Download
1 / 37
E N D
1. Understanding Single Sign-on Part 3 - Halfway There SSO Welcome. I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary.
In the way of background: Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using Luminis and CPIP for several years. We also have Windows Active Directory and Unix LDAP servers for authentication via Windows login, LDAP, and Kerberos protocols.
Our Web Single Sign-on discussions began in Spring 2002 with our Portal roll-out, initially including SSO to Blackboard and Webmail.
Ive been using the CPIP SSO interface since Jan 2004, and several other forms of SSO since then.
Scott has been our Luminis Engineer for the last several years.
Welcome. I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary.
In the way of background: Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using Luminis and CPIP for several years. We also have Windows Active Directory and Unix LDAP servers for authentication via Windows login, LDAP, and Kerberos protocols.
Our Web Single Sign-on discussions began in Spring 2002 with our Portal roll-out, initially including SSO to Blackboard and Webmail.
Ive been using the CPIP SSO interface since Jan 2004, and several other forms of SSO since then.
Scott has been our Luminis Engineer for the last several years.
2. Halfway There SSO If it were done when 'tis done, then 'twere well it were done quickly.
(William Shakespeare, Macbeth) Last years presentation was called Putting all the eggs in one basket.
It turns out that the title was more than just clever it was somewhat prescient.
Single sign-on has a great deal to do with this notion of putting everything in one place and all of the convenience and inconvenience associated with having everything in one place. The notes for that presentation are still available for those who are interested...
At least years Portal 2006 conference I attempted to explain the Luminis CPIP solution, a generic connector built off of that solution, and several hacks we had developed to provide various forms of SSO into closed/proprietary systems all in ONE 90-minute session!
Having reflected on SSO for another year, I decided upon a different approach. This year, I have expanded upon several of the types of SSO solutions we have used at W&M, devoting a session to each.
Last years presentation was called Putting all the eggs in one basket.
It turns out that the title was more than just clever it was somewhat prescient.
Single sign-on has a great deal to do with this notion of putting everything in one place and all of the convenience and inconvenience associated with having everything in one place. The notes for that presentation are still available for those who are interested...
At least years Portal 2006 conference I attempted to explain the Luminis CPIP solution, a generic connector built off of that solution, and several hacks we had developed to provide various forms of SSO into closed/proprietary systems all in ONE 90-minute session!
Having reflected on SSO for another year, I decided upon a different approach. This year, I have expanded upon several of the types of SSO solutions we have used at W&M, devoting a session to each.
3. Understanding Single Sign-on Part 3 - Halfway There SSO Welcome. I hope you are finding the conference beneficial.
I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary.
Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using CPIP for several years.
Our Single Sign-on discussions began In Spring 2002 with our Portal roll-out (Blackboard, Webmail).
Ive personally been involved in the CPIP SSO code since Jan 2004.
In this session well be covering how the Luminis/Campus Pipeline Integration Protocol (CPIP) can provide a single sign-on solution.
The concepts will work with other Single Sign-on systems as well. But the Luminis/CPIP connection form the basis for the solutions weve developed at William and Mary.
Before we begin, Id like to get an idea of who is here, and possibly gear my remarks accordingly. In particular, Im interested in knowing:
Show of hands:
1) Are you using Luminis?
2) Are you evaluating Luminis?
3) Are you using another portal? (Which?)
4) Are you using another Single Sign-on mechanism (such as Shibboleth or the Liberty Alliance framework)?
5) Do you have any Single Sign-on Applications at this time? (What?)
Welcome. I hope you are finding the conference beneficial.
I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary.
Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using CPIP for several years.
Our Single Sign-on discussions began In Spring 2002 with our Portal roll-out (Blackboard, Webmail).
Ive personally been involved in the CPIP SSO code since Jan 2004.
In this session well be covering how the Luminis/Campus Pipeline Integration Protocol (CPIP) can provide a single sign-on solution.
The concepts will work with other Single Sign-on systems as well. But the Luminis/CPIP connection form the basis for the solutions weve developed at William and Mary.
Before we begin, Id like to get an idea of who is here, and possibly gear my remarks accordingly. In particular, Im interested in knowing:
Show of hands:
1) Are you using Luminis?
