CASifying Banner Self Serve
Description
These instructions explain how to make Banner Self Service 8.x use CAS for authentication. The setup uses the Yale PL/SQL CAS Client, a custom WebTailor package, and a small modification to twbkwbis. It maps the username from CAS to the GOBTPAC_EXTERNAL_USER field. Keeping the GOBTPAC_EXTERNAL_USER field in sync with your LDAP directory, or whatever authentication source your CAS instance uses, is up to your institution.
Requirements
- Yale PL/SQL CAS Client
- A new WebTailor package called twzkcasl (header and body)
- Modify twbkwbi1.sql (patch file provided for version 8.2.0.1)
Step 1: Install the Yale PL/SQL CAS Client
The Yale PL/SQL CAS Client needs to be installed in the WTAILOR schema.
Step 2: Install the package TWZKCASL
This package was created by James Gutholm from The Evergreen State College. James released it under the GPL license and I added one tiny improvement. The most important function in it is f_cas_get_banner_login, which essentially takes a successful CAS login and maps it to the Banner student ID and PIN from GOBTPAC. The CAS username must match the GOBTPAC_EXTERNAL_USER field.
There are a couple of modifications you will need to make to twzkcas1.sql. Find the following two lines (133 and 134) and add your CAS URLs.
YUAPPS_CAS.set_login_url('https://login.yourschool.edu/cas/login');
YUAPPS_CAS.set_validate_url('https://login.yourschool.edu/cas/serviceValidate');
This package also needs to be installed in the WTAILOR schema.
Registering this package in WebTailor
At the bottom of the file twzkcasl.sql the WebTailor setup is done for you.
Step 3: Modify the Banner baseline package TWBKWBIS
It is only necessary to modify the package body. I have provided a patch file for version 8.2.0.1 (the latest at the time of this writing) of TWBKWBIS. If that isn't the version of Banner that you are currently running, I recommend getting version 8.2.0.1, applying this patch and then merging it into whatever version of TWBKWBIS you are using.
Step 4: Set Up WebTailor Parameters
-- change these to wtailor parameters
-- CAS_ENABLED=Y
-- CAS_FORCE_RENEWAL=Y
delete from twgbparm where twgbparm_param_name like 'CAS_%';
insert into TWGBPARM (TWGBPARM_PARAM_NAME, TWGBPARM_PARAM_VALUE, TWGBPARM_ACTIVITY_DATE)
  values ('CAS_ENABLED', 'Y', SYSDATE);
insert into TWGBPARM (TWGBPARM_PARAM_NAME, TWGBPARM_PARAM_VALUE, TWGBPARM_ACTIVITY_DATE)
  values ('CAS_FORCE_RENEWAL', 'N', SYSDATE);
insert into TWGBPARM (TWGBPARM_PARAM_NAME, TWGBPARM_PARAM_VALUE, TWGBPARM_ACTIVITY_DATE)
  values ('CAS_RANDOMIZE_PIN', 'N', SYSDATE);
insert into TWGBPARM (TWGBPARM_PARAM_NAME, TWGBPARM_PARAM_VALUE, TWGBPARM_ACTIVITY_DATE)
  values ('CAS_SERVICE_URL', 'https%253A%252F%252Fbanner.yourschool.edu%252Fpls%252Fproddad%252Ftwzkcasl.P_Service_Ticket?target=', SYSDATE);
commit;
WebTailor Parameters
You can control several things via the WebTailor parameters.
| Parameter | Description |
|---|---|
| CAS_ENABLED | A Y/N value, Y meaning CAS authentication is enabled, N meaning it is disabled. Even when you set this to Y, users can still log into Banner Self Serve by hitting the default login page directly. |
| CAS_FORCE_RENEWAL | A Y/N value, Y meaning users will be forced to re-enter their credentials. |
| CAS_RANDOMIZE_PIN | When set to Y, it will randomize the GOBTPAC_PIN every time the user logs in. Set to N by default. |
| CAS_SERVICE_URL | Instead of hard-coding the service URL into the package TWZKCASL, you can set it as a parameter here. This makes cloning from production to pre-production or dev easier because you don't have to re-compile TWZKCASL; you can just change this parameter. |
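A check to run after a clone, as an added example (not part of the original instructions or of the TWZKCASL package): it decodes a CAS_SERVICE_URL value and reports whether it still points at another environment's host or DAD. The dev host `bannerdev.yourschool.edu` and DAD `devdad` are constructed sample values, and treating two rounds of percent-encoding as the required form is an assumption based on the value shown in Step 4.

```python
from urllib.parse import unquote, urlsplit

# Sample value from the Step 4 insert above (placeholder host and DAD).
PAGE_VALUE = ("https%253A%252F%252Fbanner.yourschool.edu%252Fpls%252Fproddad"
              "%252Ftwzkcasl.P_Service_Ticket?target=")


def decode_service_url(value, max_rounds=3):
    """Percent-decode until the value stops changing; return (url, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def check_service_url(value, expected_host, expected_dad):
    """Return a list of problems; an empty list means the value fits this environment."""
    url, rounds = decode_service_url(value)
    parts = urlsplit(url)
    segments = parts.path.split("/")  # ['', 'pls', '<dad>', '<package.procedure>']
    problems = []
    if rounds != 2:  # assumption: the twice-encoded form shown in Step 4 is required
        problems.append(f"percent-encoded {rounds} time(s), expected 2")
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if (parts.hostname or "") != expected_host.lower():
        problems.append(f"host is {parts.hostname!r}, expected {expected_host!r}")
    if len(segments) != 4 or segments[1] != "pls" or segments[2] != expected_dad:
        problems.append(f"path {parts.path!r} does not use DAD {expected_dad!r}")
    if segments[-1].lower() != "twzkcasl.p_service_ticket":
        problems.append(f"path {parts.path!r} does not end in twzkcasl.P_Service_Ticket")
    return problems


if __name__ == "__main__":
    # Production value checked against production: no findings.
    print(check_service_url(PAGE_VALUE, "banner.yourschool.edu", "proddad"))
    # Same value left in place on a clone (constructed dev host and DAD): two findings.
    for p in check_service_url(PAGE_VALUE, "bannerdev.yourschool.edu", "devdad"):
        print("MISMATCH:", p)
```

In practice the value would be read from TWGBPARM in the cloned database rather than embedded in the script.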
General Notes
Even when you have CAS_ENABLED set to "Y", you can still log in to Banner Self Serve by hitting the login page directly, for example https://banner.yourschool.edu/pls/proddad/twbkwbis.P_WWWLogin. Hitting any other page will use CAS to authenticate; for example, https://banner.yourschool.edu/pls/proddad/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu will use CAS.
A Note about SSL
You may need to set up an Oracle wallet on your Banner database server, where TWBKWBIS is installed, if you don't already have one. It is used only for outgoing SSL to CAS, so you don't need to import any certificates; the Oracle wallet just needs to exist.