External Patron Authentication - PowerPoint PPT Presentation

1
External Patron Authentication
  • Intro to Central Authentication Services
  • WebVoyage Setup
  • Yale Patron Authentication Adapter
  • Enduser2004 - Session 35, Friday, April 16th, 1 pm
  • Jeff Barnett, Gail Barnett, Kalee Sprague

2
Objectives
  • Describe environment and requirements for central
    authentication at Yale
  • Describe background specifications
  • Describe WebVoyage configuration details,
    stumbling blocks and pitfalls
  • Describe nuts and bolts of one Authentication
    Adapter implementation using CAS central
    authentication

3
External Patron Authentication
  • Background - Central Authentication Services at
    Yale

4
NetIDs
  • Unique network identification for each current
    member of the Yale Community: students, faculty,
    staff
  • At first for Email and dialup access
  • Now for many (nearly all) campus systems
  • Banner, Classes, uPortal, Eportal, eTravel,
    Printing, Yale Windows Domain, HR online info
  • Library proxy server, locally developed software
    for Voyager reports

5
NetIDs
  • Implemented in central ITS Kerberos server
  • Available to validate user access to network
    applications using a high degree of
    cryptographic security
  • ITS also provides web services to activate,
    change, check NetID passwords and User
    Accounts

6
The CAS Why?
  • To give Web services offered by organizations
    other than ITS a way to authenticate users
    without needing access to their NetID passwords
  • To facilitate single sign-on
  • To simplify procedures needed to perform NetID
    authentication - Much easier interface for Web
    apps developers than Kerberos
  • To localize authentication to a single server for
    easier maintainability

7
The CAS What?
  • What advantages and features does CAS provide
    users of campus Web apps?
  • Confidence in secure and safe handling of their
    passwords
  • Convenience of Web single sign-on
  • Familiar, recognized, trusted login screen

9
CAS in a Nutshell
[Diagram: Browser, CAS, CASified Web Application]
  • Authenticates via password (once, if cookie)
  • Determines validity of user's claimed authentication
  • Authenticates without sending password
10
The CAS How?
  • Designed as a standalone web application
  • Implemented as several java servlets
  • Runs through an HTTPS server
  • Accessed through three URLs:
      • Login URL
      • Validation URL
      • Logout URL

11
CAS Implementation
1. Initial request
2. Authentication (sends ServiceID)
12
CAS Implementation
1. Initial request
2. Authentication (sends ServiceID)
3. Ticket Transfer (sends ticket)
4. Validation (sends NetID)
13
CAS - More Information
  • More general and technical information is
    available at http://www.yale.edu/tp/auth/cas10.html, plus:
      • How to use CAS in a web app
      • Link to download CAS
      • Link to download client libraries
      • Description of CAS 2.0

14
Library Applications and CAS
  • Why Use the CAS for Library applications?
  • For reasons already mentioned:
      • Password security
      • Single sign-on
      • Familiar, trusted login screen
  • But also:
      • No need to administer Patron PINs in Voyager and
        userids/passwords
      • Identification NOT based on any part of SSNs
      • Easier programming

15
Specification background
  • Central authentication was part of Yale's 2000 /
    2001 ILMS upgrade specification
  • Requirements and interfaces negotiated with
    Endeavor
  • Test installation and feedback early 2003

16
WebVoyage Patron Authentication Adaptor Feature
  • New in 2001.2
  • Allows WebVoyage to communicate with any external
    patron authentication system
  • To use the feature, you need to:
      • Configure WebVoyage
      • Populate patron records with external ID
      • Develop a patron authentication adapter (locally
        written program, in any language)
  • See Voyager 2001.2 Technical Users Guide,
    Appendix D

17
External Patron Authentication - Voyager setup
  • Load Patron Records
  • OPAC.INI changes
  • Stumbling Blocks
  • Login page problems
  • Request form problems

18
Load the Central Auth ID into your Patron Records
  • A Patron record must exist
  • The CAS id must be loaded into the Institution
    ID field
  • Each Institution ID must be unique

19
Load the Central Auth ID into your Patron Records
20
OPAC.INI parameter changes
  • [ExtAuthenticationSystem]
  • ExtAuthSystemEnabled=Y
  • ExtAuthBypassLoginScreen=N
  • ExtAuthSubmitText=Login using NetID and Password
  • ExtAuthSystemURL=http://traindb.library.yale.edu:8085/VoyAuth/voyauth/voyAuthAdpt.jsp?
  • ExtAuthButtonMethod=GET

26
External Auth Login Button
27
HTML Source of Login button
    <P><form method="GET"
    action="http://traindb.library.yale.edu:8085/VoyAuth/voyauth/voyAuthAdpt.jsp?">
    <INPUT TYPE=HIDDEN NAME=PAGE VALUE=pbPatron><INPUT TYPE=HIDDEN NAME=PID VALUE="13922">
    <INPUT TYPE=HIDDEN NAME=SEQ VALUE="20040401105534">
    <div align="center">
    <input type=submit value="Login using NetID and Password" name="submit">
    </div>
    </form>

28
Offering a selection of Logins
  • Set ExtAuthBypassLoginScreen=N
  • Use LoginTypes stanza to set up traditional
    Login:
      • [Login Types]
      • BC=Visitor Barcode

29
Offering a selection of Logins
30
Stumbling Blocks - Login Page
  • Position of the button on the page can't be
    changed

31
Stumbling Blocks - Login Page
  • No ability to use a local image for the external
    authentication button on the traditional Voyager
    page

32
Error Messages
  • If Authentication fails, the patronextmsg.htm
    file will display

33
Stumbling Block - Requests
  • Patron Requests don't work the same
  • Patron ID verification in the Request Form is
    turned off
  • Possibility of requesting material for wrong
    patron

34
Stumbling Block - Requests
  • Normal request screen

35
Stumbling Blocks - Requests
  • External Authentication Request Form does not
    contain a secondary login field

36
Bridging Voyager and CAS
37
Patron Authentication Adapter Workflow
  • User selects WebVoyage function requiring login
  • WebVoyage gives control of browser to the adapter
  • Adapter authenticates the patron using CAS
    functions
  • Adapter inserts information in Voyager database
    and returns positive status to WebVoyage
  • Using information just placed in the database,
    WebVoyage locates the corresponding patron record
    and logs in

38
Voyager Adapter Rules
  • Save the PID that WebVoyage sends in an HTTP
    request to invoke the Adapter. This field
    contains the WebVoyage process id that enables
    the Adapter to communicate with the WebVoyage
    instance that invoked it.
  • Collect whatever credentials it needs to
    determine a user's identity using CAS
  • If the authentication is successful, retrieve a
    unique patron key, referred to as the netid in
    this document, from the server.

39
Voyager Adapter Rules
  • Use an SQL programming interface to insert a
    record into the Voyager database that contains 2
    fields, one for the WebVoyage process id
    obtained in step 1 and the other for the patron
    netid.
  • Create a redirect URL to WebVoyage that combines
    the PID it received from WebVoyage and a field
    that indicates whether patron authentication was
    successful
  • Return control to WebVoyage using this redirect
    URL.
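
The adapter rules on slides 38-39, carried through as an added Python example (not the presenters' JSP/servlet code). It assumes CAS 1.0 plain-text validation responses; the table `ext_auth_handoff`, the `authenticated` redirect field, the WebVoyage return URL and the NetID pattern are hypothetical stand-ins, and the CAS call is a constructed stub so the example runs offline.

```python
import re
import sqlite3
from urllib.parse import urlencode

PID_RE = re.compile(r"\d{1,10}")          # WebVoyage process id, e.g. 13922
SEQ_RE = re.compile(r"\d{14}")            # timestamp-like SEQ, e.g. 20040401105534
NETID_RE = re.compile(r"[a-z0-9]{2,16}")  # assumed NetID shape

def parse_cas10_validation(body):
    """CAS 1.0 validation body is 'yes\\n<netid>\\n' or 'no\\n\\n'; return netid or None."""
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and NETID_RE.fullmatch(lines[1]):
        return lines[1]
    return None

def make_handoff_db():
    """In-memory stand-in for the Voyager database; table and columns are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ext_auth_handoff (pid TEXT NOT NULL, netid TEXT NOT NULL)")
    return db

def handle_cas_return(params, cas_validate, db, webvoyage_url):
    """Adapter rules 1-6: keep PID, validate the ticket, record (pid, netid), redirect."""
    pid, seq = params.get("PID", ""), params.get("SEQ", "")
    # PID and SEQ come back through the browser: reject anything that is not
    # plain digits before it reaches SQL or the redirect URL.
    if not (PID_RE.fullmatch(pid) and SEQ_RE.fullmatch(seq)):
        raise ValueError("malformed PID or SEQ")
    # The netid is taken only from the CAS validation response, never from the request.
    netid = parse_cas10_validation(cas_validate(params.get("ticket", "")))
    if netid is not None:
        db.execute("INSERT INTO ext_auth_handoff (pid, netid) VALUES (?, ?)", (pid, netid))
        db.commit()
    # 'authenticated' is a hypothetical name for the success/failure field.
    status = "Y" if netid is not None else "N"
    query = urlencode({"PAGE": "pbPatron", "PID": pid, "SEQ": seq, "authenticated": status})
    return webvoyage_url + "?" + query

def fake_cas_validate(ticket):
    """Constructed CAS stand-in: one known ticket maps to netid 'jb123'."""
    return "yes\njb123\n" if ticket == "ST-1-constructed" else "no\n\n"

if __name__ == "__main__":
    db = make_handoff_db()
    request = {"PID": "13922", "SEQ": "20040401105534", "ticket": "ST-1-constructed"}
    print(handle_cas_return(request, fake_cas_validate, db, "https://webvoyage.example.edu/login"))
    print(db.execute("SELECT pid, netid FROM ext_auth_handoff").fetchall())
```

In a deployment, `cas_validate` would be an HTTPS request to the CAS validation URL carrying the ticket and the adapter's own service URL.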

40
Programming Mechanics
  • Tomcat Servlet Container
  • CAS taglib
  • voyAuthAdpt.jsp
      • Capture Voyager PID
      • Invoke CAS
  • voyauth servlet
      • Get patron id from netid
      • Return Y/N decision to Voyager

41
Programming Nuts and bolts
  • See how it's done

42
Programming Lessons
  • Use properties to isolate site specific
    parameters
  • Use JDBC connection to minimize SQL overhead
  • Use Tomcat Servlet Container to isolate
    deployment, logging, and management

43
Programming Collaboration
  • Sample code available by request
  • jeffrey.barnett_at_yale.edu
  • http://www.library.yale.edu/jbarnett/EndUser2004
  • .war file to be submitted to support web
  • Open Source distribution under consideration

44
Q&A
  • The Environment?
  • The Configuration?
  • The Implementation?
  • Other