Integrated database password management and authorization failovers

Some Finalsite installations are "integrated" with another database holding account information that's used not only for logging users into the website, but also for keeping track of class schedules, grades, biographical information, and other data for students, faculty members, and others associated with the school. These databases are called "Student Information Systems" (SIS), and integrating them with the website installation means that IT administrators need only maintain a single database, and that users need only one account to access all of the school's online resources. This can be very efficient for users and site admins, but it does require a somewhat more complex network system. 

A key component of this network is the connection between the website and the SIS that allows them to pass data back and forth. Ordinarily, usernames and passwords (collectively called "credentials") are stored in the SIS database. When a user logs into the site, Finalsite takes the credentials that user types in and checks them against the SIS database to ensure that they match. This process is called "remote authentication," because Finalsite checks a "remote" system (the SIS) to "authenticate" the supplied data. An interruption in the connection between the website and the SIS would mean that user credentials could not be authenticated against the remote system, leaving users unable to log in.

As a backup against that sort of interruption, SIS-integrated Finalsite installations can use a procedure called a "failover" to ensure that site users can still log in if there is any difficulty with the connection between the SIS database and the website. Essentially, the Finalsite database maintains its own separate, secure cache of credentials that can be used if the connection to the SIS is unavailable. (This is exactly how Finalsite works for schools that do not have an SIS integration; the site itself maintains the record of usernames and passwords.) If there is ever a disconnect between the website and the SIS database, a site admin can set the website to "fail over": instead of using the SIS to check user credentials, it uses its own internal repository of usernames and passwords to authenticate users.

There are two aspects involved in configuring the remote authentication failover process: setting up password caching, and establishing the methods of authentication for constituent roles. Password caching simply means that the Finalsite installation maintains a separate record (or "cache") of user login information. The method of authentication describes which record the website looks to when authenticating a site user: the SIS record or the website record. 

Enabling password caching

To set up the failover functionality, password caching must be enabled in the Authorization settings in Integrated Services Manager.

To check if password caching has been configured, open Integrated Services Manager and click the "Authentication" tab at the top of the window.

You'll see the available methods of authentication appear in the left-hand menu; one of them will be "finalsite," and the other(s) will be your school's SIS (in this example, LDAP; other examples might be SeniorSystems, VeraCross, PCR, or something else entirely).

Click on the name of your school's SIS (not "finalsite") to display the settings. Make sure the checkbox marked "Enable Cached Passwords" is selected.

If the checkbox is not selected, contact Finalsite Support to enable it. With this checkbox enabled, your Finalsite installation is set up to maintain a separate record of user credentials that can be used in case the network connection to the SIS database is unavailable. Password caching is optional, but it is the only way Finalsite can ensure continued login ability in the event of a connection problem.

 

Note: Users must have logged into the website at least once in order to take advantage of this failover setup. Users who have never used their credentials to log into the site would not be able to take advantage of the failover in the event of a disrupted network connection to the database.
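
A minimal Python model of the caching and failover behaviour described above, added here as an illustration; it is not Finalsite's code. The class, the "Faculty" role, the sample accounts and the salted PBKDF2 cache format are assumptions made for the example.

```python
import hashlib
import hmac
import os

class SISUnavailable(Exception):
    """The remote SIS could not be reached (distinct from a wrong password)."""
# Constructed sample accounts standing in for the SIS directory.
SIS_USERS = {"asmith": "correct horse", "bjones": "battery staple"}

class FailoverAuth:
    def __init__(self):
        self.sis_up = True   # simulated network link to the SIS
        self.cache = {}      # user -> (salt, password hash); no plaintext is kept
        self.use_sis = {}    # role -> False once an admin fails that role over

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _sis_check(self, user, password):
        if not self.sis_up:
            raise SISUnavailable("cannot reach SIS")
        return SIS_USERS.get(user) == password

    def login(self, user, role, password):
        if self.use_sis.get(role, True):            # normal path: remote authentication
            ok = self._sis_check(user, password)    # an outage raises; no silent fallback
            if ok:                                  # cache only what the SIS accepted
                salt = os.urandom(16)
                self.cache[user] = (salt, self._hash(password, salt))
            return ok
        entry = self.cache.get(user)                # failover path: local cache only
        if entry is None:
            return False                            # never logged in, nothing cached
        salt, digest = entry
        return hmac.compare_digest(digest, self._hash(password, salt))

def demo():
    auth, out = FailoverAuth(), {}
    out["normal"] = auth.login("asmith", "Faculty", "correct horse")
    auth.sis_up = False                             # connection to the SIS drops
    try:
        out["outage"] = auth.login("asmith", "Faculty", "correct horse")
    except SISUnavailable:
        out["outage"] = "unavailable"
    auth.use_sis["Faculty"] = False                 # admin disables SIS auth for the role
    out["cached_user"] = auth.login("asmith", "Faculty", "correct horse")
    out["wrong_password"] = auth.login("asmith", "Faculty", "guess")
    out["never_logged_in"] = auth.login("bjones", "Faculty", "battery staple")
    return out
```

In this model a cached entry reflects the password the SIS last accepted on the website, so a password changed in the SIS during an outage is not known to the cache until the user next logs in through the SIS.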

When the SIS database is not available

If users are experiencing difficulty logging in with the SIS authentication process, it may be necessary to enable the failover and authenticate against the cached passwords.

Testing the SIS connection

Before you switch from authenticating against the SIS database to authenticating against the Finalsite database, it's a good idea to test the network connection to the SIS to ensure that the problem really lies with that connection.

  1. Open Integrated Services Manager and select the "Authorization" tab.

  2. Click on the name of your school's integration database (not "finalsite").

  3. Select the "Test Authentication" button, and enter a valid username and password in the appropriate fields.

  4. If you encounter an error saying that the authorization failed, then you know that there is an issue with the connection to the SIS database. At this point, you can switch to using failover authentication by following the steps below.

    Note: It is recommended that multiple user credentials are tested to rule out a problem with any particular account in the system that is authenticating the user. Typically, when the network connection to the third-party system is down, all users authenticated through that system will not be able to log in. If only a few users cannot log in, it is most likely an issue with their account in the third-party system, rather than with the network connection.

Enabling failover authentication

Once you have tested the SIS authentication and established there's a problem, you'll need to turn off that authentication and turn on the "finalsite" authentication. 

  1. On the Authentications tab, select whichever authentication is failing.

  2. Select "Role Settings" in the upper-right corner.

    You'll be presented with a list of roles that use that authentication.

  3. Click the green checkbox next to the role to disable the authentication and route the users through Finalsite. 

  4. When the issue with the SIS is resolved, go back through the same steps and click the black "X," which should turn to a green checkmark. Everything will be routed back through the enabled authentication.