2) Are you evaluating Luminis?
3) Are you using another portal? (Which?)
4) Are you using another Single Sign-on mechanism (such as Shibboleth or the Liberty Alliance framework)?
5) Do you have any Single Sign-on Applications at this time? (What?)
4. Halfway There SSO I love deadlines. I especially like the whooshing sound they make as they go flying by.
(Douglas Adams) So whats our agenda today?
Ive made a bit of an outline of the things well be talking about today, in case youre one of those folks who follows along better if you know where were planning to end up...So whats our agenda today?
Ive made a bit of an outline of the things well be talking about today, in case youre one of those folks who follows along better if you know where were planning to end up...
5. Halfway There SSO Overview
Methods of Handoff
Portal as Gateway to Everything
Careful What you Wish
Outages, portal infrastructure, and mitigating risk
Review Two-step SSO solutions
Network Infrastructure
Types of Systems
Implementaion
The Easy Part, the Hard Part, and the Even Harder Part
Halfway There SSO
Security Concerns
Summary of Topics
Lets dive in...Summary of Topics
Lets dive in...
6. Halfway There SSO Prediction is especially difficult.
Especially about the future.
(Niels Bohr) Were looking at making a framework for connecting to things you dont have yet, and therefore cannot know how to connect to them...
Were looking at making a framework for connecting to things you dont have yet, and therefore cannot know how to connect to them...
7. Two-Step SSO Methods for Handoffs
Several ways of getting external services to the user.
Basic Links
No authentication
Links with simple identifiers
Bucket sorting parents vs. students, etc.
(Secure) Single Sign-on (SSO)
Single Redirect SSO
Two-step SSO
Other Hacks
Halfway There
Closed Systems Who are you? Does it matter?
There are several type of content we might want to supply...
Some of them depend upon who you are others not so much.
(Basic Links)
Some might present things based on role if it is known, but arent secure info so if you pretend to be something else, you just see a different set of public info...
(simple identifiers)
And then there are services where you really need to know that the person viewing and manipulating your data is *exactly* who he or she claims to be!Who are you? Does it matter?
There are several type of content we might want to supply...
Some of them depend upon who you are others not so much.
(Basic Links)
Some might present things based on role if it is known, but arent secure info so if you pretend to be something else, you just see a different set of public info...
(simple identifiers)
And then there are services where you really need to know that the person viewing and manipulating your data is *exactly* who he or she claims to be!
8. Halfway There SSO One Ring to Rule them all...
(Tolkien) You probably recognize this quote from The Lord of the Rings.
I might be mixing metaphors a bit, but I thought it appropriate.
Weve created this portal that is now the authoritative source for information and services. We now have all the convenience *and* inconvenience associate with a single point of entry...You probably recognize this quote from The Lord of the Rings.
I might be mixing metaphors a bit, but I thought it appropriate.
Weve created this portal that is now the authoritative source for information and services. We now have all the convenience *and* inconvenience associate with a single point of entry...
9. Halfway There SSO Portal as Gateway to Everything
The authoritative source for information and services
Course Registration, Course Evals, Grades
Admission, Financial Aid, HR, Payroll
Facilities Management, Other Admin Apps
Course Management System (Blackboard)
Announcements and News (RSS)
Webmail
Calendars
Discussion Boards
Auxiliaries (Bookstore, Express Card, Copy Co)
Blogs, Wikis, and other Cool Things Before we get too deep into specific examples, lets talk about all of these eggs were putting into our proverbial basket...
The portal is our basket, which we want to be the primary gateway though which the campus community will access all manner of Web-based campus systems and services.
We want this portal to be the authoritative source for information and services to the campus. Its the one stop shop where members of the campus community can find all of the Web Services your campus provides. **Single Sign-on** is the mechanism by which the portal can consume or link to resources external to the portal itself.
So, heres a sample list of systems and services you might be running on your campus.
Its not meant to be exhaustive. But its a fair representation of what weve done or plan to do at William and Mary.
As Ive indicated, we use Banner as our main Enterprise Information System and Luminis as our Portal.
