the college of william and mary portal2006 andrew bauserman [email protected] scott hayes [email protected]...

THE COLLEGE OF WILLIAM AND MARY PORTAL2006

Andrew [email protected]

Scott [email protected]

Putting All the Eggs in One Basket

Using CPIP for integrationof Luminis—SSO withexternal web services

INFORMATION TECHNOLOGY THE COLLEGE OF WILLIAM AND MARY PORTAL2006


Prediction is especially difficult.Especially about the future.

Niels Bohr

THE COLLEGE OF WILLIAM AND MARY PORTAL2006

Andrew [email protected]

Scott [email protected]


Using CPIP for integrationof Luminis—SSO withexternal web services



My agenda was hidden well.Now I don't know where I left it.

(Chagall Guevara, "Escher's World")


Putting All the Eggs in One BasketOverview

All the EggsOne BasketMitigating RiskPortal InfrastructurePutting the Eggs in the BasketSingle Sign-onCPIP IntegrationNetwork InfrastructureSorting the EggsImplementationDifficult Web ServicesSecurity Concerns



An ordinary genius is a fellow whom you and I would be just as good as, if we were only

many times better. There is no mystery as to how his mind works. Once we understand

what they've done, we feel certain that we, too, could have done it. It is different with the

magicians. Even after we understand what they have done it is completely dark.

(Mark Kac)


All the EggsPortal as Gateway to EverythingThe authoritative source for information and services

Course Registration, Course Evals, Grades (Banner)Admission, Financial Aid, HR, Payroll (Banner)Facilities Management, Other Admin AppsCourse Management System (Blackboard)Announcements and News (RSS)WebmailCalendarsDiscussion BoardsAuxiliaries (Bookstore, Express Card, Copy Center)Blogs, Wikis, and other Cool Things



One Ring to Rule them all...

(Tolkien)


One BasketThe Dangers of Success...

Don’t hatchet your counts before they chicken.Portal Timeout

How do external systems open?Within the Portal (frameset)In another window?The Portal times out while you’re taking a Blackboard testKeep alive polling

Portal LogoutAre other services open after the portal closes?

If Webmail tab is open when I hit logout on the Portal...

Public Access TerminalsClosing the browser session


One Basket



...and in the darkness bind them.

(Tolkien)


One BasketCareful What You Wish...The authoritative source for information and services

The Portal is DownScheduled Maintenance

Upgrades and patches“Unscheduled” Maintenance

Server goes downPortal goes downCPIP cannot connect

Now what?



In theory there is no difference between theory and practice. In practice there is.

(Yogi Berra)


Mitigating RiskKnow When the System is Down

Monitor, Poll, Alert

Present Users with OptionsOutage Page

Have some tricksAlternate Login Mechanism



My own strategy is to find a car, or the nearest equivalent, which looks as if it knows where it

is going and follow it.I rarely end up where I was intending to go,

but often I end up somewhere that I needed to be.

(Dirk Gently's Holistic Detective Agency)


Portal InfrastructureBasics of our “Outages” System

Cisco Content Services Switch (CSS)SSL managementPort-level forwardingLoad balancingFailoverRedirect on full failure

Outages serverJust a plain LAMP (or Solaris-Apache) serverCreate a page, directory, or vHost for each service



I love it when a plan comes together!

(Hannibal, The A-Team)


Putting the Eggs in the Basket



Who did you say you were, little fellow?Mister, I am the Lorax. I speak for the trees.

(Dr. Seuss)

Who are you and how did you get in here?I'm a locksmith. And, I'm a locksmith.

(Police Squad)

Who are you?No one of consequence.

(The Princess Bride)


Single Sign-onMethods for Handoffs

Several ways of getting external services to the user.Basic LinksLinks with simple identifiersSecure Single Sign-on (SSSO) via CPIPSSSO + Unique “Random” Handoff IdentifierSSSO + Post-Handoff Sign-on



Fact is there's nothin' out there you can't do.Yeah, even Santa Claus believes in you.

