CAS SSO | Subprojects

    cas-client (The minimal-3rd-party-independent CAS client library)

    This subproject is independent of the other two (cas-weblogic and cas-blackboard). It is a minimal-3rd-party-independent CAS client library, and can be used by itself for handling the validation of CAS Service Tickets with a CAS Server Validation Service.

    cas-weblogic (For implementing a Nulled Trust Manager in the Oracle/Bea WebLogic Server)

    The classes in this subproject extend classes from the cas-client subproject to implement WebLogic-specific methods, and extend classes from the WebLogic library that are necessary for implementing a Nulled Trust Manager.

    The Oracle/Bea WebLogic Server implements its own version of certain SSL libraries, overriding the associated classes in the Oracle/Sun JDK. In order to implement a Nulled Trust Manager within the Java runtime environment of an Oracle/Bea WebLogic server, the WebLogic-specific SSL classes must be extended and implemented.

    Since Blackboard 8 runs on Oracle/Bea WebLogic Server 9.2, the cas-weblogic subproject becomes a necessary library in order for the Blackboard CAS SSO Custom Authentication Module to utilize a Nulled Trust Manager.

    The cas-client subproject has native JDK implementations for a Nulled Trust Manager. The cas-weblogic library is needed only within an Oracle/Bea WebLogic Server for utilizing a Nulled Trust Manager.

    Why use a Nulled Trust Manager?

    If a CAS Server utilizes a self-signed SSL Certificate, or a certificate signed by a non-trusted CA (an organization might have its own internal CA), the CA (Certificate Authority) certificate chain must be added to the database of Known Root Certificate Authorities within the Oracle/Bea WebLogic server.

    Adding a CA Certificate Chain to this Known Root CA database is not a simple process. Blackboard does not provide any Graphical User Interface to help the administrator do this. It must be completed through command line tools distributed with the JDK, and also requires you to export and import the CA Chain in specific formats.

    Since the Blackboard CAS SSO Custom Authentication module is configured to connect to one SSL server, that is the CAS Server, it is likely that the SSL Certificate of the server is already trusted by the administrator. So instead of going through the process of importing the CA Chain, the administrator can just configure the module to use a Trust Manager that does not require the CA Chain to be known.

    This routine of using a Nulled Trust Manager is what Mozilla Firefox, Google Chrome, and Internet Explorer do when they receive a certificate that is not in their KeyStore and you click the button to make the browser accept the untrusted SSL Certificate and proceed to the web site anyway. The only difference is that this code does not ask you to accept it; you configure the library ahead of time to have the check turned off.

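    The SSL connection is encrypted with a Nulled Trust Manager just as strongly as with a typical Trust Manager. What the Nulled Trust Manager leaves out is verification of the certificate chain, so the connection does not by itself confirm that the peer is the intended CAS Server.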
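
    An alternative to turning chain validation off, given here as an added example (not code from the cas-client or cas-weblogic subprojects): trust only the CAS Server's CA chain, for this one connection, without importing anything into the JDK-wide keystore. It assumes the standard JDK JSSE stack rather than WebLogic's SSL classes; the class and method names, the PEM file path and the validation URL are hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ScopedCasTrust {
    /** Builds an SSLContext whose only trust anchors are the certificates in the given PEM file. */
    static SSLContext contextTrustingOnly(String caPemPath) throws Exception {
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null); // empty in-memory store; the JDK-wide cacerts file is never touched
        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(caPemPath))) {
            int n = 0;
            for (Certificate ca : x509.generateCertificates(in))
                anchors.setCertificateEntry("cas-ca-" + n++, ca);
        }
        if (anchors.size() == 0) {
            throw new IllegalArgumentException("no certificates found in " + caPemPath);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    /** Requests the URL; the chain is checked against the scoped anchors, the host name by the JDK default. */
    static int fetchStatus(String validateUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(validateUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only
        try {
            return conn.getResponseCode(); // SSLHandshakeException if the chain does not verify
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file holding the CAS Server's CA chain (or its self-signed certificate)
        // args[1]: https:// URL of the CAS validation service (both are assumptions)
        SSLContext ctx = contextTrustingOnly(args[0]);
        System.out.println("HTTP " + fetchStatus(args[1], ctx));
    }
}
```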

    cas-blackboard (WIU's Blackboard 8+ CAS SSO Custom Authentication Module)

    Blackboard produces a Learning Management Platform. During the first decade of the 21st century, Blackboard bought out a rival company, WebCT. The WebCT Learning Management Platform retained its name through version 4, and another version named Campus Edition version 6, or CE6. These were the predominant versions through 2007.

    During this era, CAS (Central Authentication Service) was widely used for Single Sign On (SSO) within educational institutions. A WebCT employee had produced a Custom Authentication Module for WebCT which authenticated WebCT users with a CAS Server.

    After Blackboard bought out WebCT in the latter part of that decade, no new releases of the WebCT CAS Authentication Module were produced. The WebCT web site which the module resided on disappeared, and the module was moved to another community site by community members.

    Though new releases of the module were no longer forthcoming, the CAS project was very active. It produced newer versions of the software and of the protocol. The WebCT 4 CAS SSO Custom Authentication Module only supported CAS protocol version 1.0, whereas the CAS project was nearing version 3.0 in 2010.

    With the jump from WebCT 4 and WebCT CE6 to Blackboard 8, the documentation for the WebCT 4 CAS SSO Custom Authentication Module was no longer fully accurate. Additionally, the WebCT 4 CAS SSO Custom Authentication Module was coded in a way that provided for minimal satisfactory operation.

    Western Illinois University's role

    WIU (Western Illinois University) had CAS Single Sign On services implemented in its enterprise, but was utilizing CAS protocol version 2.0. Additionally, the documentation of the WebCT 4 CAS SSO Custom Authentication Module did not account for the Institutional Administrative level introduced in Blackboard 8.0. The module had to be configured on that level, and would not work if only configured on the Domain Administration level as the documentation said. The tech administrators also found it difficult to debug the module's activity. And finally, there was nothing in place to audit the authorization activity of the module. The audit measures were necessary to monitor activity, and to assist users having trouble gaining access to Blackboard via the module.

    CAIT (Center for the Application of Information Technologies) is a special organization on WIU's campus, under the uTech (University Technology) division. Specifically, CAIT actively participates in the online and distance learning development initiatives of the University. When the challenges were presented in an update meeting, employees from CAIT and uTech worked together to produce a solution. The result of that solution is this project, WIU's Blackboard 8+ CAS SSO Custom Authentication Module. The fruit of the solution produced three specific projects: cas-client, cas-weblogic, and cas-blackboard. The latter is this subproject, which encompasses the specific authentication module.

    Features and Benefits

    These are the specific features and benefits of WIU's Blackboard 8+ CAS SSO Custom Authentication Module that make it advantageous.

    These features are configurable on the module's configuration page within the Blackboard 8 Institutional Administration settings.

    • Supports both version 2.0 and 1.0 CAS protocols.
      By looking at the specifications, the CAS protocol version 3.0 should be compatible with the module's parser for the 2.0 protocol version, without the support for proxy authentication. However, this is untested.
    • Supports both a normal SSL Trust Manager and a Nulled SSL Trust Manager.
      Using a Nulled Trust Manager saves the administrator from importing a CA chain into the WebLogic JDK keystore for self-signed certificates.
    These features are configurable in Blackboard's Log4j configuration.
    • Has more debugging output, and throws a lot more (and more informative) errors when something does not go right.
    • Supports audit logging. The module can write information about a user's attempted authorization to an audit log, whether the attempt was successful or not.
      The audit output looks like this: [Tue Feb 15 15:50:50 CST 2011] ticket="ST-723-qPQ1tsbg79x0HazgeINi-cas" auth="success" userid="jsmith" timems="834"
    • Audit logging to a database or remote logging server. Log4j can be configured to log the audit log data to a remote database or logging server. This is ideal in a multi-node Blackboard installation.
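
    A parser for the audit line format shown above, with two checks an administrator might run over the log: service tickets that appear more than once, and validations that did not succeed, counted per userid. This is an added example, not code from the cas-blackboard subproject; the class and method names are hypothetical, and the second sample line, including its auth="failure" value and empty userid, is constructed because the page shows only a success line.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CasAuditScan {
    // "[timestamp]" followed by key="value" pairs, as in the audit line shown above
    private static final Pattern LINE = Pattern.compile("^\\[([^\\]]+)\\]\\s+(.*)$");
    private static final Pattern PAIR = Pattern.compile("(\\w+)=\"([^\"]*)\"");

    /** Parses one audit line into its fields; returns null if it is not in the audit format. */
    static Map<String, String> parse(String line) {
        Matcher m = LINE.matcher(line.trim());
        if (!m.matches()) return null;
        Map<String, String> fields = new TreeMap<>();
        fields.put("time", m.group(1));
        Matcher p = PAIR.matcher(m.group(2));
        while (p.find()) fields.put(p.group(1), p.group(2));
        return fields.containsKey("ticket") && fields.containsKey("auth") ? fields : null;
    }

    /** Flags service tickets seen more than once and counts non-success results per userid. */
    static List<String> findings(List<String> lines) {
        Map<String, Integer> ticketUses = new TreeMap<>();
        Map<String, Integer> failures = new TreeMap<>();
        for (String line : lines) {
            Map<String, String> f = parse(line);
            if (f == null) continue; // not an audit line
            ticketUses.merge(f.get("ticket"), 1, Integer::sum);
            if (!"success".equals(f.get("auth")))
                failures.merge(f.getOrDefault("userid", ""), 1, Integer::sum);
        }
        List<String> out = new ArrayList<>();
        ticketUses.forEach((t, n) -> { if (n > 1) out.add("ticket seen " + n + " times: " + t); });
        failures.forEach((u, n) -> out.add(n + " failed validation(s), userid=\"" + u + "\""));
        return out;
    }

    public static void main(String[] args) {
        // First line is the page's sample; the second is constructed, and its
        // auth="failure" value and empty userid are assumptions about the failure format.
        List<String> sample = List.of(
            "[Tue Feb 15 15:50:50 CST 2011] ticket=\"ST-723-qPQ1tsbg79x0HazgeINi-cas\" auth=\"success\" userid=\"jsmith\" timems=\"834\"",
            "[Tue Feb 15 15:51:02 CST 2011] ticket=\"ST-723-qPQ1tsbg79x0HazgeINi-cas\" auth=\"failure\" userid=\"\" timems=\"212\"");
        findings(sample).forEach(System.out::println);
    }
}
```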
    Here are some additional benefits.
    • The source code is freely available under the GPL license
    • The cas-blackboard libraries can be compiled without WebLogic library dependencies, and used in Blackboard (without the Null Trust Manager though).
      The installation documentation describes how to obtain a WebLogic Server library for compiling the cas-weblogic subproject. If you have an Oracle/Bea WebLogic server, then you have the library. However, with changes to a few lines of code, you can compile the cas-blackboard library without the cas-weblogic dependency.
    • The cas-client subproject is a minimal CAS client library that can be used in any Java application to help with managing validation with a CAS server.