SunGard owns both Luminis and Banner so they supply the connector between these applications and the portal.
Blackboard is also a bit special in that (for an exorbitant fee) they can build the CPIP SSO connector for you.
The rest of these systems pretty much require a bit more work on our part to build the connector...
So we can summarize the types of connectors as:
Provided Connectors (Banner/Course Registration)
Purchased Connectors (Blackboard)
Developed CPIP Connectors (Webmail, CourseEvals)
Other Connectors (For difficult systems)Before we get too deep into specific examples, lets talk about all of these eggs were putting into our proverbial basket...
The portal is our basket, which we want to be the primary gateway though which the campus community will access all manner of Web-based campus systems and services.
We want this portal to be the authoritative source for information and services to the campus. Its the one stop shop where members of the campus community can find all of the Web Services your campus provides. **Single Sign-on** is the mechanism by which the portal can consume or link to resources external to the portal itself.
So, heres a sample list of systems and services you might be running on your campus.
Its not meant to be exhaustive. But its a fair representation of what weve done or plan to do at William and Mary.
As Ive indicated, we use Banner as our main Enterprise Information System and Luminis as our Portal.
SunGard owns both Luminis and Banner so they supply the connector between these applications and the portal.
Blackboard is also a bit special in that (for an exorbitant fee) they can build the CPIP SSO connector for you.
The rest of these systems pretty much require a bit more work on our part to build the connector...
So we can summarize the types of connectors as:
Provided Connectors (Banner/Course Registration)
Purchased Connectors (Blackboard)
Developed CPIP Connectors (Webmail, CourseEvals)
Other Connectors (For difficult systems)
10. Halfway There SSO ...and in the darkness bind them.
(Tolkien) So heres the other half of that Lord of the Rings quote.
Again, appropriate to our conversation of the portal being the authoritative source for information and services.
In this case, darkness indicates...`So heres the other half of that Lord of the Rings quote.
Again, appropriate to our conversation of the portal being the authoritative source for information and services.
In this case, darkness indicates...`
11. Halfway There SSO Careful What You Wish...
The authoritative source for information and services
The Portal is Down
Scheduled Maintenance
Upgrades and patches
Unscheduled Maintenance
Server goes down
Portal goes down
CPIP cannot connect
Now what? The portal is down.
The portal is the authoritative source for information and services. And it is DOWN ?!?!
What external services are available (and how people get directed to them) is directly related to how you implement single sign-on within your portal.
Lets go back over our list of systems:
* Services provided by the portal itself will be unavailable.
At William and Mary, this includes the student personal and group calendars and discussion areas, campus-wide and targeted announcements, and the convenience of subscribed headlines within the portal.
* Other services which were built with tight integration into the portal which may also be difficult to access.
At William and Mary this includes the Course Evaluations system.
* Some systems that have more complex integrations (well talk about a bit later)
An example of this at William and Mary is the Copy Center system
The portal is down.
The portal is the authoritative source for information and services. And it is DOWN ?!?!
What external services are available (and how people get directed to them) is directly related to how you implement single sign-on within your portal.
Lets go back over our list of systems:
* Services provided by the portal itself will be unavailable.
At William and Mary, this includes the student personal and group calendars and discussion areas, campus-wide and targeted announcements, and the convenience of subscribed headlines within the portal.
* Other services which were built with tight integration into the portal which may also be difficult to access.
At William and Mary this includes the Course Evaluations system.
* Some systems that have more complex integrations (well talk about a bit later)
An example of this at William and Mary is the Copy Center system
12. Halfway There SSO In theory there is no difference between theory and practice. In practice there is.
(Yogi Berra)
Yogi Berra is a pretty insightful guy.
In theory, we want to make our portal the authoritative source for information and services for the campus.
In practice, we need to mitigate the risk of putting all the eggs in one basket. Things happen. The system will eventually be down. What is the emergency plan?Yogi Berra is a pretty insightful guy.
In theory, we want to make our portal the authoritative source for information and services for the campus.
In practice, we need to mitigate the risk of putting all the eggs in one basket. Things happen. The system will eventually be down. What is the emergency plan?
13. Mitigating Risk
