
Upload: meredith-hardy

Post on 16-Dec-2015


Page 1: Project Overview Single Sign On Solution Robin Lilly

Project Overview

Single Sign On Solution

Robin Lilly

Page 2

Description of Single Sign On

Single sign-on will allow a user to sign on to UTEP’s system one time and be logged into all the diverse systems from that one session.
– Exchange Mail
– DotNetNuke Portals
– CA’s CleverPath
– GoldMine

Page 3

Single Sign On Goals

Feasible
Scalable
Secure
Within budget
Immediate solution
Meets future needs
Independent of 3rd party systems

Page 4

Some Problems Encountered

Dependence on CleverPath
– Password to use in other systems was stored in CleverPath
– Retrieval of Password will never be successful based on current API Request & Response objects

CleverPath XML API problems
– No API to keep session alive when not in CleverPath
– No successful creation of CleverPath Session without redirecting to CleverPath
– No API ability to kill CleverPath session
– Session Info is stored in CleverPath

Page 5

Solution

Stores session/password information
Pass request & response objects
Build independent solution

Page 6

Look at some uses of Single Sign On

Sign On to System
Check if I’m signed on

Page 7

Sign On

[Diagram. Labels: UI - User Login; Validation; Users; Active Directory; iPlanet; CleverPath API; Create Session Info (SessionID, Encrypted Password, Salt); Session Data (Session, Password, UserName); Session Cookie (Session & Salt); Other System]

Page 8

Check if I’m Signed On

[Diagram. Labels: Various UTEP Sites (Goldmine, It site, CleverPath); Is Session Active in Database; Various UTEP Sites Session Status (Goldmine, It site, CleverPath); Is Session Active in GoldMine; Is Session Active in CleverPath; GoldMine; CleverPath]

Page 9

Classes

Talk about supporting classes
– Registry
– MyRegistry
– Rijndael
– SessionInfo

See Page 2 of SingleSignOn Document

Page 10

Users Session Classes

UsersDB class wraps the UserSessionInfo table

UserCredentials class is passed the Session & Salt at instantiation
– It then makes a call to GetUserSession
– It then decrypts the password with a call to Rijndael

Page 11

UserAttributes Class

UserAttributesInit()
– Get Session Info from the cookie (SSO Class)
– Gets UserCredentials from Database
– GetUserAttributes()
  • Call iPlanet XML for attributes

See Page 3 of SingleSignOn Document

Page 12

Single Sign On Class

Constructors

IsActiveSession()
– Get Cookie Info
– Check Database if Session is valid
– Check other systems active

See Page 4-6 of SingleSignOn Document

Page 13

Single Sign On Class (cont.)

LogIn(UserID, Password)
– Remove Old Session & Cookies
– Generate Salt
– AuthenticateUser(UserID, Password)
  • Call CleverPath XML API to Create Session
– Store Session in Cookie and Database

See Page 7-8 of SingleSignOn Document
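
The LogIn and UserCredentials steps above, sketched as an added C# example (not the SingleSignOn classes from the slides). It assumes AES-CBC as the Rijndael variant, a key derived with PBKDF2 from a hypothetical server-side secret plus the per-session salt, and an in-memory dictionary in place of the UserSessionInfo table; the slides do not say how the salt enters the encryption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added sketch, not the SingleSignOn classes. Assumptions: AES-CBC, a PBKDF2 key
// from a hypothetical server secret plus the session salt, and a dictionary
// standing in for the UserSessionInfo table.
static class SsoSketch
{
    static readonly byte[] ServerSecret = Encoding.UTF8.GetBytes("constructed-demo-secret");
    static readonly Dictionary<string, (string User, byte[] Iv, byte[] Ct)> Table = new();

    static byte[] DeriveKey(byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(ServerSecret, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // LogIn: generate salt, encrypt the password, store the row, return cookie values.
    public static (string SessionId, byte[] Salt) LogIn(string userId, string password)
    {
        string sessionId = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        using var aes = Aes.Create();            // fresh random IV per instance
        aes.Key = DeriveKey(salt);
        byte[] pt = Encoding.UTF8.GetBytes(password);
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
        Table[sessionId] = (userId, aes.IV, ct); // database side: no salt stored
        return (sessionId, salt);                // cookie side: Session & Salt only
    }

    // UserCredentials: take Session & Salt from the cookie, fetch the row, decrypt.
    public static (string User, string Password) GetCredentials(string sessionId, byte[] salt)
    {
        if (!Table.TryGetValue(sessionId, out var row))
            throw new InvalidOperationException("no active session");
        using var aes = Aes.Create();
        aes.Key = DeriveKey(salt);
        aes.IV = row.Iv;
        using var dec = aes.CreateDecryptor();
        byte[] pt = dec.TransformFinalBlock(row.Ct, 0, row.Ct.Length);
        return (row.User, Encoding.UTF8.GetString(pt));
    }

    static void Main()
    {
        var cookie = LogIn("constructed-user", "constructed-password");
        var creds = GetCredentials(cookie.SessionId, cookie.Salt);
        Console.WriteLine($"{creds.User}: recovered {creds.Password.Length} characters");
    }
}
```

Under these assumptions the stored row cannot be decrypted without the salt held in the user's cookie, and the cookie alone carries no password material. CBC is unauthenticated, so a production design would also protect the integrity of the stored ciphertext.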

Page 14

Single Sign On Class (cont.)

LogOut()
– Calls RemoveSession()
– Calls RemoveCleverPathCookie()

RemoveSession()
– Removes Cookie & Database Entry

RemoveCleverPathCookie()
– Removes CleverPath Cookie

See Page 9 of SingleSignOn Document

Page 15

Single Sign On Class (cont.)

GetSessionInfo()
– Get Session Cookie
– Put SessionId and Salt into SessionInfo

See Page 10 of SingleSignOn Document

Page 16

Single Sign On Class (cont.)

SetSessionCookie(SessionID, Salt)
– Writes an in-memory cookie with SessionID and Salt out

SetCleverPathSessionStillActive(SessionID)
– Changes CleverPath Cookie to still be active

See Page 11-12 of SingleSignOn Document

Page 17

Single Sign On Class (cont.)

GetSignOnURL(RedirectPage)
– Returns the URL of the signon page with the return page as the page passed in

See Page 13 of SingleSignOn Document

Page 18

Things CA should do

Changes to CleverPath API or do our own fix
– Is Session Active
– Remove Session
– Keep Session Active

Fix CleverPath to go to Logout Screen
Fix CleverPath to go to Logon Screen

Page 19

Conclusion

No significant under site on design
Control with UTEP not CA
Can grow with UTEP
Probably have some new classes:
– CASystem Class
– GoldMineSystem Class
– …