Blackboard Building Blocks

Blackboard Building Blocks: Authentication Overview. Tom Joyce, Product Manager, Platform Architecture & Database. Saturday, June 7, 2014. Road Map: Authentication/Security Overview • Release 6 Authentication Options • Custom Authentication • Authentication Demos • Review/Open Discussion.

Presentation Transcript


  1. Blackboard Building Blocks Authentication Overview Tom Joyce, Product Manager, Platform Architecture & Database Saturday, June 7, 2014

  2. Road Map • Authentication/Security Overview • Release 6 Authentication Options • Custom Authentication • Authentication Demos • Review/Open Discussion

  3. Authentication Concepts • Ensures that you are who you say you are! • Most schemes require the user to present a set of credentials • In the form of a username/password, or others • Referred to as End User Authentication (EUA)

  4. EUA Options in Release 6

  5. EUA Options in Release 6 • Blackboard Learning and Community Portal System™ (Release 6) offers several “out of the box” solutions • One option for all VIs • Set in authentication.properties (file)

  6. EUA Options • Blackboard Default (RDBMS) • LDAP • Webserver Delegation • Passport • Custom

  7. Default Authentication (RDBMS) • Standard with Blackboard Learning System™ (Release 6) • Users enter their user ID and password in a form

  8. Default Authentication • Customization Options • Users can customize login page via UI • Direct Portal Entry • MD5 Passwords are stored in Bb Database • Uses a challenge/response mechanism for increased security

  9. Challenge/Response Mechanism • Does not send the password over the network in “clear text” form • Prevents “sniffing” of passwords

  10. Challenge/Response Mechanism • User requests login page • Server sends login page with challenge • User enters credentials; credentials are submitted with challenge and MD5 encrypted • Server receives credentials, uses challenge to compare the password with the MD5 password stored in the Bb5 database

  11. EUA Option: LDAP • Can be configured to go against an external LDAP directory • Standard Bb login screen is used • Matches against the user ID in the Blackboard database • SSL-enabling Blackboard is strongly encouraged

  12. EUA Option: Webserver • Authenticates information based on the user passed via HTTP to the authentication module. • Checks for the existence of the “remote-user” variable. • User is reconciled with users already in the Bb Database (more on this later) • Windows: Automatically installs an ISAPI filter to add this information based on the Windows Domain (Windows Integrated) • UNIX: Add-ins for Apache are required

  13. EUA Option: Passport • Requires users to log in using a Microsoft Passport • Functionally similar to Webserver auth

  14. User Reconciliation Options • User is received from external system • What to do if user is not found in system • In Release 6: • Webserver and Passport

  15. Reconciliation Process • The Auth module receives the external credential • Windows Auth: Windows Domain/User ID (e.g. DC/tjoyce) • Passport: PUID (Passport Unique ID) • The User Registry is searched for the external credential • If found, then the user is authenticated

  16. Reconciliation Process, Cont’d • If user is not found, depends on user_account setting: • Reconcile: Present the user with a form • Create: Create the user based on external ID • Deny: Do not authenticate the user

  17. User Option: Reconcile • User is presented with a screen and prompted to enter in Bb Credentials • MUST exist in the Blackboard database! • The external user is associated with that Blackboard user

  18. User Option: Create • User is automatically created in the Blackboard database based on the external credential • Webserver: webserver-user-xxxx • Passport: passport-user-xxxx • User or Admin can change personal info

  19. User Option: Deny • User not in User Registry = No access

  20. Reconciliation Option Pitfalls • Info is stored in the User Registry • Not accessible by Snapshot or UI. • Non-Public methods exist to get the data via the Java API • May be addressed in 6.2

  21. EUA Option: Custom • Authentication API • Java • API is part of B2 program • B2 Developers should use this for custom authentication modules

  22. Authentication API (HttpAuthModule) • void init(ConfigurationService cfg) • boolean isAuthenticated(HttpServletRequest request) throws BbSecurityException; • String doAuthenticate(HttpServletRequest request, HttpServletResponse response) • void doLogout(HttpServletRequest request, HttpServletResponse response) • void requestAuthenticate(HttpServletRequest request, HttpServletResponse response) • public String getAuthType(); • public String[] getPropKeys(); • public void setConfig( HttpAuthConfig config );

  23. API Details • void init(ConfigurationService cfg) • Called upon Tomcat initialization • public String getAuthType(); • Must return a String (i.e., “customauth”) • public String[] getPropKeys(); • Return an array of properties for this authentication • At a minimum, “impl” should be returned here to specify the class name of the custom module

  24. API Details (cont’d) • public void setConfig( HttpAuthConfig config ); • Handle to the configuration properties for the authentication • void requestAuthenticate (HttpServletRequest request, HttpServletResponse response) • Called when Blackboard requires authentication • Can set this to a web page, login form, or do nothing.

  25. API Details (cont’d) • String doAuthenticate (HttpServletRequest request, HttpServletResponse response) • Does the implementation-specific work of authenticating the user • Return the user id if successful, null if not (can also throw a BbSecurityException)

  26. API Details (cont’d) • boolean isAuthenticated (HttpServletRequest request) throws BbSecurityException; • This is deprecated; can return true here • Caveat: As of 6.0.10, you MUST subclass BaseAuthenticationModule! • This has been identified as a bug and will be fixed in a future release

  27. Authentication Configuration • 2 Files: • bb-config.properties • authentication.properties • Run PushConfigUpdates after changing any values • Load Balanced Systems

  28. Config File: bb-config.properties • bbconfig.auth.type= • rdbms, ldap, webserver, passport, or “custom”

  29. Config File: authentication.properties • Entries in the form: • auth.type.<auth type>.<property name>=<property value> • Example: • auth.type.rdbms.use_challenge=true • auth.type.ldap.error_fallback_to_bb=false

  30. Demo: Custom Auth • Code CustomAuthModule.java • Implement HttpAuthModule.java • MUST subclass BaseAuthenticationModule (this is a bug) • Build jar, move jar to Tomcat lib/apps (Windows) • Edit authentication.properties, bb-config.properties • Restart Tomcat

  31. Summary • Several Different Authentication Options are available for Release 6 • B2 Developers can develop Custom Authentication modules • Numerous Possibilities exist for custom authentication modules (SSO, Kerberos, etc.)

  32. Q&A/Open Discussion • Tom Joyce, Product Manager, Platform, Architecture and Database • BBDN

  33. Thank You • Demos to Follow
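
The challenge/response exchange from slides 9 and 10, as an added example that is not part of the original presentation or Blackboard's code. The response formula MD5(challenge + MD5(password)), the class and method names, and the sample password are assumptions made for illustration; the slides do not give the exact construction. Requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.Set;

// Added illustration; response = MD5(challenge + MD5(password)) is an assumed construction.
public class ChallengeResponseDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Set<String> OUTSTANDING = new HashSet<>(); // issued, not yet used

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    // Server: put a fresh random challenge into the login page.
    static String issueChallenge() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        String c = HexFormat.of().formatHex(b);
        OUTSTANDING.add(c);
        return c;
    }

    // Browser: only this digest crosses the network, never the password itself.
    static String clientResponse(String password, String challenge) throws Exception {
        return md5Hex(challenge + md5Hex(password));
    }

    // Server: recompute from the stored MD5 value; each challenge is accepted once.
    static boolean verify(String storedMd5, String challenge, String response) throws Exception {
        if (!OUTSTANDING.remove(challenge)) return false;   // unknown or already used
        byte[] expected = md5Hex(challenge + storedMd5).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, response.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String stored = md5Hex("s3cret-example");   // constructed sample, as held in the user table
        String c1 = issueChallenge();
        String r1 = clientResponse("s3cret-example", c1);
        System.out.println("valid login:                 " + verify(stored, c1, r1));
        System.out.println("same message sent again:     " + verify(stored, c1, r1));
        System.out.println("old response, new challenge: " + verify(stored, issueChallenge(), r1));
        String c2 = issueChallenge();
        System.out.println("wrong password:              " + verify(stored, c2, clientResponse("guess", c2)));
    }
}
```

In this construction the stored MD5 value is all a client needs to answer a challenge, so it has to be protected like the password itself, and the exchange covers only the password field, not the rest of the session, which is why SSL is still encouraged.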
