SAProfile_WebTrac_Single_Sign_On_WebTrac_Single_Sign_On_Help
The WebTrac Single Sign On profile establishes connection parameters for WebTrac Single Sign On (SSO), a process by which patrons can sign into a secure web site using their credentials and then sign into WebTrac without having to re-authenticate. For example: Penny Lane is a student at State University. The State University has RecTrac and WebTrac. Their secure student web site has a link to WebTrac. When Penny Lane logs into the State University student web site, she can click the link to WebTrac and be logged in automatically without needing to re-enter login credentials.
See Also: Topic Doc - Single Sign On.
Making changes to a profile is an Audited Event. Additionally, Linking, Removing, Purging, and Cloning profiles are also Audited Events.
See Also: Topic Doc - RecTrac Profile Assignments Screen, Hierarchy Guide, and Profile Listing.
SAProfile_WebTrac_Single_Sign_On_WebTrac_Single_Sign_On_Tab1
SSO Method (SAProfileDetails_SSOMethod)
Select your Single Sign On Method:
- CAS - Central Authentication Service. You will be using a CAS server, which is where your WebTrac patrons log in. If the login is valid and if their login credentials are found in the SAXREF table, they are granted access to WebTrac.
- Trusted Redirect - This is a method by which a cookie and an encrypted string are sent to WebTrac. WebTrac is given a set number of seconds to recreate the string and match it against the original. If a match is made, the user is logged into WebTrac.
- Unencrypted Cookie - This is a method by which the external portal creates a cookie to pass patron login credentials to WebTrac, thus allowing the patron to bypass the WebTrac login screen.
- Shibboleth - This method utilizes an Identity Server (IdP) to act as the login point.
Note: See Also: Topic Doc - Single Sign On
Start URL (SAProfileDetails_SSOStartURL)
Enter the URL to which patrons will be redirected after a successful login when using Single Sign On.
Note: If using the CAS SSO Method, leave this field blank as it is not used. When using CAS, patrons are redirected to the Member Start Page.
Fail URL (SAProfileDetails_SSOFailURL)
Enter the URL to which patrons will be redirected in the event of a failed login when using Single Sign On.
Note: If using the CAS SSO Method, leave this field blank as it is not used. When using CAS, patrons are redirected to the CAS login URL in the event of a failure.
HH/FM Not Found Option (SAProfileDetails_SSONotFoundOption)
Select your Household/Family Member not found option. If a patron is authenticated as part of the SSO process but subsequently not found in WebTrac, determine how you wish the patron to be re-directed:
- Add via WebTrac - If the member is not found in WebTrac, the member will be directed to the New Household screen, where the member can add himself/herself as a household in your RecTrac database.
- WebTrac Guest Login - If the member is not found in WebTrac, the member will be directed to your WebTrac Guest login page.
- Custom URL - If the member is not found in WebTrac, the member will be directed to the URL you enter in the Custom URL field below.
Custom URL (SAProfileDetails_SSONotFoundCustomURL)
This field is applicable only if your HH/FM Not Found Option is "Custom URL."
Enter the URL to which you want members to be directed when SSO authentication succeeds but the member is not found in WebTrac.
Public Interface Parameter (SAProfileDetails_SSOPublicInterfaceParameter)
Enter the WebTrac Interface Parameter associated with the public population. This is the WebTrac Parameter that establishes the WebTrac "guest" page you wish your public population to see when accessing WebTrac. Enter the parameter code in this field. For example, WebTracParameterPublic.
WebTrac Interface Parameters are maintained in Interface Parameters Management.
SSO Interface Parameter (SAProfileDetails_SSOPrivateInterfaceParameter)
Enter the WebTrac Interface Parameter associated with the private population. This is the WebTrac Parameter that establishes the login page you wish your private population to see when accessing WebTrac. Enter the parameter code in this field. For example, WebTracParameterPrivate.
WebTrac Interface Parameters are maintained in Interface Parameters Management.
CAS Ticket Validation Response Type (SAProfileDetails_SSOCASVersion)
Select your CAS Ticket Validation Response Type from the options provided.
Further information regarding these options can be found here: https://github.com/apereo/cas/blob/master/cas-server-documentation/protocol/CAS-Protocol.md.
CAS Response XREF Attribute (Default: serviceResponse.authenticationSuccess.user) (SAProfileDetails_SSOCASXREFAttribute)
This field is applicable only if your CAS Ticket Validation Response Type is a 3.0 option.
Enter the default Response XREF as listed in the field label or enter your own value in this field if desired.
Further information regarding these options can be found here: https://github.com/apereo/cas/blob/master/cas-server-documentation/protocol/CAS-Protocol.md.
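The default XREF attribute is a dotted path into the CAS 3.0 validation response. The following added example (not WebTrac or Vermont Systems code) resolves such a path in a JSON-format response and refuses to read anything when the ticket was rejected. The function names, the sample responses, and the rule that the path must sit under authenticationSuccess are assumptions made for illustration.

```python
import json

DEFAULT_XREF_PATH = "serviceResponse.authenticationSuccess.user"
SUCCESS_PREFIX = "serviceResponse.authenticationSuccess."

class CasValidationError(Exception):
    """The CAS response did not yield a usable XREF value."""

def extract_xref(response_body, path=DEFAULT_XREF_PATH):
    """Resolve a dotted attribute path in a CAS 3.0 JSON validation response."""
    # Only values asserted inside authenticationSuccess may identify a patron.
    if not path.startswith(SUCCESS_PREFIX):
        raise CasValidationError("path must be under authenticationSuccess")
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError as exc:
        raise CasValidationError("response is not valid JSON") from exc
    service = doc.get("serviceResponse") if isinstance(doc, dict) else None
    if not isinstance(service, dict):
        raise CasValidationError("missing serviceResponse")
    # A rejected ticket must never fall through to attribute lookup.
    failure = service.get("authenticationFailure")
    if failure is not None:
        code = failure.get("code", "UNKNOWN") if isinstance(failure, dict) else "UNKNOWN"
        raise CasValidationError(f"ticket rejected: {code}")
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise CasValidationError(f"attribute path not found at '{key}'")
        node = node[key]
    # Attributes may be released as lists; accept exactly one value.
    if isinstance(node, list):
        if len(node) != 1:
            raise CasValidationError("attribute is not single-valued")
        node = node[0]
    if not isinstance(node, str) or not node.strip():
        raise CasValidationError("attribute is empty or not a string")
    return node.strip()

# Constructed sample responses (not captured from a real server).
SUCCESS = json.dumps({"serviceResponse": {"authenticationSuccess": {
    "user": "plane", "attributes": {"studentId": ["S1002345"]}}}})
FAILURE = json.dumps({"serviceResponse": {"authenticationFailure": {
    "code": "INVALID_TICKET", "description": "Ticket not recognized"}}})

if __name__ == "__main__":
    print(extract_xref(SUCCESS))
    print(extract_xref(SUCCESS, SUCCESS_PREFIX + "attributes.studentId"))
```

Whatever value the path resolves to is what gets matched against the patron's XREF, so a custom path should point at an attribute that is unique per patron and always released as a single value.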
CAS Login URL (SAProfileDetails_SSOCASLoginURL)
This field is applicable only if your SSO Method is "CAS."
Enter the URL of the CAS login page. This must include at least the name of the first name-value pair.
CAS Validate URL (SAProfileDetails_SSOCASValidateURL)
This field is applicable only if your SSO Method is "CAS."
Enter the name of the CAS service ticket name-value pair. When a CAS login is successful the CAS server sends a name-value pair to WebTrac which contains a service ticket. Enter this value here.
CAS Ticket Name (SAProfileDetails_SSOCASTicketName)
This field is applicable only if your SSO Method is "CAS."
Enter the name of the CAS service ticket name-value pair. When a CAS login is successful the CAS server sends a name-value pair to WebTrac which contains a service ticket. Enter this value here.
Append Service to URLs? (SAProfileDetails_SSOCASAppendService)
This field is applicable only if your SSO Method is "CAS."
Determine whether you want to append service to your URLs.
Trusted Redirect Cookie Name (SAProfileDetails_SSOTrustedRedirectCookieName)
This field is applicable only if your SSO Method is "Trusted Redirect."
Enter the cookie name that WebTrac will look for during the Single Sign On process. Trusted Redirect requires custom coding from Vermont Systems, so the cookie name will be determined by you and Vermont Systems.
Trusted Redirect Cookie Value Type (SAProfileDetails_SSOTrustedRedirectCookieValue)
This field is applicable only if your SSO Method is "Trusted Redirect."
Select your custom Trusted Redirect Cookie Value Type.
- Boston University - Trusted Redirect Cookie Value Type for Boston University.
- Member ID - This links directly to a SAPerson record which MUST be a single family member in a single household (i.e. a family member cannot exist in multiple households).
- XREF - This links to an XREF Number linked to the family member. As above this MUST be a single family member in a single household.
- Username | Password - This is the member's unencrypted username and password. As these fields are NOT encrypted, this is NOT the preferred option.
- Household ID - This links directly to a SAHousehold record.
- Household Number - This links directly to a unique household number.
Trusted Redirect Time (in secs) (SAProfileDetails_SSOTrustedRedirectTime)
This field is applicable only if your SSO Method is "Trusted Redirect."
Enter a value 1-999999999. This is the amount of time in seconds WebTrac will have to validate the Family Member XRef and encrypted string passed when a user attempts to sign on using the Trusted Redirect SSO Method.
Generally speaking, this value should be no more than 60.
Trusted Redirect Secret Word (SAProfileDetails_SSOTrustedRedirectWord)
This field is applicable only if your SSO Method is "Trusted Redirect" and your Trusted Redirect Value Type is "Boston University."
Enter a secret word or phrase in this field. This word is used when creating the hash. The hash is used to test the validity of the authentication cookie value.
This field accepts alpha-numeric characters, special characters, and spaces.
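The time limit and the secret word above follow a general pattern: the receiver recreates a keyed hash over the value it was sent and accepts it only inside a short window. The following added example sketches that pattern; it is not Vermont Systems' implementation, whose string format is custom and not documented on this page. HMAC-SHA256, the `value|timestamp|mac` layout, and all names and sample values are assumptions.

```python
import hashlib
import hmac

def _mac(secret, xref, issued):
    return hmac.new(secret, f"{xref}|{issued}".encode(), hashlib.sha256).hexdigest()

def make_token(xref, issued_at, secret):
    """Portal side: bind the XREF to its issue time with a keyed hash."""
    if "|" in xref:
        raise ValueError("XREF must not contain the field separator")
    return f"{xref}|{issued_at}|{_mac(secret, xref, issued_at)}"

def verify_token(token, secret, now, max_age=60):
    """Receiving side: recreate the hash, compare it, enforce the time window.
    Returns the XREF on success and None on any failure."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    xref, issued_raw, mac = parts
    if not (issued_raw.isascii() and issued_raw.isdigit()):
        return None
    # Recompute over the fields exactly as received, then compare in constant time.
    expected = _mac(secret, xref, issued_raw)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    # Reject tokens from the future and tokens older than the configured window.
    age = now - int(issued_raw)
    if age < 0 or age > max_age:
        return None
    return xref

# Constructed values for the demonstration.
SECRET = b"constructed-demo-secret"
ISSUED = 1_700_000_000
TOKEN = make_token("X1001", ISSUED, SECRET)

if __name__ == "__main__":
    print(verify_token(TOKEN, SECRET, ISSUED + 30))   # inside the window
    print(verify_token(TOKEN, SECRET, ISSUED + 61))   # outside the window
```

A captured token stays replayable until the window closes, which is why the time value is kept small and why both servers need synchronized clocks.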
Trusted Redirect Encryption Method (SAProfileDetails_SSOTrustedRedirectEncryptionMethod)
This field is applicable only if your SSO Method is "Trusted Redirect" and your Trusted Redirect Value Type is other than "Boston University."
Select your Trusted Redirect Encryption Method from the options provided.
THEN
Click Generate Key to create your encryption key.
Trusted Redirect Encryption Key (SAProfileDetails_SSOTrustedRedirectEncryptionKey)
This field is applicable only if your SSO Method is "Trusted Redirect" and your Trusted Redirect Value Type is other than "Boston University."
Select your Trusted Redirect Encryption Method from the options provided.
THEN
Click Generate Key to create your encryption key.
Unencrypted Cookie Name (Always prepended with an "_") (SAProfileDetails_SSOUnencryptedCookieName)
This field is applicable only if your SSO Method is "Unencrypted Cookie."
Enter the cookie name that WebTrac will look for during the Single Sign On process. Typically you will enter vsibyp. The system will prepend "_" automatically.
Unencrypted Cookie Value Type (SAProfileDetails_SSOUnencryptedCookieValue)
This field is applicable only if your SSO Method is "Unencrypted Cookie."
Select your Cookie Value Type.
- Member ID - This links directly to a SAPerson record which MUST be a single Family Member in a single Household (i.e. a Family Member cannot exist in multiple households).
- XREF - This links to an XREF Number linked to the Family Member. As above this MUST be a single Family Member in a single Household.
- User Name | Password - This is the member's unencrypted username and password. As these fields are NOT encrypted, this is NOT the preferred option.
Shibboleth CGI Attribute? (SAProfileDetails_SSOShibbolethCGIAttribute)
This field is applicable only if your SSO Method is "Shibboleth."
Enter the Shibboleth CGI Attribute according to the Attribute the Service Provider will give WebTrac during login.
- By default this is HTTP_EPPN.
- If you are not sure what this is, you can enable Output CGI Values to Log; as long as WebSpeed debugging is on, it will output all of the values during login to the log file so you can find the proper CGI name. WebSpeed debugging is enabled/disabled on your Static Parameters profile, Logging/Debug Settings group.
See Also: Topic Doc - Single Sign On.
Output CGI Values to Log? (Must have WebSpeed Debugging On) (SAProfileDetails_SSOShibbolethDebug)
This field is applicable only if your SSO Method is "Shibboleth."
If you are not sure of your Shibboleth CGI Attribute value, you can enable this option to have the system output all of the values during login. Values will be written to the WebSpeed Debug log and should allow you to find the proper CGI name. WebSpeed debugging must be enabled on your Static Parameters profile, Logging/Debug Settings group.
See Also: Topic Doc - Single Sign On.