ws.ep.CredentialsServiceEndPoint.] - com.ellucian.sso.exception.ApplicationException: com.ellucian.sso.exception.ApplicationException: SSO Ticket:[423B599F2DE23D3E5D4D37957362CDD3] expired 
2016-08-05 10:32:31,349 INFO [com.ellucian.sso.inb.ws.ep.CredentialsServiceEndPoint.] - Result:FAILURE 
2016-08-05 10:32:31,349 INFO [com.ellucian.sso.inb.ws.ep.CredentialsServiceEndPoint.] - Exited 
2016-08-05 10:32:31,355 DEBUG [com.ellucian.sso.inb.ws.security.AuthenticationFilter.] - Exited 

The log shows that the ticket had already expired when it was checked: it was created at 10:28:00 with a timeout of 60 seconds, but not validated until 10:32:31. To solve this issue, I increased the value of the parameter ticket.timeout.seconds from the default 60 seconds to 600 seconds. Also, as suggested by Ellucian support, I added a new server start argument, “-Dweblogic.client.socket.ConnectTimeout=120000”, to the admin server of the WebLogic base domain where SSO Manager is installed.

These two actions solved the problem.
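To make the comparison the log invites explicit, here is an added example (not from the original post) that parses the three relevant ssomgr.log lines and reports the ticket's age at validation against the configured timeout. The log lines it uses are copied from the excerpt above; the time arithmetic assumes creation and validation fall on the same day:

```shell
#!/bin/sh
# Added example (not from the original post): read SSO Manager's ssomgr.log
# and measure, for the last "Ticket has expired" event, how long after
# creation the ticket was validated versus the configured timeout.
# The sample lines are copied from the log quoted in the post.

# make_sample_log -> path of a temporary file holding the three relevant lines
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2016-08-05 10:32:31,335 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Time at which SSOTicket was created: 2016-08-05 10:28:00.0
2016-08-05 10:32:31,336 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Number of seconds in which SSOTicket should timeout: 60
2016-08-05 10:32:31,336 DEBUG [com.ellucian.sso.inb.ws.facade.impl.CredentialsServiceFacadeImpl.] - Ticket has expired. Deleting current ticket and all older tickets for the same credentials
EOF
    echo "$f"
}

# to_seconds "HH:MM:SS" -> seconds since midnight (same-day assumption)
to_seconds() {
    echo "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# ticket_age LOGFILE -> seconds between the ticket's creation time and the
# timestamp of the line that declared it expired
ticket_age() {
    created=$(sed -n 's/.*SSOTicket was created: [0-9-]* \([0-9:]*\)\..*/\1/p' "$1" | tail -n 1)
    checked=$(grep 'Ticket has expired' "$1" | tail -n 1 | cut -d' ' -f2 | cut -d, -f1)
    echo $(( $(to_seconds "$checked") - $(to_seconds "$created") ))
}

# ticket_timeout LOGFILE -> the timeout SSO Manager applied, in seconds
ticket_timeout() {
    sed -n 's/.*SSOTicket should timeout: \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# report LOGFILE -> one summary line comparing age and timeout
report() {
    age=$(ticket_age "$1"); timeout=$(ticket_timeout "$1")
    if [ "$age" -gt "$timeout" ]; then
        echo "age=${age}s timeout=${timeout}s -> validated ${age}s after creation, beyond the timeout"
    else
        echo "age=${age}s timeout=${timeout}s -> within timeout"
    fi
}

# Stand-alone run on the sample; for a real server pass ssomgr.log to report.
sample=$(make_sample_log)
report "$sample"
rm -f "$sample"
```

On the quoted lines it reports an age of 271 seconds against a 60-second timeout; that gap is well under the 600 seconds the post raised ticket.timeout.seconds to, which is consistent with the fix working for this case. Running it after each restart gives a quick check that the two values stay in the expected relationship.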

Note 1: The increased value of ticket.timeout.seconds only takes effect after the required steps are carried out; please see the attachment.

Note 2: In the WebLogic console, select Servers –> AdminServer(admin) –> Configuration –> Server Start, and add -Dweblogic.client.socket.ConnectTimeout=120000 to the Arguments section.
