View
220
Download
2
Tags:
Embed Size (px)
Citation preview
Blackboard Building Blocks
Authentication Overview
Tuesday, April 18, 2023
Tom Joyce, Product Manager, Platform Architecture & Database
Road Map
Authentication/Security OverviewRelease 6 Authentication OptionsCustom AuthenticationAuthentication DemosReview/Open Discussion
Authentication Concepts
Ensures that you are who you say you are!Most schemes require the user to present
a set of credentialsIn the form of a username/password, or
others Referred to as End User Authentication
(EUA)
EUA Options in Release 6
EUA Options in Release 6
Blackboard Learning and Community Portal System™ (Release 6) offers several options “out of the box” solutions
One option for all VlsSet in authentication.
Properties (file)
EUA Options
Blackboard Default (RDBMS)
LDAPWebserver
DelegationPassportCustom
Default Authentication (RDBMS)
Standard with Blackboard Learning System™(Release 6)
Form to enter in their user id and password
Default Authentication
Customization Options– Users can customize login page via UI– Direct Portal Entry
MD5 Passwords are stored in Bb Database
Uses a challenge/response mechanism for increased security
Challenge/Response Mechanism
Does not send the password over the network in “clear text” form
Prevents “sniffing” of passwords
Challenge/Response Mechanism
IDC
User Requests Login Page
Server sends login page with
Challenge
User Enters Credentials;Credentials are
submitted with Challenge and MD5 Encrypted
Server receives credentials, uses
challenge to compare the password with the MD5 password stored in the Bb5 database
EUA Option: LDAP
Can configure to go against an external LDAP directory
Standard Bb Login Screen UsedMatches against the user id in the
Blackboard databaseSSL enabling Blackboard strongly
encouraged
EUA Option:Webserver
Authenticates information based on the user passed via HTTP to the authentication module.
Checks for the existence of the “remote-user” variable.
User is reconciled with users already in the Bb Database (more on this later)
Windows—Automatically installs an ISAPI filter to add this information based on the Windows Domain (Windows Integrated)
UNIX—Add-ins for Apache are required
EUA Option: Passport
Requires users to login using a Microsoft Passport
Functionally similar to Webserver auth
User Reconciliation Options
User is received from external system
What to do if user is not found in system
In Release 6:– Webserver and
Passport
Reconciliation Process
The Auth module receives the external credential– Windows Auth: Windows Domain/User ID
(e.g. DC/tjoyce)– Passport: PUID (Passport Unique ID)
The User Registry is searched for the external credential
If found, then the user is authenticated
Reconciliation Process, Cont’d
If user is not found, depends on user_account setting:– Reconcile: Present the user with a form– Create: Create the user based on external ID– Deny: Do not authenticate the user
User Option: Reconcile
User is presented with a screen and prompted to enter in Bb Credentials
MUST exist in the Blackboard database!The external user is associated with that
Blackboard user
User Option: Create
User is automatically created in the Blackboard database based on the external credential– Webserver: webserver-user-xxxx– Passport: passport-user-xxxx
User or Admin can change personal info
User Option: Deny
User not in User Registry = No access
Reconciliation Option Pitfalls
Info is stored in the User RegistryNot accessible by Snapshot or UI.Non-Public methods exist to get the data
via the Java APIMay be addressed in 6.2
EUA Option: Custom
Authentication APIJavaAPI is part of B2 programB2 Developers should use this for custom
authentication modules
Authentication API (HttpAuthModule)
void init(ConfigurationService cfg) boolean isAuthenticated(HttpServletRequest request)
throws BbSecurityException; String doAuthenticate(HttpServletRequest request,
HttpServletResponse response) void doLogout(HttpServletRequest request,
HttpServletResponse response) void requestAuthenticate(HttpServletRequest request,
HttpServletResponse response) public String getAuthType(); public String[] getPropKeys(); public void setConfig( HttpAuthConfig config );
API Details
void init(ConfigurationService cfg)– Called upon Tomcat initialization
public String getAuthType();– Must return a String (i.e., “customauth”)
public String[] getPropKeys();– Return an array of properties for this authentication– At a minimum, “impl” should be returned here to
specify the class name of the custom module
API Details (cont’d)
public void setConfig( HttpAuthConfig config );– Handle to the configuration properties for the
autentication
void requestAuthenticate (HttpServletRequest request, HttpServletResponse response)– Called when Blackboard requires authentication– Can set this to a web page, login form, or do nothing.
API Details (cont’d)
String doAuthenticate (HttpServletRequest request, HttpServletResponse response)– Does the implementation-specific work of
authenticating the user– Return the user id if successful, null if not (can
also throw a BbSecurityException)
API Details (cont’d)
boolean isAuthenticated (HttpServletRequest request) throws BbSecurityException;– This is deprecated; can return true here
Caveat: As of 6.0.10, you MUST subclass BaseAuthenticationModule!– This has been identified as a bug and will
be fixed in a future release
Authentication Configuration
2 Files:– bb-config.properties– authentication.properties
Run PushConfigUpdates after changing any values
Load Balanced Systems
Config File: bb-config.properties
bbconfig.auth.type=– rdbms, ldap, webserver, passport, or “custom”
Config File: authentication.properties
Entries in the form:– auth.type.<auth type>.<property
name>=<property value>
Example:– auth.type.rdbms.use_challenge=true– auth.type.ldap.error_fallback_to_bb=false
Demo: Custom Auth
Code CustomAuthModule.java– Implement HttpAuthModule.java– MUST subclass BaseAuthenticationModule
(this is a bug)– Build jar, move jar to Tomcat lib/apps
(windows)– Edit authentication.properties, bb-
config.properties– Restart Tomcat
Summary
Several Different Authentication Options are available for Release 6
B2 Developers can develop Custom Authentication modules
Numerous Possibilities exist for custom authentication modules (SSO, Kerberos, etc.)
Q&A/Open Discussion
Tom Joyce, Product Manager, Platform, Architecture and Database
BBDN
Thank You
Demos to Follow >