Banner 9 SAML
Jorj Bauer
jorj at temple.edu
Fri Oct 27 16:01:36 EDT 2017
We have both CAS and Shib working with Banner 9 and Luminis 5. Ish. (We
actually have a hybrid of Banner 8 and 9 during conversion at the moment.)

The only real stumbling block is with the general use of iframes. If
you've followed modern security practice and turned on
Content-Security-Policy, X-Frame-Options, or other iframe-defeating
technology, that's a problem. Whether iframes are normal to the native
Ellucian products, I can't say; I know that they're a core part of our
deployment.

The problem is mostly avoidable with CAS - if you set session times long
enough everywhere, then the ticket checks and handoffs via SSOManager
happen as GETs (except where the session is actually expired) and don't
fall afoul of X-Frame-Options (rightly or wrongly).

With SAML, every user action seems to wind up as a POST through an
iframe. (Some? Many? Most? All?) of the embedded sub-product handoffs
fail when the user is navigating through Banner and/or Luminis 5.

But my major concern with CAS is throughput. Our general CAS throughput
(via Shib) is something like 20% of the same actions via SAML,
end-to-end. Partly because of the extra round-trip to validate the CAS
ticket via the backchannel.

On a single Shib server, we get about 85 AuthNs per second using SAML;
but only about 15 per second end-to-end via CAS...

-- Jorj

On 10/27/17 3:16 PM, Craig Pluchinsky wrote:
> Has anyone out there been able to get Shib to work with Banner 9?
> Ellucian told us they only support their identity provider. It should
> be straightforward, just adapting the docs to use Shib, but I can't
> seem to get things to work.
>
>
> -------------------------------
> Craig Pluchinsky
> IT Services
> Indiana University of Pennsylvania
> 724-357-3327
>
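
The iframe conflict described in the message above, as an added example that is not part of the original post or of any Ellucian or Shibboleth code: a small audit function that decides whether a browser would render an embedded page given its X-Frame-Options and Content-Security-Policy frame-ancestors headers, comparing a blanket DENY with a policy scoped to the portal. The hostnames are hypothetical, only the direct parent frame is modelled, and scheme-less sources are assumed to use the page's own scheme.

```python
from urllib.parse import urlsplit

PORTS = {"https": 443, "http": 80}

def origin(url):
    """Reduce a URL to (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or PORTS.get(u.scheme))

def source_matches(source, parent, own):
    """Match one frame-ancestors source expression against the parent origin."""
    source = source.lower()
    if source == "*":
        return True
    if source == "'self'":
        return parent == own
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return parent[0] == source[:-1]
    if "://" not in source:                          # simplification: assume our own scheme
        source = f"{own[0]}://{source}"
    scheme, host, port = origin(source)
    if host.startswith("*."):                        # wildcard covers subdomains only
        return (scheme, port) == (parent[0], parent[2]) and parent[1].endswith(host[1:])
    return (scheme, host, port) == parent

def framing_allowed(headers, page_url, parent_url):
    """Would a browser render page_url in a frame whose parent is parent_url?
    Only the direct parent is modelled, not a chain of nested ancestors."""
    h = {k.lower(): v for k, v in headers.items()}
    own, parent = origin(page_url), origin(parent_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            return any(source_matches(s, parent, own) for s in parts[1:] if s != "'none'")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == own
    return True  # no restriction sent (the obsolete ALLOW-FROM is treated as absent)

# Constructed sample: hypothetical hostnames for an embedded app and its portal.
APP = "https://banner.example.edu/app/"
PORTAL = "https://portal.example.edu/"
BLANKET = {"X-Frame-Options": "DENY"}
SCOPED = {"X-Frame-Options": "DENY",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.edu"}
```

With BLANKET the portal cannot frame the application at all; with SCOPED the portal can, while any other origin is still refused.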