(The Muppet Movie, "Can You Picture That?”)


CPIP Integration



If we are wise, what is born of that pain matures into the promise of a better world,

because we learn that we can no longer afford the mistakes of the past.

(G'Kar in Babylon 5: "In the Beginning")


Network InfrastructureServer-to-Server Communications

Are communications really from the portal?Restrict by IP AddressCommunications Limited to a Private Subnet

Are handoff communications secure from interception?Tunnel via SSL

FYI - GET and POST variables are encrypted via SSLCommunicate over a Private Subnet

Possibly without SSL? Analyze the Risks...



"The major difference between a thing that might go wrong and a thing that cannot

possibly go wrong is that when a thing that cannot possibly go wrong goes wrong, it

usually turns out to be impossible to get at or repair."

Douglas Adams.


Sorting the Eggs



The first 90% of the code accounts for the first 90% of the development time

The remaining 10% of the code accounts for the other 90% of the development time.

(Tom Cargill)


ImplemetationThe Easy PartThe Campus Pipeline Integration Protocol

Coding the CPIP ConnectorGet a copy of “Campus Pipeline Integration Protocol”Visit LumDevNet for more samples and helpFor assistance translating to Perl or PHP

contact Andrew or Scott and we’ll try to help

The CPIP Actions (Coordinated Session Management)getConfigauthenticatedeauthenticatelastactive



[Y]ou've got it backwards.It's not death you have to be afraid of,

that's the easy part.It's life that you have to worry about.

(La Femme Nikita)


ImplementationThe Hard Part

The front-end handoff pageHacking the External Server’s Login Process

What happens when you login “normally” to the system?sets a Cookiecreates a Sessionmakes an entry in a database sessions tableother (dark?) processes

Receiving the handoffapply the same procedures that the “real” login system doesmake the handoff token non-reusabledirect the user to the external system’s main post-login page



I have tricks in my pocket, and I have things up my sleeve, but I am the opposite of a stage

magician. He gives you illusion that has the appearance of truth. I give you truth in the

pleasant disguise of illusion.

Tennessee Williams, The Glass Menagerie


Difficult Web ServicesThe Even Harder Part

Dealing with “Closed” systemsClosed Systems

Proprietary, Contract, Oft-Updated, etc.Cannot figure out (or gain access to) the things that happen during a “normal” login process

Hacking the “Closed” systemMake a generic jumping-off SSSO service with CPIPTake the handoff, then do something MORE

Option A: Use an API to handoff using some other protocol, shared secret, or form of trust (AlcoholEdu)Option B: Create accounts in the external system with “random” passwords and then log the user in via a 2-click process (Copy Center)



We will burn that bridge when we come to it.

(Johann Wolfgang von Goethe)


Security ConcernsA Few Points of Weakness

During CPIP Back-end HandoffOnly accept CPIP from known Luminis IP address?Is traffic secure (encrypted or on private subnet)?

During Front-end HandoffIs traffic secure (over SSL)?Does the token expire if not used?

After Front-end HandoffIs the token re-useable?

After Portal LogoutAre loosely coupled systems still logged in?

External “Hacked” Closed SystemIs the password algorithm still a secret?



Prove that all odd numbers are prime.Professor: 3 is prime, 5 is prime, 7 is prime,

and the rest are left as an exercise for the student.

http://www.gdargaud.net/Humor/OddPrime.html


Related LinksSingle Sign-on

Defined with examples in Wikipediahttp://en.wikipedia.org/wiki/Single_sign-on

Luminis/CPIPhttp://www.lumdev.net/index.php

Shibboleth (Blackboard, Moodle)http://shibboleth.internet2.edu/http://shibboleth.internet2.edu/seas.html

Liberty Alliancehttp://www.projectliberty.org



What kind of sycophant are you?

[W]hat kind of sycophant would you like me to be?

(101 Dalmations - 1996)


All the Eggs are in This Basket

http://www.wm.edu/it/portal2006

the college of william and mary portal2006 andrew bauserman [email protected] scott hayes [email protected]...

Documents