Banner 9 SAML

Jorj Bauer jorj at
Fri Oct 27 16:01:36 EDT 2017

We have both CAS and Shib working with Banner 9 and Luminis 5. Ish. (We 
actually have a hybrid of Banner 8 and 9 during conversion at the moment.)

The only real stumbling block is with the general use of iframes. If 
you've followed modern security practice and turned on 
Content-Security-Policy, X-Frame-Options, or other iframe defeating 
technology, that's a problem. Whether iframes are normal to the native 
Ellucian products, I can't say; I know that they're a core part of our 

The problem is mostly avoidable with CAS - if you set session times long 
enough everywhere, then the ticket checks and handoffs via SSOManager 
happen as GETs (except where the session is actually expired) and don't 
fall afoul of X-Frame-Options (rightly or wrongly).

With SAML, every user action seems to wind up as a POST through an 
iframe. (Some? Many? Most? All?) of the embedded sub-product handoffs 
fail when the user is navigating through Banner and/or Luminis 5.

But my major concern with CAS is throughput. Our general CAS throughput 
(via Shib) is something like 20% of the same actions via SAML, 
end-to-end. Partly because of the extra round-trip to validate the CAS 
ticket via the backchannel.

On a single Shib server, we get about 85 AuthNs per second using SAML; 
but only about 15 per second end-to-end via CAS...

-- Jorj

On 10/27/17 3:16 PM, Craig Pluchinsky wrote:
> Has anyone out there been able to get Shib to work with Banner 9?
> Ellucian told us they only support their identity provider.  It should
> be straight forward, just adapting the docs to use Shib, but I can't
> seem to get things to work.
> -------------------------------
> Craig Pluchinsky
> IT Services
> Indiana University of Pennsylvania
> 724-357-3327

More information about the users mailing list