SSL, Single Sign On, and External Authentication
TRANSCRIPT
Presented by Jeff Kelley, April 12, 2005
Opening Slide
• Session Objectives:
– Understand the Blackboard Academic Suite™ security and permissions architecture
– Review options available
• Innovation
– Discover opportunities
• Results/Outcomes
– Improve service to users
– Reduce support costs
Agenda
• Authorization
• Session Management
• Authentication
– Configuration Options
– Single Log-in
– Single Sign-on
[Diagram: the three layers Authorization, Session Management and Authentication sit between User Identity and Resources]
Authorization
• Self Contained in Blackboard®
• GUI Configuration
• Allows the user to perform sets of actions
• Software driven
[Diagram: Authorization. For a User ID, the Blackboard Database is asked “Who are you? What do you want?” and answers with permission to see it and permission to do it.]
System Privileges
course.images.MODIFY
course.settings.MODIFY
course-catalog.CREATE
course-catalog.DELETE
course-catalog.MODIFY
course-catalog.settings.MODIFY
course-categories.VIEW
discussion-board.CREATE
discussion-board.DELETE
discussion-board.MODIFY
discussion-board.VIEW
email-all-instructors.EXECUTE
email-all-students.EXECUTE
email-all-users.EXECUTE
email-support.MODIFY
Authorization and Session Management
• Session Manager maintains ID
• Authorization requests ID
[Diagram: Authorization asks Session Management “Who are you?” and receives the User ID]
Blackboard Session Management
• Session Launch
• Session Cookie/Table
• Timeout
• Stateful Session Management
[Diagram: the browser Cookie carries the Session ID; Blackboard’s session table maps the Session ID to the User ID]
Sessions Across Servers
• Session Affinity
• Cookie-based
• Session Cache
[Diagram: a Load Balancer in front of App1, App2 and App3, which share a File Server and a Database holding the User_ID]
Authentication
• Who are you?
– How do we get the user ID?
• Can we trust you?
– How do we secure the process?
Basic Workflow
[Flowchart]
• User requests a Blackboard page
• Valid session? Yes: go to Authorization. No: go to Authentication
• Authentication success? No: show message. Yes: launch session, then go to Authorization
• Is user authorized? No: show message. Yes: deliver requested page
[Diagram: Authorization / Session Management / Authentication layers]
Authentication Options
• Default
• Single Log-in
– LDAP
• Single Sign-On
– Web Server Delegation
  • Windows (IIS)
  • UNIX (Apache)
  • Shibboleth
– Custom
  • Pass-Through Authentication
Default Blackboard Authentication
• Uses a Challenge/Response Mechanism
• Does not send the password over the network in “clear text” form
• Does not store passwords in “clear text”
• Authentication Properties = RDBMS
Challenge/Response Mechanism
[Sequence diagram between the user’s browser and the Blackboard server]
• User requests login page
• Server sends login page with a challenge
• User enters credentials; the credentials are submitted together with the challenge, hashed with MD5
• Server receives the credentials and uses the challenge to compare the submitted password against the MD5 password stored in the Bb database
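The exchange above, written out as an added example (not Blackboard’s code, and not from the slides). The slides say only that the password is stored as an MD5 hash and that the submission is bound to a challenge; the exact digest construction used here, MD5 over the stored MD5 password concatenated with the challenge, is an assumption, as are the user name and password in the constructed store. The example shows the two properties the slide claims (no clear-text password on the wire or in the database) and the check a reviewer would add: a captured response is useless against a fresh challenge.

```python
import hashlib
import hmac
import secrets

# Constructed server-side store: the password is kept as an MD5 hash, never in
# clear text. Sample account, not a real one.
USER_STORE = {"jkelley": hashlib.md5(b"correct horse").hexdigest()}


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def issue_challenge() -> str:
    """Server step: a fresh random nonce embedded in the login page."""
    return secrets.token_hex(16)


def client_response(password: str, challenge: str) -> str:
    """Browser step (assumed construction): hash the typed password, then hash
    that digest together with the challenge. Only this challenge-bound digest
    is submitted; the clear-text password never leaves the browser."""
    return md5_hex(md5_hex(password) + challenge)


def verify(username: str, challenge: str, response: str) -> bool:
    """Server step: recompute the expected digest from the stored MD5 password
    and the challenge the server issued, then compare in constant time."""
    stored = USER_STORE.get(username)
    if stored is None:
        return False
    expected = md5_hex(stored + challenge)
    return hmac.compare_digest(expected, response)


def login_roundtrip(username: str, password: str):
    """One complete exchange; returns (challenge, response, accepted)."""
    challenge = issue_challenge()
    response = client_response(password, challenge)
    return challenge, response, verify(username, challenge, response)


if __name__ == "__main__":
    ch, resp, ok = login_roundtrip("jkelley", "correct horse")
    print("accepted:", ok)
    # The same response presented against a new challenge is rejected.
    print("replay accepted:", verify("jkelley", issue_challenge(), resp))
```

Two things follow from the construction, and a reviewer in 2005 or today would note both: the server never needs the clear-text password, but under this scheme the stored MD5 value is itself sufficient to produce a valid response, so the database column must be protected as a credential; and MD5 is no longer an acceptable password hash, so a current deployment would pair the challenge with a slow, salted hash and TLS on the login page.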
Single Log-In
[Diagram: Application1, Application2 and Application3 each send username & password to the same Directory Service]
• One Username and Password pair for multiple Applications
Blackboard LDAP Authentication
• Configuration setting “plugs” Blackboard into existing infrastructure and enables Single Login
• Provides for multiple directories and fallback for Blackboard only users
• LDAP v2, but…
[Diagram: the browser reaches Blackboard over HTTPS; Blackboard forwards username & password to the Directory Service over LDAP(S) and receives YES or NO; several Directory Services may be configured]
LDAP Authentication
• Security
• Configuration
• Fallback
[Diagram: Authentication Service/Gateway in front of the Directory Service]
Single Sign-On
[Diagram: one username & password submission serves Application1, Application2 and Application3]
• One Username and Password submission for all applications
Web Server Delegation
• Types
– Apache Mods
– IIS/Active Directory
– Custom
• Reconcile, Create or Deny
• User Registry or Batch_UID
Web Server Delegation
[Diagram: the Web Server authenticates the user and passes the User ID to Blackboard as Remote_User; the Authentication Service/Gateway accepts it and hands the User ID to Session Management]
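The delegation decision described on the two slides above (“Reconcile, Create or Deny”, matched against the “User Registry or Batch_UID”), as an added example that is not Blackboard’s gateway code. The registry class, the field names and the policy keywords are assumptions; the one real detail is the `REMOTE_USER` variable, which a web server that has authenticated the request sets in the CGI/WSGI environment. The example refuses anything that did not arrive that way, including a client-supplied header, which in WSGI would show up as `HTTP_REMOTE_USER` and is never trusted.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    user_id: str    # login name held in the User Registry
    batch_uid: str  # institutional identifier, e.g. from the SIS feed


@dataclass
class UserRegistry:
    """Constructed stand-in for the Blackboard user registry."""
    users: list = field(default_factory=list)

    def find(self, value: str, match_on: str) -> Optional[User]:
        for user in self.users:
            if getattr(user, match_on) == value:
                return user
        return None

    def create(self, remote_user: str) -> User:
        # Auto-provision: the delegated identity becomes both identifiers.
        user = User(user_id=remote_user, batch_uid=remote_user)
        self.users.append(user)
        return user


@dataclass
class Outcome:
    action: str           # "reconcile", "create" or "deny"
    user: Optional[User]  # the account the session will be launched for


def delegated_login(environ: dict, registry: UserRegistry,
                    match_on: str = "user_id", unknown: str = "deny") -> Outcome:
    """Decide what to do with an identity delegated by the web server.

    environ   -- CGI/WSGI environment; only REMOTE_USER is honoured
    match_on  -- "user_id" (User Registry) or "batch_uid" (Batch_UID)
    unknown   -- "create" to auto-provision unknown users, "deny" otherwise
    """
    remote_user = environ.get("REMOTE_USER", "").strip()
    if not remote_user:
        # The web server did not authenticate this request; nothing to trust.
        return Outcome("deny", None)
    user = registry.find(remote_user, match_on)
    if user is not None:
        # Reconcile: the delegated identity maps onto an existing account.
        return Outcome("reconcile", user)
    if unknown == "create":
        return Outcome("create", registry.create(remote_user))
    return Outcome("deny", None)


if __name__ == "__main__":
    # Constructed sample registry and environments.
    reg = UserRegistry([User("jsmith", "1001"), User("alee", "1002")])
    for env in ({"REMOTE_USER": "jsmith"}, {"REMOTE_USER": "1002"},
                {"REMOTE_USER": "newuser"}, {"HTTP_REMOTE_USER": "jsmith"}):
        print(env, "->", delegated_login(env, reg, match_on="batch_uid"
                                         if env.get("REMOTE_USER") == "1002"
                                         else "user_id"))
```

The `unknown="deny"` default is the conservative choice: an identity the web server vouches for but the registry has never seen gets no session until an administrator reconciles it, which keeps a misconfigured delegation (wrong realm, wrong attribute) from silently creating accounts.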
Institutional Single Sign-On
[Diagram: Application1, Application2 and Application3 each sit behind a Web Server that performs the sign-on]
• Web Initial Sign-On
Pass Through Authentication
[Diagram: Application 1 authenticates the user and its Session Manager passes a Context to Blackboard; a Handler on the Blackboard side accepts the Context and Blackboard’s Session Manager establishes the User ID; Application 2 is reached the same way through its own Handler]
• Context
– /webapps/blackboard/launch_external.jsp
– Context Encryption
Log Out
• No workflow is complete without the LOG OUT procedures
• Review Use Cases!!
• Check sessions of all applications
[Diagram: Application1, Application2 and Application3 each hold their own session]
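The stateful session model from the “Blackboard Session Management” slide (session launch, cookie-to-user table, timeout) together with the “Log Out” point that every application’s session has to be ended, as one added example. This is not Blackboard’s session manager; the class, its method names and the timeout value are assumptions, and the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time


class SessionManager:
    """Constructed session table for one application, keyed by the session ID
    that travels in the cookie. The user ID lives only server-side."""

    def __init__(self, name: str, timeout_seconds: int, clock=time.time):
        self.name = name
        self.timeout = timeout_seconds
        self.clock = clock
        self.table = {}  # session_id -> {"user_id": ..., "last_seen": ...}

    def launch(self, user_id: str) -> str:
        """Session Launch: create a random session ID after authentication."""
        session_id = secrets.token_urlsafe(32)
        self.table[session_id] = {"user_id": user_id, "last_seen": self.clock()}
        return session_id

    def resolve(self, session_id: str):
        """Cookie -> User ID lookup; None if unknown or idle past the timeout.
        A successful lookup refreshes the idle timer."""
        record = self.table.get(session_id)
        if record is None:
            return None
        now = self.clock()
        if now - record["last_seen"] > self.timeout:
            del self.table[session_id]  # Timeout: expire and forget it
            return None
        record["last_seen"] = now
        return record["user_id"]

    def end(self, session_id: str) -> bool:
        """Log out of this application only."""
        return self.table.pop(session_id, None) is not None

    def end_all_for_user(self, user_id: str) -> int:
        """End every session this application holds for the user."""
        stale = [sid for sid, rec in self.table.items() if rec["user_id"] == user_id]
        for sid in stale:
            del self.table[sid]
        return len(stale)


def sso_logout(user_id: str, managers) -> dict:
    """The slide's point: a log-out is only complete once the sessions of all
    applications are checked and ended, not just the one the user clicked in."""
    return {m.name: m.end_all_for_user(user_id) for m in managers}


if __name__ == "__main__":
    bb = SessionManager("Blackboard", timeout_seconds=60)
    app2 = SessionManager("Application2", timeout_seconds=60)
    sid = bb.launch("jsmith")
    app2.launch("jsmith")
    print("cookie resolves to:", bb.resolve(sid))
    print("ended per application:", sso_logout("jsmith", [bb, app2]))
    print("cookie after logout:", bb.resolve(sid))
```

With session affinity or a shared session cache (the “Sessions Across Servers” slide), every app server behind the load balancer has to reach the same table, otherwise a cookie issued by App1 is unknown on App2 and the user is bounced back to authentication.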
Closing Slide
• Innovating Together in ‘05:
– Authorization, Session Management, Authentication
– Authentication methods
• Resources Available:
– Blackboard Authentication Manual
– Blackboard Administrators Manual
– Web Initial Sign-on (http://middleware.internet2.edu/webiso/)
• Follow up Contact(s):
– Jeff Kelley, Solutions Engineer [email protected]
• IF YOU ONLY REMEMBER 1 THING:
– Don’t forget to log out!