Openness and Extending Blackboard Software - Asbed Bedrossian, Otto Khera, USC
Blackboard @ USC
Blackboard has been at USC since 1997.
In the Fall 2009 Semester USC will teach courses on Blackboard version 9.0.
3,600+ Courses
2,400+ Instructors
1,250+ TAs
29,000+ Students
2.5 TB of content, 140GB Oracle 10g database
Originally worked with database authentication, then LDAP authentication,
and since January 2008, Shibboleth-based Single Sign-On (SSO)
authentication.
Current and Potential Benefits of Shibboleth
Single Sign-On across applications, potentially including Web 2.0 /
cloud apps that are part of the standard.
Authentication (that you are you) and Authorization (that you may
access specific resources) designed to meet the needs of educational
institutions.
Data for assessment, accreditation, evaluation.
Institutional equivalent of market open standards for identity
management (OpenID, OAuth, AuthD) and therefore NOT
proprietary.
Long-Term Prospect: Provides an identity management solution for
the institution that can transition users (aka ‘lifelong learners’) to an
individual identity management solution.
Shibboleth @ USC
USC has been a member of the InCommonFederation(.org) since its early
testbed days as InQueue.
USC technologists have been involved with the Shibboleth project for many
years.
Some of our Shibboleth project friends may be online with us right now:
Steven Carmody, IT Architect, Brown University, Internet2 Shibboleth project manager
John Krienke, InCommonFederation Operations Manager
USC has run Shibboleth for campus-wide SSO since 2003.
USC was the earliest adopter of Shibboleth 2.0 and integrated it with
Google Apps @ USC in January 2008 and Blackboard in May 2008.
USC’s SSO umbrella has 80+ Applications
What’s Important about SSO and LMS?
Integrates different Learner-centric spaces into a seamless space
Blackboard
Google Apps
Blogs (Movable Type)
Wikis (Confluence)
Campus Portal (uPortal)
Video Streaming (mediabase)
Library & Electronic Resources (EZ Proxy)
Grading and Roster Systems
Digital Measures
Other LMS (Sakai, Moodle, etc)
Removes the chore of multiple logins
Consolidates the user’s identity and profile
Blackboard and Shibboleth
The InCommonFederation has 114 Higher Ed and Government institutions,
and 41 sponsored corporations as participants.
Blackboard is not a sponsored partner of the InCommon Federation.
USC and many other institutions would like to see Blackboard join the
InCommon Federation and officially support Shibboleth as an enterprise-
wide Authentication and Authorization method for Blackboard.
WebCT and Shibboleth
Blackboard has a WebCT manual describing how to integrate WebCT with
campus SSO systems.
https://behind.blackboard.com/s/faculty/refcenter/docs/details.Bb?DocumentID=2767&pid=12000&rid=5686&dt=
Title page in manual references a “Blackboard Learning System”
Vista Enterprise and Blackboard Learning System, CE Enterprise
Automatic Signon Protocol
Vista (Release 4) and CE (Release 6)
WebCT 8.x supports the same interface
There's a bug in the PHP code included in the appendix
Working version of code, plus additional info, will soon be posted
to: https://spaces.internet2.edu/display/SHIB2/ShibEnabled
Blackboard Shib Resources
Blackboard’s documentation on Shibboleth Integration.
Visit the Shibboleth site
http://shibboleth.internet2.edu/
Visit the Shibboleth Wiki at Internet2
https://spaces.internet2.edu/display/SHIB2/Home
Blackboard-specific page on the wiki:
https://spaces.internet2.edu/display/SHIB2/BlackboardShibProposal
Special Interest Group (SIG) mailing list: InC-Blackboard
Send email to [email protected]
In the body of the email say: sub inc-blackboard FirstName LastName
Colleagues around the country!
Join the community:
Sign the sheet going around
Join the Inc-Blackboard mailing list
Tell Blackboard Inc. that you are interested in integrating your LMS with Shibboleth SSO, that
there is business value in fully supporting Shibboleth as an AuthX method.
Setting up Shibboleth
Find the 500 page "Administrator Manual" for your release of Blackboard
Go to the "Shibboleth Integration" Section and follow those instructions
You need a Shibboleth IDP (not in the scope of this presentation)
Generate a shibboleth*.xml according to your IDP specs
We use https://shibboleth.usc.edu/docs/sp/install/#configure
Add a shibboleth account as admin to Blackboard before restarting
Shibboleth Configuration
apache.conf that Blackboard recommends:
<Location /webapps>
AuthType shibboleth
require affiliation ~ ^member@.+$
require user ~ ^.+$
</Location>
USC uses:
<Location /webapps>
AuthType shibboleth
ShibRequireSession Off
Require shibboleth
</Location>
<Location /webapps/login>
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>
shibboleth2.xml:
<Host name="blackboard.usc.edu">
  <Path name="webapps"
        applicationId="blackboard"
        authType="shibboleth"
        requireSession="false"
        exportAssertion="false" />
</Host>
Timeouts and Sessions
Heavily flawed in Blackboard with or without Shibboleth.
Force Completion checkbox in tests is evil.
shibboleth*.xml: <Sessions... lifetime="4294967295" timeout="10800" ... />
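Added example (not from the presentation or the Shibboleth project): a small Python check that reads the shibboleth2.xml settings shown above and reports which paths use lazy sessions and which session limits exceed a local policy. The wrapping skeleton, the policy limits and the finding names are assumptions; the lifetime on the slide is 2^32-1 seconds, so only the 3-hour inactivity timeout actually bounds a session.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the elements shown on the slides inside a minimal
# skeleton. A production shibboleth2.xml is namespaced and much larger.
SAMPLE = """
<SPConfig>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="blackboard.usc.edu">
        <Path name="webapps" applicationId="blackboard" authType="shibboleth"
              requireSession="false" exportAssertion="false" />
      </Host>
    </RequestMap>
  </RequestMapper>
  <Sessions lifetime="4294967295" timeout="10800" />
</SPConfig>
"""

# Assumed local policy limits in seconds; not values from the presentation.
MAX_LIFETIME = 24 * 3600
MAX_IDLE = 4 * 3600


def _local(tag):
    """Strip an XML namespace so namespaced and bare files both work."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, max_lifetime=MAX_LIFETIME, max_idle=MAX_IDLE):
    """Return sorted (code, subject) findings for session settings."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "Sessions":
            for attr, limit in (("lifetime", max_lifetime), ("timeout", max_idle)):
                raw = el.get(attr)
                if raw is not None and int(raw) > limit:
                    findings.append((attr + "-over-policy", raw))
        elif name == "Host":
            for path in el.iter():
                if _local(path.tag) == "Path" and path.get("requireSession") in ("false", "0"):
                    # The SP will not force a login on this path, so the
                    # application must reject unauthenticated requests itself.
                    findings.append(("lazy-session", f"{el.get('name')}/{path.get('name')}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in audit(SAMPLE):
        print(f"{code}: {subject}")
```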
Logout
By default, logging out of Blackboard doesn't work.
Don't set Persistent Cookies in the Blackboard System Admin
Panel.
Provisioning and Administration
Anyone not in your Shibboleth database can't log in to Blackboard
There is no fail-to-RDBMS option
Add-ons that don't know your IDP format can't log in to Blackboard
Much less of a problem if you protect only /webapps/login (mentioned earlier)
Possible Solution: LDAP Admin Server
Run an extra app server with a secret URL or IP whitelist
Configure it for LDAP or RDBMS auth
Use it for test accounts, building block registration, WebDAV, etc.
Q & A
Asbed Bedrossian <[email protected]>
Director, Enterprise Applications and Operations
Otto Khera <[email protected]>
Director, Center for Scholarly Technology
Eric Hattemer <[email protected]>
Blackboard Administrator