Using Banner as a auth store for Portalgard

Michael Ghens

One of the biggest questions question with PortalGuard is what to use for the authentication store. Easiest for me would have been either the Luminis OpenDJ or Microsoft Active Directory. One of the things to consider is the flow. At the college that I work at, Banner is considered the gold standard. What this means is that if there is any conflict, Banner wins.

In spite of efforts to keep data clean, it is difficult not to have many data stores. Just to name a few, we deal with Banner, Active Directory, Luminis 5 and Canvas. This is is not all-inclusive. Keeping them in sync is not always straightforward as one wants.

Also, one goal is to allow people to log in directly to Banner Self Service without single sign in. Currently, we are not using LDAP but the third party table GOBTPAC. The PIN is an SSHA1 hash, and the HASH value is also on the table. I used this kludgy python script to prove that the workings of the hash in Banner were what I thought it was.

#!/usr/bin/env python import hashlib import secrets import sys """ This method generates the sha1 hex of the password+salt. """ def gen_digested_password(pw,salt=secrets.token_hex(4).upper()): print (salt.encode()) print (len(salt.encode())) print (sys.getsizeof(salt.encode())) return (hashlib.sha1(pw.encode() + salt.encode()).hexdigest() + ':' + salt).upper() """ This method decodes a ssha-encoded password string, returning the digest and salt """ def decode_ssha_password(ssha_password): decoded = base64.b64decode(ssha_password.replace("{SSHA}","")) digest = decoded[0:40] salt = decoded[40:] return digest,salt print(gen_digested_password('helloworld','ZZDK05NS'))

I created a view that only had the gobtpac_pidm, gobtpac_external_user, gobtpac_pin, gobtpac_hash. This allowed me to authenticate against banner.

Changing the password is not too hard. Portalguard will permit you to connect to an Oracle stored procedure. Banner has an API to change passwords in the GOBTPAC third party table.

GRANT EXECUTE ON gb_third_party_access TO portalguard; / create or replace PROCEDURE GZP_UPDATE_PW ( USERNAME IN VARCHAR2 , PASSWD IN VARCHAR2 ) AS l_pidm NUMBER(8); BEGIN /* Procedure for portalguard to call to change password in banner. */ select gobtpac_pidm into l_pidm from gobtpac where gobtpac_external_user = USERNAME; --EXCEPTION WHEN NO_DATA_FOUND THEN RAISE; baninst1.gb_third_party_access.p_update(l_pidm,p_pin => PASSWD); END GZP_UPDATE_PW;

This post is not complete. I will update it Monday or Tuesday.

Comments