blackboard building blocks authentication overview tuesday, june 30, 2015 tom joyce, product...

Blackboard Building Blocks Authentication Overview Thursday, June 23, 2022 Tom Joyce, Product Manager, Platform Architecture & Database

Post on 21-Dec-2015


Page 1: Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database

Blackboard Building Blocks

Authentication Overview

Tuesday, April 18, 2023

Tom Joyce, Product Manager, Platform Architecture & Database

Road Map

Authentication/Security Overview

Release 6 Authentication Options

Custom Authentication

Authentication Demos

Review/Open Discussion

Authentication Concepts

Ensures that you are who you say you are!

Most schemes require the user to present a set of credentials

In the form of a username/password, or others

Referred to as End User Authentication (EUA)

EUA Options in Release 6

EUA Options in Release 6

Blackboard Learning and Community Portal System™ (Release 6) offers several “out of the box” options

One option for all Vls

Set in authentication.properties (file)

EUA Options

Blackboard Default (RDBMS)

LDAP

Webserver Delegation

Passport

Custom

Default Authentication (RDBMS)

Standard with Blackboard Learning System™ (Release 6)

Users are given a form to enter their user id and password

Default Authentication

Customization Options
– Users can customize login page via UI
– Direct Portal Entry

MD5-hashed passwords are stored in the Bb database

Uses a challenge/response mechanism for increased security

Challenge/Response Mechanism

Does not send the password over the network in “clear text” form

Prevents “sniffing” of passwords

Challenge/Response Mechanism

IDC

User requests login page

Server sends login page with challenge

User enters credentials; credentials are submitted with challenge and MD5 encrypted

Server receives credentials, uses challenge to compare the password with the MD5 password stored in the Bb5 database
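
The exchange above, sketched as an added Java example (not Blackboard's code). The page does not give the exact digest formula, so the response is assumed here to be MD5(MD5(password) + challenge); the class, method names and sample account are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class ChallengeResponseDemo {
    // Constructed server state: user id -> MD5 hex of the password, plus unused challenges.
    static final Map<String, String> storedMd5 = new HashMap<>();
    static final Set<String> outstanding = new HashSet<>();

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    static String md5Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    // Server: a fresh random challenge goes out with every login page.
    static String issueChallenge() {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String challenge = hex(nonce);
        outstanding.add(challenge);
        return challenge;
    }

    // Browser: only this digest crosses the network (assumed formula, not from the page).
    static String clientResponse(String password, String challenge) throws Exception {
        return md5Hex(md5Hex(password) + challenge);
    }

    // Server: recompute from the stored MD5 value; a challenge is accepted once only.
    static boolean verify(String user, String challenge, String response) throws Exception {
        boolean fresh = outstanding.remove(challenge);
        String stored = storedMd5.get(user);
        if (!fresh || stored == null) return false;
        byte[] expected = md5Hex(stored + challenge).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, response.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        storedMd5.put("tjoyce", md5Hex("sample-password"));
        String c = issueChallenge();
        String r = clientResponse("sample-password", c);
        System.out.println("valid login accepted: " + verify("tjoyce", c, r));
        System.out.println("replayed response accepted: " + verify("tjoyce", c, r));
    }
}
```

Because the server verifies against the stored MD5 value, that value is itself enough to compute a valid response, so the database and the transport (SSL) still need protecting.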

EUA Option: LDAP

Can configure to go against an external LDAP directory

Standard Bb Login Screen Used

Matches against the user id in the Blackboard database

SSL enabling Blackboard strongly encouraged

EUA Option: Webserver

Authenticates information based on the user passed via HTTP to the authentication module.

Checks for the existence of the “remote-user” variable.

User is reconciled with users already in the Bb Database (more on this later)

Windows—Automatically installs an ISAPI filter to add this information based on the Windows Domain (Windows Integrated)

UNIX—Add-ins for Apache are required

EUA Option: Passport

Requires users to login using a Microsoft Passport

Functionally similar to Webserver auth

User Reconciliation Options

User is received from external system

What to do if user is not found in system

In Release 6:
– Webserver and Passport

Reconciliation Process

The Auth module receives the external credential
– Windows Auth: Windows Domain/User ID (e.g. DC/tjoyce)
– Passport: PUID (Passport Unique ID)

The User Registry is searched for the external credential

If found, then the user is authenticated

Reconciliation Process, Cont’d

If user is not found, depends on user_account setting:
– Reconcile: Present the user with a form
– Create: Create the user based on external ID
– Deny: Do not authenticate the user

User Option: Reconcile

User is presented with a screen and prompted to enter Bb credentials

MUST exist in the Blackboard database!

The external user is associated with that Blackboard user

User Option: Create

User is automatically created in the Blackboard database based on the external credential
– Webserver: webserver-user-xxxx
– Passport: passport-user-xxxx

User or Admin can change personal info

User Option: Deny

User not in User Registry = No access
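
The reconciliation flow from the preceding slides as an added Java sketch, not Blackboard's implementation. The in-memory maps stand in for the Bb database and the User Registry, the enum models the user_account setting, and the four-digit counter used for xxxx is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

public class ReconciliationDemo {
    enum UserAccount { RECONCILE, CREATE, DENY }   // values of the user_account setting

    // Constructed stand-ins: Bb user id -> sample password; external credential -> Bb user id.
    static final Map<String, String> bbUsers = new HashMap<>();
    static final Map<String, String> registry = new HashMap<>();
    static int created = 0;

    // Returns the authenticated Bb user id, or null when access is refused.
    // formUser/formPass model what the user types into the reconcile form.
    static String authenticate(String external, String prefix, UserAccount mode,
                               String formUser, String formPass) {
        String bbUser = registry.get(external);
        if (bbUser != null) return bbUser;             // found in the registry: authenticated
        switch (mode) {
            case RECONCILE:
                // The Bb account MUST already exist and its credentials must match.
                if (formPass == null || !formPass.equals(bbUsers.get(formUser))) return null;
                registry.put(external, formUser);      // associate external user with Bb user
                return formUser;
            case CREATE:
                // Any identity the external system vouches for gets a new account.
                String id = prefix + "-user-" + String.format("%04d", ++created);
                bbUsers.put(id, null);                 // no local password to log in with
                registry.put(external, id);
                return id;
            default:
                return null;                           // DENY: not in registry, no access
        }
    }

    public static void main(String[] args) {
        bbUsers.put("tjoyce", "sample-pass");
        System.out.println(authenticate("DC/tjoyce", "webserver", UserAccount.RECONCILE, "tjoyce", "sample-pass"));
        System.out.println(authenticate("DC/tjoyce", "webserver", UserAccount.DENY, null, null));
        System.out.println(authenticate("DC/newuser", "webserver", UserAccount.CREATE, null, null));
        System.out.println(authenticate("DC/other", "webserver", UserAccount.DENY, null, null));
    }
}
```

The second call succeeds under Deny because the first call already recorded the association; Deny only affects external users with no registry entry.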

Reconciliation Option Pitfalls

Info is stored in the User Registry

Not accessible by Snapshot or UI.

Non-Public methods exist to get the data via the Java API

May be addressed in 6.2

EUA Option: Custom

Authentication API

Java

API is part of B2 program

B2 Developers should use this for custom authentication modules

Authentication API (HttpAuthModule)

void init(ConfigurationService cfg);

boolean isAuthenticated(HttpServletRequest request) throws BbSecurityException;

String doAuthenticate(HttpServletRequest request, HttpServletResponse response);

void doLogout(HttpServletRequest request, HttpServletResponse response);

void requestAuthenticate(HttpServletRequest request, HttpServletResponse response);

public String getAuthType();

public String[] getPropKeys();

public void setConfig( HttpAuthConfig config );

API Details

void init(ConfigurationService cfg)
– Called upon Tomcat initialization

public String getAuthType();
– Must return a String (e.g., “customauth”)

public String[] getPropKeys();
– Return an array of properties for this authentication
– At a minimum, “impl” should be returned here to specify the class name of the custom module

API Details (cont’d)

public void setConfig( HttpAuthConfig config );
– Handle to the configuration properties for the authentication

void requestAuthenticate (HttpServletRequest request, HttpServletResponse response)
– Called when Blackboard requires authentication
– Can set this to a web page, login form, or do nothing.

API Details (cont’d)

String doAuthenticate (HttpServletRequest request, HttpServletResponse response)
– Does the implementation-specific work of authenticating the user
– Return the user id if successful, null if not (can also throw a BbSecurityException)

API Details (cont’d)

boolean isAuthenticated (HttpServletRequest request) throws BbSecurityException;
– This is deprecated; can return true here

Caveat: As of 6.0.10, you MUST subclass BaseAuthenticationModule!
– This has been identified as a bug and will be fixed in a future release

Authentication Configuration

2 Files:
– bb-config.properties
– authentication.properties

Run PushConfigUpdates after changing any values

Load Balanced Systems

Config File: bb-config.properties

bbconfig.auth.type=
– rdbms, ldap, webserver, passport, or “custom”

Config File: authentication.properties

Entries in the form:
– auth.type.<auth type>.<property name>=<property value>

Example:
– auth.type.rdbms.use_challenge=true
– auth.type.ldap.error_fallback_to_bb=false

Demo: Custom Auth

Code CustomAuthModule.java
– Implement HttpAuthModule.java
– MUST subclass BaseAuthenticationModule (this is a bug)
– Build jar, move jar to Tomcat lib/apps (windows)
– Edit authentication.properties, bb-config.properties
– Restart Tomcat

Summary

Several Different Authentication Options are available for Release 6

B2 Developers can develop Custom Authentication modules

Numerous Possibilities exist for custom authentication modules (SSO, Kerberos, etc.)

Q&A/Open Discussion

Tom Joyce, Product Manager, Platform, Architecture and Database

BBDN

Thank You

Demos to Follow >