Notices
© 2018 Ellucian.
Contains confidential and proprietary information of Ellucian and its subsidiaries. Use of these
materials is limited to Ellucian licensees, and is subject to the terms and conditions of one or more
written license agreements between Ellucian and the licensee in question.
In preparing and providing this publication, Ellucian is not rendering legal, accounting, or other
similar professional services. Ellucian makes no claims that an institution's use of this publication
or the software for which it is provided will guarantee compliance with applicable federal or state
laws, rules, or regulations. Each organization should seek legal, accounting, and other similar
professional services from competent providers of the organization's own choosing.
Ellucian
2003 Edmund Halley Drive
Reston, VA 20191
United States of America
Contents
Configure service providers for Ethos Identity
    Configure CAS service providers
        Configure claim mapping
        Add a service provider
        (Optional) Make a service provider visible to additional administrators
        Add CAS configuration
        Modify CAS context path (optional)
        Example: Configure Banner 8 applications
        Example: Configure Banner 9.x applications
    Configure SAML 2.0 service providers
        Configure service provider certificate exchange
        Configure claim mapping
        Add a service provider
        (Optional) Make a service provider visible to additional administrators
        Add SAML configuration
        Modify identity provider issuer
        Example: Configure Colleague Self-Service
        Example: Configure Google Apps
            Configure Google Apps to use Ellucian Ethos Identity as IDP
    Configure WS-Federation service providers
        Configure service provider certificate exchange
        Configure claim mapping
        Add a service provider
        (Optional) Make a service provider visible to additional administrators
        Add Passive STS realm
        Modify STS timeout (optional)
        Modify STS issuer (optional)
        Example: Configure Ellucian Portal
Configure service providers for Ethos Identity
Service providers can require different configurations for application and protocol combinations.
These procedures describe configurations for CAS, SAML 2.0, and WS-Federation. For
information about other configuration options for service providers, refer to Configuring a Service
Provider on the WSO2 documentation site.
Configure CAS service providers
The following diagram (not reproduced here) shows the login and service ticket validation process
for a CAS service provider against Ellucian Ethos Identity.
Protocol   Supports
Login      /login
Logout     /logout
CAS single logout capability is not supported by all service provider applications; it is not enabled
by default, and it generates extraneous traffic.
If you want a service provider to use the CAS single logout capability, you must set the Enable
Single Logout option on the CAS configuration panel for that service provider in the Management
Console.
Configure claim mapping
A service provider might require specific user store attributes that must be passed to the service
provider. Ellucian Ethos Identity provides some default claims that map to user store attributes.
You might need to add claims, or change the existing mappings to point to a different attribute in
your directory server.
Procedure
1. In the Management Console, click the Main tab.
2. Under Claims, click List.
3. Click http://wso2.org/claims.
4. Review the existing claims to determine whether you need to add claims, or modify an
existing claim to point to a different attribute in your user store.
5. If you need to add a claim, follow the instructions in the WSO2 procedure for Adding Claim
Mapping.
For example, you might need to add one of the claims listed in the table below.
Claim       Description                                   Example value
logonname   Logon name claim mapping                      sAMAccountName
upn         User principal name claim mapping             userPrincipalName
objectguid  Object GUID claim mapping                     objectGUID
udcid       Banner UDC Identifier claim mapping           udcid
personid    Colleague Person Identifier claim mapping     employeeNumber
6. If you need to modify an existing claim, follow the instructions in the WSO2 procedure for
Editing Claim Mapping.
Add a service provider
Procedure
1. Log in to the Management Console.
Log in as a user who has access to all service providers. You can either always use the same
login to maintain service providers, or give multiple users access to each service provider
using the procedure in (Optional) Make a service provider visible to additional administrators.
2. Click the Main tab.
3. Go to Service Providers > Add.
4. In the Service Provider Name field, enter a name that uniquely identifies the application.
For example, MyApplication
5. Click Register.
(Optional) Make a service provider visible to additional administrators
For a service provider to be visible to an administrator, that user must either have created that
service provider or be assigned the role associated with the service provider. Choose one of the
following approaches:
• Perform the procedure below to assign that role to other users, so that multiple users can view
and maintain the service provider.
• Always log in as the same user (for example, the administrator created by Ellucian Ethos
Identity) to add or maintain service providers.
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Users and Roles > List.
4. On the User and Roles page, click Roles.
5. On the Roles page, search for the role associated with the service provider.
The role name is Application/<service_provider_name>. WSO2 Identity Server
created this role when you added the service provider.
6. Click Assign Users in that row.
7. On the User List of Role page, select the check boxes for any users who you want to be able
to view and maintain this service provider.
8. Click Finish.
Add CAS configuration
After mapping the identity claims, add the CAS Service URL for the integrating application.
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Service Providers > List.
4. In the row for the service provider, click Edit.
5. Expand Inbound Authentication Configuration > CAS Configuration.
6. In the Service URL field, enter the URL of the target application deployment with a trailing
slash.
The table below shows the standard URL deployment patterns for CAS-enabled Ellucian
products.
7. In the Enable Single Logout field, enter true if you want to let this service provider
participate in single logout with other CAS service providers.
8. Click Update to save the settings.
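The flow in the diagram above (login at /login, then validation of the returned service ticket) and the Service URL rule in step 6 can be made concrete on the client side. The following added example is not Ellucian or WSO2 code: it shows the request a CAS client builds for the serviceValidate endpoint, the exact-match check on the service parameter (the trailing slash is part of the registered value), and a parser for the success and failure responses. The Service URL, the CAS base URL, the user name and the attribute values are constructed sample values.

```python
"""Added example (not Ellucian or WSO2 code): the checks a CAS client performs when it
validates a service ticket against the Ethos Identity CAS endpoint, and why the Service URL
must match exactly (trailing slash included)."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Service URL as entered on the CAS Configuration panel (sample value, trailing slash kept).
REGISTERED_SERVICE_URL = "https://banner.server.edu:8443/StudentOverall/"


def build_validate_url(cas_base_url: str, service: str, ticket: str) -> str:
    """URL the client calls after the /login redirect hands it a service ticket."""
    return cas_base_url + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def service_matches(service: str, registered: str = REGISTERED_SERVICE_URL) -> bool:
    """The service parameter must equal the registered Service URL byte for byte;
    https://host/app and https://host/app/ are different services."""
    return service == registered


def parse_validate_response(xml_text: str) -> dict:
    """Parse a serviceValidate response into {'user': ..., 'attributes': {...}}.
    Raises ValueError carrying the CAS failure code when validation failed."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response contains neither authenticationSuccess nor authenticationFailure")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attributes = {}
    attrs = success.find("cas:attributes", CAS_NS)
    if attrs is not None:
        for child in attrs:  # tag is '{namespace}name'; keep only the local name
            attributes[child.tag.split("}", 1)[1]] = (child.text or "").strip()
    return {"user": user, "attributes": attributes}


def validate_service_ticket(service: str, xml_text: str) -> dict:
    """Reject a ticket presented for a service other than the registered one before
    trusting anything in the response body."""
    if not service_matches(service):
        raise ValueError("service %r is not the registered Service URL" % service)
    return parse_validate_response(xml_text)


# Constructed sample responses in the CAS 2.0 protocol format.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:udcid>1A2B3C</cas:udcid>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket 'ST-123' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validate_url("https://eis.server.edu:8443/cas", REGISTERED_SERVICE_URL, "ST-123"))
    print(validate_service_ticket(REGISTERED_SERVICE_URL, SUCCESS_RESPONSE))
```

A client that normalises or prefix-matches the service parameter would accept a ticket issued for a different deployment of the same host; the exact comparison is what ties the ticket to the Service URL registered in the Management Console.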
Modify CAS context path (optional)
Modify the CAS context path if it is different from the default of /cas.
The CAS context path appears in the base URL for Ellucian Ethos Identity, for example https://
eis.server.edu:8443/cas. The default is /cas. You might have CAS-enabled applications
that require a different context path. For example, existing CAS-enabled applications can point
to /cas-web, which is provided by a Luminis Portal 5 installation. If Ellucian Ethos Identity is
installed on the same server as the Luminis CAS deployment, then Ellucian Ethos Identity will be
able to service CAS requests without modifying application configurations that point to /cas-web.
Procedure
1. In an editor, open the eis_config.properties file located in the <IS_HOME>/config directory.
2. Set the following property to the appropriate value:
Property             Description
eis.cas.ContextPath  Desired CAS context path. Example value: /cas-web
Linux/UNIX:
ANT_HOME=../apache-ant/
export ANT_HOME
../apache-ant/bin/ant config-all-xml
Windows:
..\apache-ant\bin\ant config-all-xml
7. Change directories (cd) to the <IS_HOME>/bin directory.
8. Stop and restart Ellucian Ethos Identity, using the appropriate commands for your operating
system:
Linux/UNIX:
sh wso2server.sh stop
sh wso2server.sh start
Windows:
wso2server.bat stop
wso2server.bat start
Example: Configure Banner 8 applications
Banner 8 applications implement single sign-on using Banner SSO Manager, a component of
Banner Enterprise Identity Services (BEIS). The following steps demonstrate how to configure a
Banner SSO Manager service provider in Ellucian Ethos Identity.
Procedure
1. Create a service provider for Banner SSO Manager in the Management Console.
2. Create a new custom claim mapping for the service provider.
For the claim mapping, select the identity attribute configured in the Banner SSO Manager
Admin interface. For this example, the unique identifier name is UDC_IDENTIFIER and the
LDAP attribute cn contains the value.
3. Enter the Service URL for Banner SSO Manager. Include a trailing slash.
Example: https://sso.server.edu:8443/ssomanager/
4. Click Update to save the settings.
Example: Configure Banner 9.x applications
Banner 9.x applications are configured individually for SSO functionality, but follow similar steps
for Ellucian Ethos Identity configuration. The following steps demonstrate how to configure a
Banner Student Overall service provider in Ellucian Ethos Identity.
Procedure
1. Create a service provider for Banner 9.x Student Overall in the Management Console.
2. Create a new custom claim mapping for the service provider.
For the claim mapping, select the identity attribute configured in the Banner 9.x Student
Overall configuration. For this example, the unique identifier name is UDC_IDENTIFIER and
the LDAP attribute cn contains the value.
3. Enter the Service URL for Banner 9.x Student Overall. Include a trailing slash.
Example: https://banner.server.edu:8443/StudentOverall/
4. Click Update to save the settings.
Configure SAML 2.0 service providers
The following diagram (not reproduced here) depicts the login and SAML Response validation
process for a SAML 2.0 service provider against Ellucian Ethos Identity.
Configure service provider certificate exchange
Certificate exchange entails exporting the public certificate from the keystore of one application
and importing it into the keystore of the other application.
Procedure
1. Export the public certificate from the Ellucian Ethos Identity server keystore.
Configure claim mapping
A service provider might require specific user store attributes that must be passed to the service
provider. Ellucian Ethos Identity provides some default claims that map to user store attributes.
You might need to add claims, or change the existing mappings to point to a different attribute in
your directory server.
Procedure
1. In the Management Console, click the Main tab.
2. Under Claims, click List.
3. Click http://wso2.org/claims.
4. Review the existing claims to determine whether you need to add claims, or modify an
existing claim to point to a different attribute in your user store.
5. If you need to add a claim, follow the instructions in the WSO2 procedure for Adding Claim
Mapping.
For example, you might need to add one of the claims listed in the table below.
Claim       Description                                   Example value
logonname   Logon name claim mapping                      sAMAccountName
upn         User principal name claim mapping             userPrincipalName
objectguid  Object GUID claim mapping                     objectGUID
udcid       Banner UDC Identifier claim mapping           udcid
personid    Colleague Person Identifier claim mapping     employeeNumber
6. If you need to modify an existing claim, follow the instructions in the WSO2 procedure for
Editing Claim Mapping.
(Optional) Make a service provider visible to additional administrators
For a service provider to be visible to an administrator, that user must either have created that
service provider or be assigned the role associated with the service provider. Choose one of the
following approaches:
• Perform the procedure below to assign that role to other users, so that multiple users can view
and maintain the service provider.
• Always log in as the same user (for example, the administrator created by Ellucian Ethos
Identity) to add or maintain service providers.
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Users and Roles > List.
4. On the User and Roles page, click Roles.
5. On the Roles page, search for the role associated with the service provider.
The role name is Application/<service_provider_name>. WSO2 Identity Server
created this role when you added the service provider.
6. Click Assign Users in that row.
7. On the User List of Role page, select the check boxes for any users who you want to be able
to view and maintain this service provider.
8. Click Finish.
Add SAML configuration
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Service Providers > List.
4. In the row for the service provider, click Edit.
5. Expand Inbound Authentication Configuration > SAML2 Web SSO Configuration.
6. Click Configure to access the Register New Service Provider page.
Note: The remaining steps in this procedure are based on a manual
configuration, using the Manual Configuration option in the Select Mode
section of the page. You can use the Metadata File Configuration or URL
Configuration options if you have the required file or URL.
7. Enter the Issuer value that is configured in the service provider application. This value is
validated against the SAML Authentication Request issued by the service provider.
8. Enter a valid Assertion Consumer URL where the browser redirects the SAML Response after
authentication.
Note: The Assertion Consumer URL must use lowercase http or https to
conform to SAML protocol standards. For example:
<samlp:AuthnRequest AssertionConsumerServiceURL="https://webadvisor.school.edu/WebAdvisor/WebAdvisor"
Before Ellucian Ethos Identity 2.0, you could use uppercase characters for the URL, but this is
no longer supported.
9. Enter a valid NameID format supported by Ellucian Ethos Identity. You can use the following
values:
• urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
• urn:oasis:names:tc:SAML:2.0:nameid-format:transient
• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
• urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
• urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
• urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
• urn:oasis:names:tc:SAML:2.0:nameid-format:entity
10. Select the Certificate Alias for the service provider's public certificate. This certificate is used
to validate the signatures of SAML 2.0 requests and to encrypt the assertions sent to the service
provider.
11. Select Enable Response Signing to sign the SAML 2.0 Responses returned after the
authentication process.
12. Select Enable Signature Validation in Authentication Requests and Logout Requests if
the identity provider must validate the signature of the SAML 2.0 Authentication and Logout
Requests that are sent by the service provider.
13. Select Enable Assertion Encryption to encrypt the assertions.
14. Select Enable Single Logout so that all sessions across all authenticated service providers
are terminated when the user signs out from one of them. If the service provider uses a
different URL than the Assertion Consumer URL for logout, enter it as the SLO Request URL.
15. Select Enable Attribute Profile to add a basic attribute profile where the identity provider can
include the user’s attributes in the SAML Assertions as part of the attribute statement. Select
Include Attributes in the Response Always if the identity provider should always include
the attribute values related to the selected claims in the SAML attribute statement.
16. Select Enable Audience Restriction to restrict the audience. Add audience members using
the Audience text box and click Add Audience.
17. Select Enable IdP Initiated SSO so that either the IdP or the service provider can initiate
single sign-on.
18. Click Register to save settings and return to the service provider configuration page.
19. Click Update to save all settings.
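Steps 7 to 9 above register the values the identity provider later compares against each incoming SAML Authentication Request: the Issuer, the Assertion Consumer URL (lowercase scheme, exact match) and the NameID format. The following added example is not Ellucian or WSO2 code; it shows those three checks applied to a constructed AuthnRequest, returning a list of problems so that a rejected request can be logged with its reason. The registration values and the request itself are sample values for the example; the list of NameID formats is the one given in step 9.

```python
"""Added example (not Ellucian or WSO2 code): the checks an identity provider applies to an
incoming SAML 2.0 AuthnRequest using the values registered for the service provider."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID formats listed as supported by Ellucian Ethos Identity (step 9 of the procedure).
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
}


@dataclass
class ServiceProviderRegistration:
    """Values entered on the Register New Service Provider page (sample values in the test)."""
    issuer: str
    assertion_consumer_url: str
    nameid_format: str


def validate_authn_request(xml_text: str, sp: ServiceProviderRegistration) -> list:
    """Return the list of problems found; an empty list means the request is accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]

    # Step 7: the Issuer must be the value registered for this service provider.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != sp.issuer:
        problems.append("issuer %r does not match registered issuer %r" % (issuer, sp.issuer))

    # Step 8: the ACS URL must use lowercase http/https and match the registered URL exactly.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None:
        scheme = acs.split(":", 1)[0]
        if scheme not in ("http", "https"):
            problems.append("AssertionConsumerServiceURL scheme %r must be lowercase http or https" % scheme)
        elif acs != sp.assertion_consumer_url:
            problems.append("AssertionConsumerServiceURL does not match the registered Assertion Consumer URL")

    # Step 9: a requested NameID format must be one the identity provider supports.
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is not None:
        fmt = policy.get("Format")
        if fmt and fmt not in SUPPORTED_NAMEID_FORMATS:
            problems.append("unsupported NameID format %r" % fmt)
    return problems


# Constructed sample request; the host and issuer are placeholders for the example.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0"
    IssueInstant="2018-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://webadvisor.school.edu/WebAdvisor/WebAdvisor">
  <saml:Issuer>webadvisor</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""

SAMPLE_SP = ServiceProviderRegistration(
    issuer="webadvisor",
    assertion_consumer_url="https://webadvisor.school.edu/WebAdvisor/WebAdvisor",
    nameid_format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
)

if __name__ == "__main__":
    print(validate_authn_request(SAMPLE_REQUEST, SAMPLE_SP))
    print(validate_authn_request(SAMPLE_REQUEST.replace("https://webadvisor", "HTTPS://webadvisor"), SAMPLE_SP))
```

The ACS check is the one that changed in Ellucian Ethos Identity 2.0: a request carrying HTTPS:// in its AssertionConsumerServiceURL is now rejected outright rather than matched case-insensitively, so a service provider that was registered with a mixed-case URL needs its configuration corrected on both sides.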
Modify identity provider issuer
Change the Identity Provider Entity Id to the expected URI of the Issuer statement in SAML 2.0
Responses.
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Under Identity Providers, click Resident.
4. Expand Inbound Authentication Configuration > SAML2 Web SSO Configuration.
5. In the Identity Provider Entity ID field, enter a valid identity provider name or URI that will be
used by all service providers.
6. Click Update to save the settings.
Example: Configure Colleague Self-Service
Colleague Self-Service is built on ASP.NET MVC technology and leverages SAML 2.0 SSO for
single sign-on.
Procedure
1. Create a service provider for Colleague Self-Service in the Management Console.
For more details on configuring Colleague Self-Service, refer to Colleague Self-Service in
Configure Ellucian Ethos Identity for Specific Products.
2. Create a new custom claim mapping for the service provider. For the claim mapping, select
the identity attribute configured in the Colleague Self-Service Admin interface. For this
example, the unique identifier name is colleague and the local claim sAMAccountName
contains the value.
3. Configure the SAML 2.0 SSO settings. Click the Configure link to open a new page.
4. Enter the Issuer and the Assertion Consumer URL and choose the appropriate options.
5. Click Register to save settings and return to the service provider configuration page.
6. Click Update to save all settings.
Example: Configure Google Apps
Google Apps for Work (formerly Google Apps for Business) is a suite of cloud computing
productivity and collaboration software tools and software offered on a subscription basis by
Google. It includes Google's web applications Gmail, Google Drive, Google Hangouts, Google
Calendar, and Google Docs.
Procedure
1. In the Management Console, create a service provider for Google Apps.
2. For the claim mapping, select NameID as the Service Provider Claim as shown in the
following table.
Configure Google Apps to use Ellucian Ethos Identity as IDP
Allow Google Apps to use Ellucian Ethos Identity as its primary identity provider.
Procedure
1. Log in to Google Apps Admin Console as an Administrator by navigating to:
admin.google.com
2. Click Security.
3. Click Set up single sign-on (SSO).
4. Check the Setup SSO with third party identity provider option.
5. Enter your institution's Ellucian Ethos Identity SAMLSSO URL for Sign-in page URL.
Example: https://idp.school.edu/samlsso.
6. Enter your institution's Ellucian Ethos Identity SAMLSSO URL for Sign-out page URL. The
URL must end with ?slo=true.
Example: https://idp.school.edu/samlsso?slo=true.
7. If you have enabled Change Password within Ellucian Ethos Identity, enter your Ellucian
Ethos Identity Change Password URL under Change Password URL.
If you have another web application that performs password changes, then enter the URL for
that web application here.
Example: https://idp.school.edu/password/change.
8. Select your Ellucian Ethos Identity Token Signing certificate for the Verification Certificate.
Configure WS-Federation service providers
The following diagram (not reproduced here) depicts the login and requestor token validation
process for a WS-Federation service provider against Ellucian Ethos Identity.
Configure service provider certificate exchange
Certificate exchange entails exporting the public certificate from the keystore of one application
and importing it into the keystore of the other application.
Procedure
1. Export the public certificate from the Ellucian Ethos Identity server keystore.
keytool -export -alias <use the same certificate alias> -keystore <server keystore name>.jks -file <public certificate name>.pem
2. Import the public certificate for Ellucian Ethos Identity that you exported in step 1 into the
service provider (client) keystore.
You must import the public certificate for the Ellucian Ethos Identity server using the same
alias from the server keystore.
3. Export the public certificate from the service provider so that it can be used in Ellucian Ethos
Identity.
You must import the certificate into both the server and the client keystores, as described in
steps 4 and 5.
4. Import a public certificate into the client keystore <IS_HOME>/repository/resources/security/
client-truststore.jks using the following command.
keytool -import -alias <use the same certificate alias> -file <public certificate name>.pem -keystore client-truststore.jks -storepass wso2carbon
Ellucian Ethos Identity uses a separate client keystore for backend and inter-system
communication.
5. Import a public certificate into the server keystore using the following command:
keytool -import -alias <certificate alias> -file <public certificate name>.pem -keystore <server keystore>.jks
The server keystore must contain public certificates for service providers to decrypt SAML and
validate digital signatures.
Configure claim mapping
A service provider might require specific user store attributes that must be passed to the service
provider. Ellucian Ethos Identity provides some default claims that map to user store attributes.
You might need to add claims, or change the existing mappings to point to a different attribute in
your directory server.
Procedure
1. In the Management Console, click the Main tab.
2. Under Claims, click List.
3. Click http://wso2.org/claims.
4. Review the existing claims to determine whether you need to add claims, or modify an
existing claim to point to a different attribute in your user store.
5. If you need to add a claim, follow the instructions in the WSO2 procedure for Adding Claim
Mapping.
For example, you might need to add one of the claims listed in the table below.
Claim       Description                                   Example value
logonname   Logon name claim mapping                      sAMAccountName
upn         User principal name claim mapping             userPrincipalName
objectguid  Object GUID claim mapping                     objectGUID
udcid       Banner UDC Identifier claim mapping           udcid
personid    Colleague Person Identifier claim mapping     employeeNumber
6. If you need to modify an existing claim, follow the instructions in the WSO2 procedure for
Editing Claim Mapping.
(Optional) Make a service provider visible to additional administrators
For a service provider to be visible to an administrator, that user must either have created that
service provider or be assigned the role associated with the service provider. Choose one of the
following approaches:
• Perform the procedure below to assign that role to other users, so that multiple users can view
and maintain the service provider.
• Always log in as the same user (for example, the administrator created by Ellucian Ethos
Identity) to add or maintain service providers.
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Users and Roles > List.
4. On the User and Roles page, click Roles.
5. On the Roles page, search for the role associated with the service provider.
The role name is Application/<service_provider_name>. WSO2 Identity Server
created this role when you added the service provider.
6. Click Assign Users in that row.
7. On the User List of Role page, select the check boxes for any users who you want to be able
to view and maintain this service provider.
8. Click Finish.
Add Passive STS realm
Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Service Providers > List.
4. In the row for the service provider, click Edit.
5. Expand Inbound Authentication Configuration > WS-Federation (Passive)
Configuration.
6. In the Passive STS Realm field, enter the URI or URL of the target application deployment.
7. In the Passive STS WReply URL field, enter the URI or URL of the federation recipient.
8. Click Update.
Modify STS timeout (optional)
The security token service (STS) timeout determines how long the session token is valid. If this
value is too low, SharePoint service providers request tokens more frequently, which degrades
performance.
Procedure
1. In an editor, open the eis_config.properties file located in the <IS_HOME>/config directory.
2. Set the STS timeout property to the appropriate value:
Property            Description
eis.sts.TimeToLive  WS-Federation token timeout in milliseconds. The default is 1800000
                    milliseconds (30 minutes).
8. Stop and restart Ellucian Ethos Identity, using the appropriate commands for your operating
system:
Linux/UNIX:
sh wso2server.sh stop
sh wso2server.sh start
Windows:
wso2server.bat stop
wso2server.bat start
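The Passive STS Realm and WReply URL entered in the "Add Passive STS realm" procedure, and the eis.sts.TimeToLive value set above, are the inputs a passive STS uses when it handles a WS-Federation sign-in request. The following added example is not Ellucian or WSO2 code: it matches the wtrealm and wreply parameters of a wsignin1.0 request against the registered pair (so that a token is released only to the recipient registered for that realm) and computes the Created/Expires window of the issued token from the TTL. The STS endpoint path, the realm and the reply URL are constructed sample values.

```python
"""Added example (not Ellucian or WSO2 code): how a passive STS can check a WS-Federation
sign-in request against the registered Passive STS Realm and WReply URL, and how the
eis.sts.TimeToLive setting bounds the lifetime of the token it issues."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

DEFAULT_TTL_MS = 1800000  # eis.sts.TimeToLive default: 30 minutes

# Registered service providers: Passive STS Realm -> Passive STS WReply URL.
# Sample values constructed for this example.
REGISTERED = {
    "https://portal.server.edu": "https://portal.server.edu/_trust/",
}


def parse_signin_request(url: str) -> dict:
    """Split the query string of a wsignin1.0 request into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def resolve_reply_url(params: dict, registry: dict = None):
    """Return the URL the token may be posted to, or None when the request is rejected."""
    registry = REGISTERED if registry is None else registry
    if params.get("wa") != "wsignin1.0":
        return None
    realm = params.get("wtrealm")
    if realm not in registry:
        return None  # unknown realm: no service provider is registered for it
    reply = params.get("wreply", registry[realm])  # wreply is optional in the request
    if reply != registry[realm]:
        return None  # the token is released only to the registered recipient
    return reply


def token_window(created: datetime, ttl_ms: int = DEFAULT_TTL_MS):
    """Compute the (Created, Expires) pair for a token issued at 'created'."""
    return created, created + timedelta(milliseconds=ttl_ms)


def token_is_current(created: datetime, expires: datetime, now: datetime) -> bool:
    """A token is accepted only inside its [Created, Expires) window."""
    return created <= now < expires


# Constructed sample request; the endpoint path is a placeholder, not a documented value.
SAMPLE_SIGNIN_URL = (
    "https://eis.school.edu:8443/passivests?wa=wsignin1.0"
    "&wtrealm=https%3A%2F%2Fportal.server.edu"
    "&wreply=https%3A%2F%2Fportal.server.edu%2F_trust%2F"
)

if __name__ == "__main__":
    params = parse_signin_request(SAMPLE_SIGNIN_URL)
    print(resolve_reply_url(params))
    issued = datetime(2018, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(token_window(issued))
```

Raising eis.sts.TimeToLive lengthens the window in which a captured token remains usable, so the value should be set to the smallest figure at which SharePoint stops re-requesting tokens noticeably, rather than simply as large as possible.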
Modify STS issuer (optional)
If the service provider requires a URI for the issuer of the WS-Federation response, set the issuer
to the base URL of the Ellucian Ethos Identity instance.
Procedure
1. In the Management Console, click the Main tab.
2. Under Identity Providers, click Resident.
3. Expand Inbound Authentication Configuration > WS-Federation (Passive)
Configuration.
4. In the Identity Provider Entity Id field, enter the base URL of your Ellucian Ethos Identity
instance.
Example: https://eis.school.edu:8443
5. Click Update.
Example: Configure Ellucian Portal
Ellucian Portal is built on Microsoft SharePoint, which uses WS-Federation for single sign-on.
Procedure
1. Create a service provider for Ellucian Portal in the Management Console.
2. Create new custom claim mappings for the service provider. SharePoint requires logonname
and role global claim mappings. The Subject Claim URI must be set to the logonname claim
and the Role Claim URI must be set to the role claim.
3. Enter the Passive STS Realm configured in SharePoint. This must be a URI or URL of the
SharePoint site for Ellucian Portal.
Example: https://portal.server.edu
4. Click Update to save the settings.
For more details on configuring Ellucian Portal, refer to Ellucian Portal in Configure Ellucian
Ethos Identity for Specific Products.