Sunday, April 17, 2016

DegreeWorks is running, now let's use the data!



  • Purpose
    • Share some ways to use the audit data from DW to improve our process
  • Will upload more information

Security Changes in DegreeWorks 4.1.5


  • Introduction
    • Significant changes were made to the security layer of the DegreeWorks application for 4.1.5
    • Incorporates standardized libraries to ensure higher quality implementations
    • Moves all authentication to the Java application layer
    • Adds support for SAML2
    • Requires reconfiguring security
  • Agenda
    • Overview
    • Authentication
    • Authorization
    • Update Considerations
  • Overview
    • What's new in DW 4.1.5
      • Configuration done in Shep settings, not UCX
      • Support SAML authentication
      • SHP User Attributes
    • What's not new in DW 4.1.5
      • Security still based on services and keys
      • Shp user record still basically the same
      • SHPCFG (with some changes)
  • Authentication: Who are you?
    • DegreeWorks Native Login
    • CAS
    • SAML
    • External Authentication Manager
    • Special Cases
  • Authentication Filters
    • Must present credentials to gain access to controlled resources:
      • Java Session ID (JSESSIONID)
      • SHP Passport
      • CAS token
      • SAML ticket
      • External Access Manager token
  • Authentication Entry Point
    • No Credentials? Directed to an authentication entry point
      • Native DegreeWorks Login Screen
      • CAS Server
      • SAML Server
  • Native Authentication Providers
    • Shep User Record (SHP_USER_MST)
      • core.security.shp.authentication.enabled=true
    • LDAP (external server - e.g. Luminis, OpenLDAP)
      • core.security.ldap.enabled=true
    • Both can be used
  • Native Login - Shep Authentication
    • core.security.passwordEncoding.enabled
    • core.security.passwordCheck.sha1.enabled
    • core.security.passwordCheck.clearText.enabled
    • core.security.shp.maxLoginAttempts
    • core.security.shp.failLoginResetMinutes
    • Separate settings for how we should encode password
  • Native Login - LDAP Authentication
    • Configure server location
      • core.security.ldap.serverUrl
        • E.g. ldaps://ldap.myschool.edu:636/ou=users,dc=myschool,dc=edu
    • Must supply admin user credentials
      • core.security.ldap.adminDn
      • core.security.ldap.adminPassword
    • Specify search path
      • core.security.ldap.userDnPattern (e.g. "loginId={0}" )
      • core.security.ldap.userSearchBase
      • core.security.ldap.userSearchFilter (e.g. "(&(objectClass=user)(cn={0}))")
      • Uses {0} as the placeholder for the user login ID
    • Need to find an attribute to link to the shp_user_mst access ID or 
      • Missed this.  Should have taken a picture.  Guess once they are posted, I can get these notes.
  • CAS
    • CAS configured services URL
      • core.security.cas.callbackUrl
      • core.security.authenticationType="CAS"
      • (eliminated core.security.cas.enable)
    • URL for ticket validation
      • core.security.cas.serverUrlPrefix (Was in cgi_settings.pm as $CAS_URL)
    • URL for login

  • SAML


  • External Authentication Managers
    • We won't use this.  It turns off security for DW and abdicates it to another manager.
  • Special Cases
    • Stuck in the past
      • Self Service Banner (SSB)
      • PeopleSoft portal
      • Transit
  • Authorization
    • Services, keys, users and groups
    • SHPCFG
    • Shp Passport
  • Services, keys, users and groups
    • Nothing changed
  • SHPCFG



  • SHP Passport
  • Miscellaneous

  • Summary - Update Considerations
    • Must reconfigure security completely.  Lots of new Shep settings
    • Must review SHPCFG file
      • Check EVERYBODY is enabled
        • Missed some of this.  Get slides
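
Added example (not from the presentation or from DegreeWorks itself): a small Python audit of the settings named in the Native Login, LDAP and CAS notes above, for use while reconfiguring security. It assumes the settings can be dumped as key=value lines and infers each setting's meaning from its name; the sample values are constructed.

```python
# Assumptions: settings are available as key=value lines and each setting's
# meaning is inferred from its name. SAMPLE is constructed, not real config.
SAMPLE = """\
core.security.authenticationType=CAS
core.security.cas.serverUrlPrefix=http://cas.myschool.edu/cas
core.security.ldap.enabled=true
core.security.ldap.serverUrl=ldap://ldap.myschool.edu:389/ou=users,dc=myschool,dc=edu
core.security.ldap.userSearchFilter=(&(objectClass=user)(cn={0})
core.security.passwordCheck.clearText.enabled=true
core.security.shp.maxLoginAttempts=0
"""
P = "core.security."

def parse(text):
    """Map key -> value; split on the first '=' only (LDAP values contain '=')."""
    rows = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip().strip('"') for k, v in rows}

def balanced(flt):  # True if the parentheses of an LDAP filter nest correctly
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def audit(cfg):
    """Return sorted setting names (without the common prefix) that need review."""
    get = lambda k: cfg.get(P + k, "")
    on = lambda k: get(k).lower() == "true"
    bad = set()
    for k in ("passwordCheck.clearText.enabled", "passwordCheck.sha1.enabled"):
        if on(k):
            bad.add(k)                      # legacy password check still accepted
    if not get("shp.maxLoginAttempts").isdigit() or int(get("shp.maxLoginAttempts")) < 1:
        bad.add("shp.maxLoginAttempts")     # no usable failed-login limit
    if on("ldap.enabled"):
        if not get("ldap.serverUrl").startswith("ldaps://"):
            bad.add("ldap.serverUrl")       # admin bind and user passwords need TLS
        flt = get("ldap.userSearchFilter")
        if flt and ("{0}" not in flt or not balanced(flt)):
            bad.add("ldap.userSearchFilter")  # must be well-formed and carry {0}
    if get("authenticationType") == "CAS" and \
            not get("cas.serverUrlPrefix").startswith("https://"):
        bad.add("cas.serverUrlPrefix")      # ticket validation should use HTTPS
    return sorted(bad)

if __name__ == "__main__":
    print("\n".join("review: " + P + n for n in audit(parse(SAMPLE))))
```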