
Student System Project

Deployment & Support

Deliverable Specification

0118_882_UVa NetBadge Integration

Specification Name: 0118_882_UVa NetBadge Integration
Functional Writer: Teresa Wimmer
Creation Date: 04/29/2008
Requested By: Teresa Wimmer
Technical Writer: Vinod Moorjani
Date Needed in Production:
Primary Contact: Teresa Wimmer
Reviewer: Teresa Wimmer

/conversion/tmp/scratch/390310481.doc 1 of 20
Last Updated: 6/20/2018 03:02:00 PM
Contents

Document Control  3
Functional Overview  4
    Intended Users/Roles  4
    Frequency  4
    Specific Operational Requirements  5
Technical Overview  6
    Setup and/or Maintenance  14
Process Flow  15
Define PeopleSoft Objects  16
    Project  16
    PeopleCode  16
Approved Decision/Approach  17
Open and Closed Issues for this Deliverable  18
    Open Issues  18
    Closed Issues  18

Document Control

Change Record

Date        Name             PRISM Issue #   Description of Change
29-Apr-08   Teresa Wimmer                    Defined Functional Requirement: Use NetBadge for user authentication and take advantage of single sign-on. Use sha1 hashing to pass credentials from NetBadge to PeopleSoft for authentication.
30-Apr-08   Vinod Moorjani   882             Created the Deliverable specification and added the Technical Section.
07-Apr-08   Teresa Wimmer                    Reviewed the document and made corrections.
09-May-08   Chris Doran                      Reviewed the document and made corrections.
XXX         Steve                            Review …

Functional Overview
Development Type (shade/fill the appropriate box or boxes with black): Online (Page) / Batch Process / Report / Interface / Conversion / Other (View, Query, XML)

General Functional Requirements/Approach


UVa uses NetBadge as a primary system for user authentication and single sign-on to other systems. NetBadge is a
system that was developed by ITC and is currently supported by ITC. SSP would like to use NetBadge for
authenticating the Self-Service Enterprise Portal (PeopleSoft) users. Once the Self-Service user is authenticated
against the NetBadge system, the user should be transferred to Enterprise Portal (PeopleSoft) seamlessly and
without being asked again for log-in credentials. We need to ensure that we use a secured method to pass security
credentials and to authenticate users.

Intended Users/Roles

This functionality will be used by all the self-service users including Applicants, Students and Faculty.

Frequency

The use of this functionality is on an everyday basis.

Specific Operational Requirements


Prerequisites:
Users logging in must have a valid Username and Password in both the NetBadge and the Enterprise Portal
(PeopleSoft) systems. The passwords are not required to be the same. In fact, the Enterprise Portal password is
never used, as the primary system for authentication will be NetBadge.

There is a dependency on a UVa custom interface process that provides applicant information to WhoIS. The WhoIS
system creates the Computing ID and sends it back, along with the University ID (Campus ID), to Enterprise Portal.
WhoIS shares the Computing ID (CompID) with NetBadge; in other words, NetBadge uses the same CompID created by WhoIS.

Requirements:
Changes are required on both the PeopleSoft and NetBadge systems; they are described below.

1. Enable single sign-on between NetBadge and PeopleSoft (changes on both systems).
2. Ensure that users are able to authenticate against the NetBadge system and that credentials are passed over the
   internet via a secured method (changes on both systems).
3. Create functionality to track errors and login failures (changes on Enterprise Portal).
4. Disable the Change Password feature in Enterprise Portal. The sign-out button also needs to be modified to end
   the user's NetBadge session (changes on Enterprise Portal).
5. Change the NetBadge log-in page to state that the system is used for Applicants, Students and Faculty as
   well (changes on NetBadge).

Technical Overview

The Enterprise Portal log-in page will contain a new button called 'Login to NetBadge' (subject to change) that will
take a user to a NetBadge authentication page. Upon a successful log-in attempt a NetBadge cookie will be assigned
by the NetBadge Login Application to the user's browser, and the browser will be redirected to the Campus Solutions
default page as the GUEST user. A login entry as GUEST allows the signon PeopleCode to be invoked and to perform
the verification checks it needs before handing over the session to the real user. If the verification checks are met,
the session is handed over from the GUEST user to the real user (Computing ID). If the checks are not met, the log-in
fails and an error is written to a custom table. The security managers will have access through a custom UVa page /
component to view the failed logins and the error message.

In summary: the complete process entails authentication by NetBadge, sending of credentials through a form
method, a pass-through entry into PeopleSoft as GUEST to invoke the Signon PeopleCode, which performs a seamless
re-authentication of the credentials passed, and a collection process for all the failed log-ins.

A step-by-step flow of these events is explained in the Process Flow section of this document.

Technical Requirement Details


Create a PeopleSoft user "GUEST"
navigation: PeopleTools > Security > User Profiles

This user ID only requires permission to log into the Enterprise Portal / Campus Solutions application. It is
recommended to create a long and difficult-to-guess password.

Turn On Bypass / Pass-Through Log-in Functionality
navigation: PeopleTools > Web Profile > Web Profile Configuration

Create a Web Profile, or if one already exists ('DEV') ensure that "Allow Public Access" is checked with the user
('GUEST') you just created. After NetBadge authenticates a user and redirects the user's browser to a direct access
page (default page http://c2cd1.admin.virginia.edu:8240/psp/epdev/EMPLOYEE/EMPL/h/?tab=DEFAULT), the GUEST
user account is used. However, the connection is only temporary, to initiate a secure connection to the application
server. The application server then determines the real user using the signon PeopleCode.

Create Algorithm Chain
navigation: PeopleTools > Security > Encryption > Algorithm Chain

Use the delivered sha1_generate Algorithm ID or Keyset (hashing / encryption method) in the algorithm chain. A
Hex encode is used right after sha1_generate to ensure that the digest (digital signature) created using this algorithm
chain will match what is sent over by NetBadge.

Create Encryption Profile
navigation: PeopleTools > Security > Encryption > Encryption Profile

Use the Algorithm Chain you created in the previous step. The Encryption Profile created here will be used in the
PeopleCode to create a digest / digital signature.

Develop UV NetBadge-specific Signon PeopleCode
navigation: Through App Designer open the FUNCLIB_LDAP.LDAPAUTH.FieldDefault PeopleCode and add a new
UVa function as described on the next page. The code is documented (in green) to explain what it does.

Signon PeopleCode executes whenever a user signs on to PeopleSoft. When the user signs on through the
NetBadge system, however, the Signon PeopleCode invokes a different function which performs verification checks
to ensure that the credentials passed over the internet and received via the form method have not been tampered
with in any way. The verification process checks the parameters (COMPID, TIMESTAMP, RANDOM and DIGEST)
passed in the form. It ensures that a User Profile matching the COMPID exists in Campus Solutions, that the
credentials are not more than 10 seconds old, and that the DIGEST generated by sha1 hashing in Campus Solutions
matches the DIGEST sent by NetBadge. The Digest created using sha1 hashing uses the following algorithm:

myDigest = sha1(COMPID + TIMESTAMP + SECRET + RANDOM)

The SECRET is never sent over the wire but is known to both the Campus Solutions and the NetBadge systems.

Activate UV NetBadge-specific Signon PeopleCode
navigation: PeopleTools > Security > Security Object > Signon PeopleCode

On the Signon PeopleCode page, set the following parameters:

- Set the Invoke as User ID and Password fields with the PeopleSoft User ID and password of a user who has
  permission to execute PeopleSoft sign-in code. The "VP1" User ID is used in the following example.
- Create a new line by clicking on the '+' button to the far right. Use the same parameters as the record for
  'FUNCLIB_LDAP' except for the 'Function Name' column, which should be set to the new PeopleCode
  function name. In the sample code described above, the PeopleCode function name is 'UV_NetBadge'.
- Enable this new line by checking the Enable box.
- The Exec Auth Fail checkbox must not be checked.
- Click Save.

Create a custom Page to track the log-in failures.

A new record, page and component need to be created to collect information on failed logins. The page can be
used by Security Administrators to track unsecured or unauthorized attempts to connect to the system
and to view the reason for each log-in failure.

The comments field on the page will indicate the nature of the problem and why the user was not able to log in.

Create a link on the Enterprise Portal Log-In page to redirect a user to the NetBadge Log-In page.

Modify the Enterprise Portal page
\\c2cd1\u01\psoft\psenv\EPDEV\webserv\epdev\applications\peoplesoft\PORTAL\WEB-INF\psoftdocs\epdev\signin.html
to include the button 'Login to NetBadge'. The button should redirect self-service users to the NetBadge log-in page.
The URL for NetBadge is: https://www.virginia.edu/ssp/login/login.sucgi

<!-- Begin add for netBadge ras 2008-04-21 -->
<FORM name="netBadgeForm" action="https://www.virginia.edu/ssp/login/login.sucgi?env=<%=psHome%>" method="post">
<P><INPUT name="submit" type="submit" value="Student System Login"></P>
</FORM>
<!-- End add for netBadge ras 2008-04-21 -->

Modify the NetBadge Page

1. To include information about the self-service users who can use the NetBadge log-in to connect to Enterprise
   Portal.
2. To redirect a user to an Enterprise Portal default page after a successful log-in. The URL to redirect to is:
   http://c2cd1.admin.virginia.edu:8240/psp/epdev/EMPLOYEE/EMPL/h/?tab=DEFAULT
   The redirect to the Enterprise Portal site should be based on the environment the request is coming from. So if
   the request comes from EPDEV the redirect should be to the EPDEV site, and if the request comes from EPPRD
   then the redirect should be to EPPRD. This is made workable by sending the "env" value (env=<%=psHome%>)
   in the query string to NetBadge, and by NetBadge reading the query string and redirecting to the appropriate
   site.

Setup and/or Maintenance
Impact on Upgrade (check one): None / Low (e.g., Translate) / Medium (e.g., Reports, Bolt-on) / Significant (e.g., mod to PS delivered objects)

For obvious reasons, we have to ensure that the Signon PeopleCode on the LDAP function library does not get overwritten by
new OnExecute PeopleCode if it gets delivered in a Patch/Fix or a Bundle. If PeopleSoft delivers a new version of
this code, it can be merged with the existing one, or the UVa changes can be applied again to the PeopleCode.

Process Flow

[Flow chart; the numbered steps 1-5 carry the note "Explain 1, 2, 3, 4, 5 - For Steve to describe" in the original. The recoverable box text is:]

Browser: the user clicks the NetBadge log-in button on the Enterprise Portal home page (1).
NetBadge Login Authentication Application (Unix - Blue): Username + Password (2); eServices / CMS (3, 4, 5).
Servlet: the PS servlet receives the HTTP request, which includes the UserID in a form, and connects to the Application Server using the Guest user.
Application Server: authenticates the GUEST connection from the web server and executes the SignOn PeopleCode.
SignOn PeopleCode: performs the verification checks. If the checks are met it hands the session over to the real user, otherwise it signs out the Guest session.
  - Checks not met: Collect Log-in Failures (insert into PS_UV_FAILED_LOGIN table); Guest is signed out.
  - Checks met: Guest hands the session over to the real user. The user's Role/Permission List controls all the navigational links displayed on the launch page.

Define PeopleSoft Objects

Project

Project Name                  Project Description
UV_CC_118_882_DIGITAL_SIGN    UVa Single Signon/Digital Signature

Fields

Field Name            Type   Len   Format   Short Name         Long Name (Label Name)
UV_COMPID             Char   30    Mixed    UVA Comp ID        UVa Computer ID
UV_DIGITAL_SIGN       Char   254   Mixed    UVa Digital Sign   UVa Digital Signature
UV_NB_DIGITAL_SIGN    Char   254   Mixed    NB Digital Sign    NetBadge Digital Signature
UV_NB_TIMESTAMP       Char   18    Mixed    NB Time Stamp      NetBadge Time Stamp
UV_RANDOM             Char   254   Mixed    UVa Random         UVa Random
UV_TIMESTAMP          Char   18    Mixed    UVa Time Stamp     UVa Time Stamp

Database Records

UV_FAILED_LOGIN: UVa Failed NetBadge Logins (New)
Table Type: Table
Table Purpose: Used for collecting failed log-in information and the failed login parameters sent by NetBadge.
Parent Table: None
Query Security: None
Audit Table: None

Field definition columns (A/C, Field Name, Key, List Box, Aud, Default, Req, Edit/Val, Edit/Xlat, Prompt): refer to page shots.

Field Display

Use Display

Edits Display

PeopleCode Display

Pages

UV_FAILED_LOGIN: UVa Failed Logins (New)
Page Type: Page
Page Purpose: <text>
Screen Image: (see page shots)

Field Name           Object Type   Source Table      Source Field   Notes
DTTM_STAMP           DtTm          UV_FAILED_LOGIN
UV_COMPID            Char          UV_FAILED_LOGIN
UV_NB_TIMESTAMP      Char          UV_FAILED_LOGIN
UV_TIMESTAMP         Char          UV_FAILED_LOGIN
UV_FAILED_LOGIN      Char          UV_FAILED_LOGIN
UV_DIGITAL_SIGN      Char          UV_FAILED_LOGIN
COMMENTS254          Char          UV_FAILED_LOGIN

Components

UV_FAILED_LOGIN: (New)
Search Record: <Record Name>
Add Search Record: UV_FAILED_LOGIN
Detail Page: UV_FAILED_LOGIN
Actions: Update-Display
Default Search Action: Update-Display
Default Lookup Type: Basic
Toolbar Actions: Return to List / Next in List / Previous in List
Other Properties: Defaults

Pos   Page Name         Item Name         Item Label          Folder Tab Label    Hid   Def
      UV_FAILED_LOGIN   UV_DIGITAL_SIGN   UVa Failed Logins   UVa Failed Logins

Menus

MAINTAIN_SECURITY: (Modify)

Bar Name   Item Name         Menu Label           Type   Component         Location
Use        UV_FAILED_LOGIN   UVa Login Failures          UV_FAILED_LOGIN

Portal Registry Structure / Definition

Portal Name   Type           Object Name            Description / Notes
EMPLOYEE      Folder         PT_SECURITY
EMPLOYEE      Folder         PT_SECURITY
EMPLOYEE      Content Ref.   UV_FAILED_LOGIN_GBL

PeopleCode

FUNCLIB_LDAP / LDAPAUTH / FieldDefault
Purpose: Enable Single Signon with NetBadge and authenticate using sha1 hashing

/************************************************************************************/
/* Delv ID: 118 Issue: 882 04/30/2008 CompID: vm3m */
/* Enable Single Signon with Netbadge and authenticate using sha1 encryption */
/************************************************************************************/
/* Begin - UVa code */

Function UV_NetBadge()

   /* Get the parameters that are passed in the form */
   &NetBadgeCompID = %Request.GetParameter("compid");
   &NetBadgeRandom = %Request.GetParameter("random");
   &NetBadgeTime = %Request.GetParameter("time");
   &NetBadgeDigitalSignature = Upper(%Request.GetParameter("sha1"));

   /* Ensure that all the parameters are in the form and then execute, else do nothing */
   If All(&NetBadgeCompID) And
         All(&NetBadgeRandom) And
         All(&NetBadgeTime) And
         All(&NetBadgeDigitalSignature) Then

      /* Calculate the epoch time in GMT */
      &UVaTime = String(DateTimeToTimeZone(%Datetime, %ServerTimeZone, "GMT") - DateTime6(1970, 1, 1, 0, 0, 0));

      /* Another method (less reliable in case the servers are moved to a different time zone) */
      rem &UVaTime = String(%Datetime - DateTime6(1970, 1, 1, 0, 0, 0) + 14400);

      /* If the time difference is less than 10 seconds then perform further edits */
      If Abs(Value(&NetBadgeTime) - Value(&UVaTime)) < 10 Then

         SQLExec("select 'Y' from PSOPRDEFN where oprid = :1", &NetBadgeCompID, &UserIDPresent);

         /* Ensure that the UserID (CompID) passed by NetBadge exists in the system */
         If &UserIDPresent = "Y" Then

            /* Invoke encryption. UV_SHA1 is the Encryption Profile defined above. UpdateData passes the text
               to be hashed to the profile, which produces the Digital Signature (digest). */
            &UVaCrypt = CreateObject("Crypt");
            &UVaCrypt.Open("UV_SHA1");
            &UVaCrypt.UpdateData(&NetBadgeCompID | &NetBadgeTime | "This is the SSP shared secret." | &NetBadgeRandom);
            &UVaDigitalSignature = Upper(&UVaCrypt.Result);

            /* If the Digital Signatures match then authenticate the UserID (CompID) */
            If &NetBadgeDigitalSignature = &UVaDigitalSignature Then
               &userID = &NetBadgeCompID;
               SetAuthenticationResult( True, &userID, "", False);
               &authMethod = "UV";
            Else
               &UVaComments = "Digital Signature does not match";
            End-If;

         Else
            &UVaComments = "Operator ID not present in Enterprise Portal : " | &NetBadgeCompID;
         End-If;

      Else
         &UVaComments = "Credentials supplied are older than 10 seconds: " | String(Value(&NetBadgeTime) - Value(&UVaTime));
      End-If;

   End-If;

   /* If any of the previous checks failed, do not authenticate the user and record the log-in failure */
   If All(&UVaComments) Then
      SQLExec("insert into PS_UV_FAILED_LOGIN values (sysdate, :1, :2, :3, :4, :5, :6, :7)", &NetBadgeCompID, &NetBadgeRandom,
         &NetBadgeTime, &UVaTime, &NetBadgeDigitalSignature, &UVaDigitalSignature, &UVaComments);
   End-If;

End-Function;

/* End - UVa code */
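The digest scheme from the "Develop UV NetBadge specific Signon PeopleCode" section and the three checks performed by the UV_NetBadge function above, as an added Python example that is not part of the original specification or of the UVa code: a constructed NetBadge side builds the form parameters, and a verifier applies the same timestamp window, user lookup and digest comparison and returns the comment the PeopleCode would write to PS_UV_FAILED_LOGIN. The shared secret, the user list standing in for PSOPRDEFN, and the non-numeric timestamp guard are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders; the real shared secret and the PSOPRDEFN user list
# are not part of this example.
SHARED_SECRET = "example-shared-secret-placeholder"
KNOWN_OPRIDS = {"abc1d", "xyz9z"}
MAX_SKEW_SECONDS = 10


def make_digest(compid: str, timestamp: str, random_value: str, secret: str) -> str:
    """sha1(COMPID + TIMESTAMP + SECRET + RANDOM), hex-encoded and upper-cased,
    in the same concatenation order the UV_NetBadge PeopleCode uses."""
    material = (compid + timestamp + secret + random_value).encode("utf-8")
    return hashlib.sha1(material).hexdigest().upper()


def netbadge_form_params(compid: str, now: int, secret: str = SHARED_SECRET) -> dict:
    """Constructed NetBadge side: the form fields posted to the PeopleSoft servlet."""
    timestamp = str(now)
    random_value = secrets.token_hex(16)
    return {
        "compid": compid,
        "time": timestamp,
        "random": random_value,
        "sha1": make_digest(compid, timestamp, random_value, secret),
    }


def verify_netbadge_login(params: dict, now: int, known_oprids=KNOWN_OPRIDS,
                          secret: str = SHARED_SECRET):
    """Mirror of the Signon PeopleCode checks. Returns (authenticated_oprid, comment);
    comment is the text the PeopleCode logs to PS_UV_FAILED_LOGIN on failure."""
    required = ("compid", "random", "time", "sha1")
    if any(not params.get(k) for k in required):
        # The PeopleCode does nothing (and logs nothing) when a parameter is missing.
        return None, None
    compid = params["compid"]
    nb_time = params["time"]
    if not nb_time.lstrip("-").isdigit():
        # Added guard (assumption): the PeopleCode relies on Value() here.
        return None, "Credentials supplied have a non-numeric timestamp"
    skew = int(nb_time) - now
    # PeopleCode: Abs(Value(&NetBadgeTime) - Value(&UVaTime)) < 10
    if abs(skew) >= MAX_SKEW_SECONDS:
        return None, f"Credentials supplied are older than 10 seconds: {skew}"
    # PeopleCode: select 'Y' from PSOPRDEFN where oprid = :1
    if compid not in known_oprids:
        return None, f"Operator ID not present in Enterprise Portal : {compid}"
    expected = make_digest(compid, nb_time, params["random"], secret)
    received = params["sha1"].upper()
    # Constant-time comparison; a hardening not in the PeopleCode, which uses plain "=".
    if not hmac.compare_digest(expected, received):
        return None, "Digital Signature does not match"
    return compid, None
```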

Security

MAINTAIN_SECURITY menu was updated to include the new component.

Permission List / Roles

Permission List / Roles   Description / Notes
PTPT1100                  Permission List was updated through registering the Component

Update the PTPT1100 manually to include the component / page security.

Approved Decision/Approach
There were two options we considered:

1. Use the standard delivered method and authenticate users against PeopleSoft.

2. Use NetBadge for authentication and allow single signon.

We chose the second method over the first for the following reasons:

- University policy / security standards.

- Convenience for users not having to log-in to multiple applications.

Open and Closed Issues for this Deliverable

Open Issues

PRISM Issue #   Issue Description

Closed Issues

PRISM Issue #   Issue Description

