
Ellucian Resources

November 27, 2018


Notices

© 2018 Ellucian.

Contains confidential and proprietary information of Ellucian and its subsidiaries. Use of these
materials is limited to Ellucian licensees, and is subject to the terms and conditions of one or more
written license agreements between Ellucian and the licensee in question.

In preparing and providing this publication, Ellucian is not rendering legal, accounting, or other
similar professional services. Ellucian makes no claims that an institution's use of this publication
or the software for which it is provided will guarantee compliance with applicable federal or state
laws, rules, or regulations. Each organization should seek legal, accounting, and other similar
professional services from competent providers of the organization's own choosing.

Ellucian
2003 Edmund Halley Drive
Reston, VA 20191
United States of America

©2018 Ellucian. Confidential and Proprietary. 2


Contents
Configure service providers for Ethos Identity
  Configure CAS service providers
    Configure claim mapping
    Add a service provider
    (Optional) Make a service provider visible to additional administrators
    Add CAS configuration
    Modify CAS context path (optional)
    Example: Configure Banner 8 applications
    Example: Configure Banner 9.x applications
  Configure SAML 2.0 service providers
    Configure service provider certificate exchange
    Configure claim mapping
    Add a service provider
    (Optional) Make a service provider visible to additional administrators
    Add SAML configuration
    Modify identity provider issuer
    Example: Configure Colleague Self-Service
    Example: Configure Google Apps
      Configure Google Apps to use Ellucian Ethos Identity as IDP
  Configure WS-Federation service providers
    Configure service provider certificate exchange
    Configure claim mapping
    Add a service provider
    (Optional) Make a service provider visible to additional administrators
    Add Passive STS realm
    Modify STS timeout (optional)
    Modify STS issuer (optional)
    Example: Configure Ellucian Portal



Configure service providers for Ethos Identity

Ellucian Ethos Identity requires each supported application to be created as a service provider and
configured for the appropriate protocol.

Service providers can require different configurations for application and protocol combinations.
These procedures describe configurations for CAS, SAML 2.0, and WS-Federation. For
information about other configuration options for service providers, refer to Configuring a Service
Provider on the WSO2 documentation site.

Configure CAS service providers


Central Authentication Service (CAS) is a ticket-based single sign-on protocol maintained by
JA-SIG. Ellucian Ethos Identity supports the CAS protocol specification, which is used by some
Ellucian products.

The following diagram shows the login and service ticket validation process for a CAS service
provider against Ellucian Ethos Identity.


Supported CAS protocols

The following CAS protocols are supported by Ellucian Ethos Identity.

Protocol            Supports
Login               /login
                    Supports TARGET and SAMLart arguments for legacy SAML clients
Logout              /logout
                    • Supports url parameter for redirect link [CAS 1.0, 2.0]
                    • Supports service parameter for automatic redirect [CAS 3.0]
Proxy Ticket        /proxy [CAS 2.0]
Ticket Validation   • /validate [CAS 1.0]
                    • /serviceValidate [CAS 2.0]; supports user attributes [CAS 3.0]
                    • /proxyValidate [CAS 2.0]
                    • /samlValidate [CAS 3.0]

CAS single logout

CAS single logout is not supported by all service provider applications, is not enabled by
default, and generates extra traffic between Ellucian Ethos Identity and the service providers.

If you want a service provider to use the CAS single logout capability, you must set the Enable
Single Logout option on the CAS configuration panel for that service provider in the Management
Console.
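As an added example (not Ellucian or WSO2 code), the following Python parses the XML that the CAS 2.0/3.0 /serviceValidate endpoint listed above returns, separating a successful validation and its released attributes from an authenticationFailure, and applies a prefix comparison of the kind the trailing-slash Service URL convention implies. The two responses are constructed samples, and the prefix rule is an assumption about how the server compares the service parameter.

```python
"""Parse a CAS 2.0/3.0 /serviceValidate response and check a service URL.

Added example for this page, not Ellucian or WSO2 code. The two responses
below are constructed samples; the element names and the cas namespace
come from the CAS protocol specification.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: what a CAS 3.0 server returns for a valid service ticket,
# including released attributes (here the Banner udcid claim from the page).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:udcid>1A2B3C4D</cas:udcid>
      <cas:mail>jsmith@school.edu</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the ticket was issued for a different service URL.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_SERVICE">
    Ticket ST-123-example does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_validate(xml_text):
    """Return (user, attributes) for a successful validation.

    Raises ValueError with "<CODE>: <message>" on an authenticationFailure
    element, and on responses that carry neither success nor failure.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise ValueError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("MALFORMED: no authenticationSuccess or authenticationFailure")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise ValueError("MALFORMED: empty cas:user")
    attributes = {}
    attr_block = success.find("cas:attributes", CAS_NS)
    if attr_block is not None:  # CAS 3.0 attribute release; absent in CAS 2.0
        for child in attr_block:
            name = child.tag.split("}", 1)[-1]  # strip the namespace prefix
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


def failure_code(xml_text):
    """Return the failure code of a response, or None when validation succeeded."""
    try:
        parse_service_validate(xml_text)
    except ValueError as exc:
        return str(exc).split(":", 1)[0]
    return None


def service_matches(registered_service_url, presented_service):
    """Check a service= value against the Service URL registered for the provider.

    Assumption: the comparison is scheme + host + port, then a path prefix,
    which is why the page asks for a trailing slash on the registered URL.
    """
    if not registered_service_url.endswith("/"):
        return False  # a registration without the trailing slash is a config error
    reg, req = urlsplit(registered_service_url), urlsplit(presented_service)
    return (reg.scheme == req.scheme
            and reg.netloc.lower() == req.netloc.lower()
            and req.path.startswith(reg.path))
```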

Configure claim mapping

A service provider might require specific user store attributes that must be passed to the service
provider. Ellucian Ethos Identity provides some default claims that map to user store attributes.
You might need to add claims, or change the existing mappings to point to a different attribute in
your directory server.

Procedure
1. In the Management Console, click the Main tab.
2. Under Claims, click List.
3. Click http://wso2.org/claims.


4. Review the existing claims to determine whether you need to add claims, or modify an
existing claim to point to a different attribute in your user store.
5. If you need to add a claim, follow the instructions in the WSO2 procedure for Adding Claim
Mapping.
For example, you might need to add one of the claims listed in the table below.
Claim        Description
logonname    Logon name claim mapping (example value: sAMAccountName)
upn          User principal name claim mapping (example value: userPrincipalName)
objectguid   Object GUID claim mapping (example value: objectGUID)
udcid        Banner UDC Identifier claim mapping (example value: udcid)
personid     Colleague Person Identifier claim mapping (example value: employeeNumber)

6. If you need to modify an existing claim, follow the instructions in the WSO2 procedure for
Editing Claim Mapping.

Add a service provider

Add a service provider definition in the Management Console.

Procedure
1. Log in to the Management Console.
Log in as a user who has access to all service providers. You can either always use the same
login to maintain service providers, or give multiple users access to each service provider
using the procedure in (Optional) Make a service provider visible to additional administrators.
2. Click the Main tab.
3. Go to Service Providers > Add.
4. In the Service Provider Name field, enter a name that uniquely identifies the application.
For example, MyApplication
5. Click Register.

(Optional) Make a service provider visible to additional administrators

For a service provider to be visible to an administrator, that user must either have created that
service provider or be assigned the role associated with the service provider.


About this task


When you add a service provider, WSO2 Identity Server creates a role associated with that
service provider and assigns that role to the administrative user who added the service provider.
By default, other users do not see that service provider in the service provider list. As a result,
other users cannot maintain that service provider, and two users could create service providers
with a similar configuration which would create conflicts. This issue could arise, for example,
because a different user logged in to the Management Console or you switched to using email
address rather than username to log in.
To avoid these issues, do either of the following:

• Perform the procedure below to assign that role to other users, so that multiple users can view
and maintain the service provider.
• Always log in as the same user (for example, the administrator created by Ellucian Ethos
Identity) to add or maintain service providers.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Users and Roles > List.
4. On the User and Roles page, click Roles.
5. On the Roles page, search for the role associated with the service provider.
The role name is Application/<service_provider_name>. WSO2 Identity Server
created this role when you added the service provider.
6. Click Assign Users in that row.
7. On the User List of Role page, select the check boxes for any users who you want to be able
to view and maintain this service provider.
8. Click Finish.

Add CAS configuration

After mapping the identity claims, add the CAS Service URL for the integrating application.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Service Providers > List.
4. In the row for the service provider, click Edit.
5. Expand Inbound Authentication Configuration > CAS Configuration.
6. In the Service URL field, enter the URL of the target application deployment with a trailing
slash.
The table below shows the standard URL deployment patterns for CAS-enabled Ellucian
products.


Ellucian Product                         URL Pattern
Application Navigator                    http(s)://<host>:<port>/applicationNavigator/
Banner Document Manager AX Web Access    http(s)://<host>:<port>/appxtender/
Banner Flexible Registration             http(s)://<host>:<port>/flexibleregistration/
Banner SSO Manager                       http(s)://<host>:<port>/ssomanager/
Banner Travel and Expense Report         http(s)://<host>:<port>/tvlexp/
Banner Workflow                          http(s)://<host>:<port>/workflow/
Banner XE Applications                   http(s)://<host>:<port>/<deploymentContext>/
Luminis                                  http(s)://<host>/
Luminis Admin                            http(s)://<host>:<port>/

7. In the Enable Single Logout field, enter true if you want to let this service provider
participate in single logout with other CAS service providers.
8. Click Update to save the settings.

Modify CAS context path (optional)

Modify the CAS context path if it is different from the default of /cas.

About this task

The CAS context path appears in the base URL for Ellucian Ethos Identity, for example
https://eis.server.edu:8443/cas. The default is /cas. You might have CAS-enabled applications
that require a different context path. For example, existing CAS-enabled applications can point
to /cas-web, which is provided by a Luminis Portal 5 installation. If Ellucian Ethos Identity is
installed on the same server as the Luminis CAS deployment, then Ellucian Ethos Identity can
service CAS requests without modifying application configurations that point to /cas-web.

Procedure
1. In an editor, open the eis_config.properties file located in the <IS_HOME>/config directory.
2. Set the following property to the appropriate value:

Property              Description
eis.cas.ContextPath   Desired CAS context path (example value: /cas-web)

3. Save the changes to the file.


4. Open a command prompt. (For Windows, right-click and run as administrator.)
5. Change directories (cd) to the <IS_HOME>/config directory.
6. Run the appropriate command below for your operating system to update the appropriate xml
file with the changes made to the eis_config.properties file.


Linux/UNIX:
ANT_HOME=../apache-ant/
export ANT_HOME
../apache-ant/bin/ant config-all-xml
Windows:
..\apache-ant\bin\ant config-all-xml
7. Change directories (cd) to the <IS_HOME>/bin directory.
8. Stop and restart Ellucian Ethos Identity, using the appropriate commands for your operating
system:
Linux/UNIX:
sh wso2server.sh stop
sh wso2server.sh start
Windows:
wso2server.bat stop
wso2server.bat start

Example: Configure Banner 8 applications

Banner 8 applications implement single sign-on using Banner SSO Manager, a component of
Banner Enterprise Identity Services (BEIS). The following steps demonstrate how to configure a
Banner SSO Manager service provider in Ellucian Ethos Identity.

About this task


For details on configuring CAS for Banner SSO Manager, refer to the CAS Single Sign On
Handbook.

Procedure
1. Create a service provider for Banner SSO Manager in the Management Console.
2. Create a new custom claim mapping for the service provider.
For the claim mapping, select the identity attribute configured in the Banner SSO Manager
Admin interface. For this example, the unique identifier name is UDC_IDENTIFIER and the
LDAP attribute cn contains the value.
3. Enter the Service URL for Banner SSO Manager. Include a trailing slash.
Example: https://sso.server.edu:8443/ssomanager/
4. Click Update to save the settings.

Example: Configure Banner 9.x applications

Banner 9.x applications are configured individually for SSO functionality, but follow similar steps
for Ellucian Ethos Identity configuration. The following steps demonstrate how to configure a
Banner Student Overall service provider in Ellucian Ethos Identity.

About this task


For details on configuring CAS for Banner 9.x applications, refer to the CAS Single Sign On
Handbook.


Procedure
1. Create a service provider for Banner 9.x Student Overall in the Management Console.
2. Create a new custom claim mapping for the service provider.
For the claim mapping, select the identity attribute configured in the Banner 9.x Student
Overall configuration. For this example, the unique identifier name is UDC_IDENTIFIER and
the LDAP attribute cn contains the value.
3. Enter the Service URL for Banner 9.x Student Overall. Include a trailing slash.
Example: https://banner.server.edu:8443/StudentOverall/
4. Click Update to save the settings.

Configure SAML 2.0 service providers


Security Assertion Markup Language (SAML) is an XML-based standard for exchanging
authentication and authorization data between security domains. Ellucian Ethos Identity supports
the SAML 2.0 Web Browser SSO Profile, which involves an identity provider, a service provider,
and a principal with an HTTP user agent.

The following diagram depicts the login and SAML Response validation process for a SAML 2.0
service provider against Ellucian Ethos Identity.


Configure service provider certificate exchange

Service providers often require information to be digitally signed or encrypted when
communicating with Ellucian Ethos Identity. To facilitate secure communication, both applications
exchange digital certificates.

About this task

Certificate exchange entails exporting the public certificate from the keystore of one application
and importing it into the keystore of the other application.

Procedure
1. Export the public certificate from the Ellucian Ethos Identity server keystore.

keytool -export -alias <use the same certificate alias> -keystore <server keystore name>.jks -file <public certificate name>.pem
2. Import the public certificate for Ellucian Ethos Identity that you exported in step 1 into the
service provider (client) keystore.
You must import the public certificate for the Ellucian Ethos Identity server using the same
alias from the server keystore.
3. Export the public certificate from the service provider so that it can be used in Ellucian Ethos
Identity.
You must import the certificate into both the server and the client keystores, as described in
steps 4 and 5.
4. Import a public certificate into the client keystore <IS_HOME>/repository/resources/security/
client-truststore.jks using the following command.
keytool -import -alias <use the same certificate alias> -file <public certificate name>.pem -keystore client-truststore.jks -storepass wso2carbon
Ellucian Ethos Identity uses a separate client keystore for backend and inter-system
communication.
5. Import a public certificate into the server keystore using the following command:
keytool -import -alias <certificate alias> -file <public certificate name>.pem -keystore <server keystore>.jks
The server keystore must contain public certificates for service providers to decrypt SAML and
validate digital signatures.

Configure claim mapping

A service provider might require specific user store attributes that must be passed to the service
provider. Ellucian Ethos Identity provides some default claims that map to user store attributes.
You might need to add claims, or change the existing mappings to point to a different attribute in
your directory server.

Procedure
1. In the Management Console, click the Main tab.
2. Under Claims, click List.
3. Click http://wso2.org/claims.
4. Review the existing claims to determine whether you need to add claims, or modify an
existing claim to point to a different attribute in your user store.
5. If you need to add a claim, follow the instructions in the WSO2 procedure for Adding Claim
Mapping.
For example, you might need to add one of the claims listed in the table below.
Claim        Description
logonname    Logon name claim mapping (example value: sAMAccountName)
upn          User principal name claim mapping (example value: userPrincipalName)
objectguid   Object GUID claim mapping (example value: objectGUID)
udcid        Banner UDC Identifier claim mapping (example value: udcid)
personid     Colleague Person Identifier claim mapping (example value: employeeNumber)

6. If you need to modify an existing claim, follow the instructions in the WSO2 procedure for
Editing Claim Mapping.

(Optional) Make a service provider visible to additional administrators

For a service provider to be visible to an administrator, that user must either have created that
service provider or be assigned the role associated with the service provider.

About this task


When you add a service provider, WSO2 Identity Server creates a role associated with that
service provider and assigns that role to the administrative user who added the service provider.
By default, other users do not see that service provider in the service provider list. As a result,
other users cannot maintain that service provider, and two users could create service providers
with a similar configuration which would create conflicts. This issue could arise, for example,
because a different user logged in to the Management Console or you switched to using email
address rather than username to log in.
To avoid these issues, do either of the following:

• Perform the procedure below to assign that role to other users, so that multiple users can view
and maintain the service provider.
• Always log in as the same user (for example, the administrator created by Ellucian Ethos
Identity) to add or maintain service providers.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Users and Roles > List.
4. On the User and Roles page, click Roles.
5. On the Roles page, search for the role associated with the service provider.
The role name is Application/<service_provider_name>. WSO2 Identity Server
created this role when you added the service provider.
6. Click Assign Users in that row.
7. On the User List of Role page, select the check boxes for any users who you want to be able
to view and maintain this service provider.


8. Click Finish.

Add SAML configuration

Add the SAML settings for the integrating application.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Service Providers > List.
4. In the row for the service provider, click Edit.
5. Expand Inbound Authentication Configuration > SAML2 Web SSO Configuration.
6. Click Configure to access the Register New Service Provider page.
Note: The remaining steps in this procedure are based on a manual
configuration, using the Manual Configuration option in the Select Mode
section of the page. You can use the Metadata File Configuration or URL
Configuration options if you have the required file or URL.

7. Enter the Issuer value that is configured in the service provider application. This value is
validated against the SAML Authentication Request issued by the service provider.
8. Enter a valid Assertion Consumer URL where the browser redirects the SAML Response after
authentication.
Note: The Assertion Consumer URL must use lowercase http or https to conform to SAML
protocol standards. For example: <samlp:AuthnRequest
AssertionConsumerServiceURL="https://webadvisor.school.edu/WebAdvisor/WebAdvisor".
Before Ellucian Ethos Identity 2.0, you could use uppercase characters for the URL, but this
is no longer supported.

9. Enter a valid NameID format supported by Ellucian Ethos Identity. You can use the following
values:
• urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
• urn:oasis:names:tc:SAML:2.0:nameid-format:transient
• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
• urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
• urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
• urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
• urn:oasis:names:tc:SAML:2.0:nameid-format:entity
10. Select Certificate Alias for the service provider’s public certificate. This certificate is used to
validate the signature of SAML 2.0 Requests and to generate encryption.


11. Select Enable Response Signing to sign the SAML 2.0 Responses returned after the
authentication process.
12. Select Enable Signature Validation in Authentication Requests and Logout Requests if
the identity provider must validate the signature of the SAML 2.0 Authentication and Logout
Requests that are sent by the service provider.
13. Select Enable Assertion Encryption to encrypt the assertions.
14. Select Enable Single Logout so that all sessions across all authenticated service providers
are terminated after the user signs out from one server. If the service provider supports a
different URL than the Assertion Consumer URL for logout, enter a SLO Request URL for
logging out.
15. Select Enable Attribute Profile to add a basic attribute profile where the identity provider can
include the user’s attributes in the SAML Assertions as part of the attribute statement. Select
Include Attributes in the Response Always if the identity provider should always include
the attribute values related to the selected claims in the SAML attribute statement.
16. Select Enable Audience Restriction to restrict the audience. Add audience members using
the Audience text box and click Add Audience.
17. Select Enable IdP Initiated SSO so that either the IdP or the service provider can initiate
single sign-on.
18. Click Register to save settings and return to the service provider configuration page.
19. Click Update to save all settings.
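As an added example (not Ellucian or WSO2 code), the following Python models the registration fields from the procedure above and checks an incoming AuthnRequest against them: the Issuer must match the registered value, an AssertionConsumerServiceURL in the request must equal the registered URL with a lowercase http or https scheme, and any requested NameID format must be one of the supported formats listed in step 9. The sample requests are constructed, and the WebAdvisor issuer value is made up for the example.

```python
"""Check a SAML 2.0 AuthnRequest against a registered service provider.

Added example for this page, not Ellucian or WSO2 code. The ServiceProvider
record mirrors fields from the Register New Service Provider page; the
sample requests are constructed here (the WebAdvisor issuer is made up).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# NameID formats the page lists as supported by Ellucian Ethos Identity.
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
}


@dataclass
class ServiceProvider:
    """Subset of the SAML2 Web SSO registration fields used by the checks."""
    issuer: str
    assertion_consumer_url: str
    nameid_format: str
    audience_restriction: bool = False
    audiences: list = field(default_factory=list)


# Constructed registration for the WebAdvisor URL quoted on the page.
WEBADVISOR_SP = ServiceProvider(
    issuer="webadvisor.school.edu",  # made-up issuer value
    assertion_consumer_url="https://webadvisor.school.edu/WebAdvisor/WebAdvisor",
    nameid_format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
)

# Constructed request that matches the registration above.
GOOD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-example-1" Version="2.0" IssueInstant="2018-11-27T10:00:00Z"
    AssertionConsumerServiceURL="https://webadvisor.school.edu/WebAdvisor/WebAdvisor">
  <saml:Issuer>webadvisor.school.edu</saml:Issuer>
  <samlp:NameIDPolicy
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed request with the wrong issuer and an uppercase URL scheme,
# the case the page says is no longer accepted.
BAD_REQUEST = (GOOD_REQUEST
               .replace("webadvisor.school.edu</saml:Issuer>",
                        "other-sp.school.edu</saml:Issuer>")
               .replace('="https://webadvisor', '="HTTPS://webadvisor'))


def _lowercase_http_scheme(url):
    """True when the URL starts with a lowercase http: or https: scheme."""
    return url.split(":", 1)[0] in ("http", "https")


def check_registration(sp):
    """Return problems with the registered values themselves (empty list = OK)."""
    problems = []
    if not _lowercase_http_scheme(sp.assertion_consumer_url):
        problems.append("Assertion Consumer URL must use lowercase http or https")
    if sp.nameid_format not in SUPPORTED_NAMEID_FORMATS:
        problems.append(f"unsupported NameID format: {sp.nameid_format}")
    if sp.audience_restriction and not sp.audiences:
        problems.append("Enable Audience Restriction is set but no audience was added")
    return problems


def check_authn_request(xml_text, sp):
    """Return a list of mismatches between the request and sp (empty = accept)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != sp.issuer:
        problems.append(f"issuer {issuer!r} does not match registered {sp.issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None:  # optional in the request; when present it must match exactly
        if not _lowercase_http_scheme(acs):
            problems.append("AssertionConsumerServiceURL scheme must be lowercase http or https")
        if acs != sp.assertion_consumer_url:
            problems.append(f"AssertionConsumerServiceURL {acs!r} is not the registered URL")
    policy = root.find("samlp:NameIDPolicy", NS)
    fmt = policy.get("Format") if policy is not None else None
    if fmt and fmt not in SUPPORTED_NAMEID_FORMATS:
        problems.append(f"unsupported NameID format requested: {fmt}")
    return problems
```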

Modify identity provider issuer

Change the Identity Provider Entity Id to the expected URI of the Issuer statement in SAML 2.0
Responses.

About this task


The identity provider issuer was established when you ran the update-resident-idp
command during initial configuration. If you need to update the identity provider issuer, perform the
following procedure.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Under Identity Providers, click Resident.
4. Expand Inbound Authentication Configuration > SAML2 Web SSO Configuration.
5. In the Identity Provider Entity ID field, enter a valid identity provider name or URI that will be
used by all service providers.
6. Click Update to save the settings.


Example: Configure Colleague Self-Service

Colleague Self-Service is built on ASP.NET MVC technology and leverages SAML 2.0 SSO for
single sign-on.

Procedure
1. Create a service provider for Colleague Self-Service in the Management Console.
For more details on configuring Colleague Self-Service, refer to Colleague Self-Service in
Configure Ellucian Ethos Identity for Specific Products.
2. Create a new custom claim mapping for the service provider. For the claim mapping, select
the identity attribute configured in the Colleague Self-Service Admin interface. For this
example, the unique identifier name is colleague and the local claim sAMAccountName
contains the value.
3. Configure the SAML 2.0 SSO settings. Click the Configure link to open a new page.
4. Enter the Issuer and the Assertion Consumer URL and choose the appropriate options.
5. Click Register to save settings and return to the service provider configuration page.
6. Click Update to save all settings.

Example: Configure Google Apps

Google Apps for Work (formerly Google Apps for Business) is a suite of cloud computing
productivity and collaboration software tools and software offered on a subscription basis by
Google. It includes Google's web applications Gmail, Google Drive, Google Hangouts, Google
Calendar, and Google Docs.

Procedure
1. In the Management Console, create a service provider for Google Apps.
2. For the claim mapping, select NameID as the Service Provider Claim as shown in the
following table.

Service Provider Claim   Local Claim                            Requested Claim
NameID                   http://wso2.org/claims/emailaddress    ✓

3. Configure the SAML 2.0 SSO settings:
a) Click the Inbound Authentication link.
b) Click the SAML2 Web SSO Configuration link to expand the SAML configuration.
c) Click Configure.
4. Enter google.com/a/domain_name for the issuer, replacing domain_name with your
institution's Google Apps domain.
5. Enter https://www.google.com/a/domain_name/acs for the Assertion Consumer URL
replacing domain_name with your institution's Google Apps Domain.
6. Under Certificate Alias, select your Ellucian Ethos Identity Signing Certificate.


7. Check the Enable Response Signing option.
8. Check the Enable Single Logout option.
9. Enter https://www.google.com/a/domain_name/acs for the SLO Response URL replacing
domain_name with your institution's domain name.
10. Enter https://www.google.com/a/domain_name/acs for the SLO Request URL replacing
domain_name with your institution's domain name.
11. Check the Enable Attribute Profile option.
12. Check the Enable Idp Initiated SSO option.
13. Click Update to save SAML configuration.
14. Click Update to save all configurations.

Configure Google Apps to use Ellucian Ethos Identity as IDP

Allow Google Apps to use Ellucian Ethos Identity as its primary identity provider.

Procedure
1. Log in to Google Apps Admin Console as an Administrator by navigating to:
admin.google.com
2. Click Security.
3. Click Set up single sign-on (SSO).
4. Check the Setup SSO with third party identity provider option.
5. Enter your institution's Ellucian Ethos Identity SAMLSSO URL for Sign-in page URL.
Example: https://idp.school.edu/samlsso.
6. Enter your institution's Ellucian Ethos Identity SAMLSSO URL for Sign-out page URL. The
URL must end with ?slo=true.
Example: https://idp.school.edu/samlsso?slo=true.
7. If you have enabled Change Password within Ellucian Ethos Identity, enter your Ellucian
Ethos Identity Change Password URL under Change Password URL.
If you have another web application that performs password changes, then enter the URL for
that web application here.
Example: https://idp.school.edu/password/change.
8. Select your Ellucian Ethos Identity Token Signing certificate for the Verification Certificate.

Configure WS-Federation service providers


WS-Federation is a federation protocol that allows different security realms to provide authorized
access to resources managed in other realms. This protocol builds on the WS-Security, WS-Trust,
and WS-* specifications. Ellucian Ethos Identity supports WS-Federation Passive Requestor
Profile, where the web browser is a passive requestor.

The following diagram depicts the login and requestor token validation process for a
WS-Federation service provider against Ellucian Ethos Identity.


Configure service provider certificate exchange

Service providers often require information to be digitally signed or encrypted when
communicating with Ellucian Ethos Identity. To facilitate secure communication, both applications
exchange digital certificates.

About this task

Certificate exchange entails exporting the public certificate from the keystore of one application
and importing it into the keystore of the other application.

Procedure
1. Export the public certificate from the Ellucian Ethos Identity server keystore.
keytool -export -alias <use the same certificate alias> -keystore <server keystore name>.jks -file <public certificate name>.pem


2. Import the public certificate for Ellucian Ethos Identity that you exported in step 1 into the
service provider (client) keystore.
You must import the public certificate for the Ellucian Ethos Identity server using the same
alias from the server keystore.
3. Export the public certificate from the service provider so that it can be used in Ellucian Ethos
Identity.
You must import the certificate into both the server and the client keystores, as described in
steps 4 and 5.
4. Import a public certificate into the client keystore <IS_HOME>/repository/resources/security/
client-truststore.jks using the following command.
keytool -import -alias <use the same certificate alias> -file <public certificate name>.pem -keystore client-truststore.jks -storepass wso2carbon
Ellucian Ethos Identity uses a separate client keystore for backend and inter-system
communication.
5. Import a public certificate into the server keystore using the following command:
keytool -import -alias <certificate alias> -file <public certificate name>.pem -keystore <server keystore>.jks
The server keystore must contain public certificates for service providers to decrypt SAML and
validate digital signatures.

Configure claim mapping

A service provider might require specific user store attributes that must be passed to the service
provider. Ellucian Ethos Identity provides some default claims that map to user store attributes.
You might need to add claims, or change the existing mappings to point to a different attribute in
your directory server.

Procedure
1. In the Management Console, click the Main tab.
2. Under Claims, click List.
3. Click http://wso2.org/claims.
4. Review the existing claims to determine whether you need to add claims, or modify an
existing claim to point to a different attribute in your user store.
5. If you need to add a claim, follow the instructions in the WSO2 procedure for Adding Claim
Mapping.
For example, you might need to add one of the claims listed in the table below.
Claim        Description                                  Example value
logonname    Logon name claim mapping                     sAMAccountName
upn          User principal name claim mapping            userPrincipalName
objectguid   Object GUID claim mapping                    objectGUID
udcid        Banner UDC Identifier claim mapping          udcid
personid     Colleague Person Identifier claim mapping    employeeNumber

6. If you need to modify an existing claim, follow the instructions in the WSO2 procedure for
Editing Claim Mapping.

(Optional) Make a service provider visible to additional administrators

For a service provider to be visible to an administrator, that user must either have created that
service provider or be assigned the role associated with the service provider.

About this task


When you add a service provider, WSO2 Identity Server creates a role associated with that
service provider and assigns that role to the administrative user who added the service provider.
By default, other users do not see that service provider in the service provider list. As a result,
other users cannot maintain that service provider, and two users could create service providers
with a similar configuration which would create conflicts. This issue could arise, for example,
because a different user logged in to the Management Console or you switched to using email
address rather than username to log in.
To avoid these issues, do either of the following:

• Perform the procedure below to assign that role to other users, so that multiple users can view
and maintain the service provider.
• Always log in as the same user (for example, the administrator created by Ellucian Ethos
Identity) to add or maintain service providers.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Users and Roles > List.
4. On the User and Roles page, click Roles.
5. On the Roles page, search for the role associated with the service provider.
The role name is Application/<service_provider_name>. WSO2 Identity Server
created this role when you added the service provider.
6. Click Assign Users in that row.
7. On the User List of Role page, select the check boxes for any users who you want to be able
to view and maintain this service provider.
8. Click Finish.

Add Passive STS realm

Add the Passive STS realm for the integrating application.

Procedure
1. Log in to the Management Console.
2. Click the Main tab.
3. Go to Service Providers > List.
4. In the row for the service provider, click Edit.
5. Expand Inbound Authentication Configuration > WS-Federation (Passive)
Configuration.
6. In the Passive STS Realm field, enter the URI or URL of the target application deployment.
7. In the Passive STS WReply URL field, enter the URI or URL of the federation recipient.
8. Click Update.

Modify STS timeout (optional)

The security token service (STS) timeout determines how long an issued session token is valid. If this
value is too low, SharePoint service providers request tokens more often and performance degrades; if it
is too high, a token that is captured or leaked stays usable for longer. Choose the shortest lifetime
that your SharePoint deployment tolerates.

Procedure
1. In an editor, open the eis_config.properties file located in the <IS_HOME>/config directory.
2. Set the STS timeout property to the appropriate value:

Property             Description
eis.sts.TimeToLive   WS-Federation token timeout in milliseconds. The default is 1800000 milliseconds (30 minutes).

3. Save the changes to the file.


4. Open a command prompt. (For Windows, right-click and run as administrator.)
5. Change directories (cd) to the <IS_HOME>/config directory.
6. Run the command below for your operating system to update the appropriate xml file with the
change made to the eis_config.properties file.
Linux/UNIX:
ANT_HOME=../apache-ant/
export ANT_HOME
../apache-ant/bin/ant config-all-xml
Windows:
..\apache-ant\bin\ant config-all-xml
7. Change directories (cd) to the <IS_HOME>/bin directory.

8. Stop and restart Ellucian Ethos Identity, using the appropriate commands for your operating
system:
Linux/UNIX:
sh wso2server.sh stop
sh wso2server.sh start
Windows:
wso2server.bat stop
wso2server.bat start
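The shell functions below are an added example, not part of Ellucian's documentation, covering only step 2 of this procedure. They write eis.sts.TimeToLive into a properties file from a value given in minutes and read it back, so the millisecond unit cannot be mistyped: a value of 30 entered directly would mean 30 milliseconds, and tokens would expire before SharePoint could present them. The file path and the sample file contents are constructed for the demo; the ant config-all-xml step and the restart still follow as described above.

```shell
#!/usr/bin/env bash
# Added example, not from Ellucian's documentation: set eis.sts.TimeToLive in
# eis_config.properties from a value in minutes. The property is in milliseconds,
# so a value typed in minutes would issue tokens that expire almost immediately;
# converting and validating here avoids that. File paths are placeholders and the
# sample file below is constructed for the demo.
set -eu

# Idempotently set key=value in a .properties file: replace an existing
# assignment (even a commented-out one) or append one. Dots in the key are
# escaped so they match literally in the regular expression.
set_property() {  # file key value
  local file="$1" key="$2" value="$3" re
  re="$(printf '%s' "$key" | sed 's/\./\\./g')"
  [ -f "$file" ] || : > "$file"
  if grep -Eq "^[#[:space:]]*${re}[[:space:]]*=" "$file"; then
    sed -i.bak -E "s|^[#[:space:]]*${re}[[:space:]]*=.*|${key}=${value}|" "$file"
    rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Print the (last) value assigned to a key, or nothing if it is absent.
get_property() {  # file key
  local re; re="$(printf '%s' "$2" | sed 's/\./\\./g')"
  sed -n -E "s/^[[:space:]]*${re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n1
}

# Whole positive minutes -> milliseconds; anything else is rejected.
# 10# forces base 10 so a leading zero is not read as octal.
minutes_to_ms() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ] || return 1
  echo $(( 10#$1 * 60 * 1000 ))
}

set_sts_ttl_minutes() {  # properties-file minutes
  local ms; ms="$(minutes_to_ms "$2")" || return 1
  set_property "$1" "eis.sts.TimeToLive" "$ms"
}

# Demo run on a constructed copy of eis_config.properties.
demo() {
  local f; f="$(mktemp)"
  printf '# constructed sample\neis.sts.TimeToLive=1800000\nother.setting=1\n' > "$f"
  set_sts_ttl_minutes "$f" 60
  get_property "$f" eis.sts.TimeToLive   # prints 3600000
  rm -f "$f"
}
demo
```

On the real server, point set_sts_ttl_minutes at <IS_HOME>/config/eis_config.properties, then continue with steps 4 to 8 so the value reaches the generated xml and the running instance.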

Modify STS issuer (optional)

If the service provider requires a URI for the issuer of the WS-Federation response, set the issuer
to the base URL of the Ellucian Ethos Identity instance.

Procedure
1. In the Management Console, click the Main tab.
2. Under Identity Providers, click Resident.
3. Expand Inbound Authentication Configuration > WS-Federation (Passive)
Configuration.
4. In the Identity Provider Entity Id field, enter the base URL of your Ellucian Ethos Identity
instance.
Example: https://eis.school.edu:8443
5. Click Update.

Example: Configure Ellucian Portal

Ellucian Portal is built on Microsoft SharePoint, which uses WS-Federation for single sign-on.

Procedure
1. Create a service provider for Ellucian Portal in the Management Console.
2. Create new custom claim mappings for the service provider. SharePoint requires logonname
and role global claim mappings. The Subject Claim URI must be set to the logonname claim
and the Role Claim URI must be set to the role claim.
3. Enter the Passive STS Realm configured in SharePoint. This must be a URI or URL of the
SharePoint site for Ellucian Portal.
Example: https://portal.server.edu
4. Click Update to save the settings.
For more details on configuring Ellucian Portal, refer to Ellucian Portal in Configure Ellucian
Ethos Identity for Specific Products.
