Learning Management Systems Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.




Learning Management Systems

Define the courses to be offered and with whom. Work with the provider access group(s) to define requirements for:
1. Administrative and legal issues
2. Policy
3. Security
4. Monetary reimbursement considerations
5. Document retention
6. Technical implementation and user support
7. Document any implementation issues and readdress them with the access group(s)


Things are moving Fast

Burton Group quote from Vantage Security Magazine, Spring 2004:

“The Burton Group estimates that about 100 federation projects have been launched throughout the corporate world, with thousands of others actively investigating it for their firms.”


Learning Management Systems: Current Process for Identity Provider

Join a federation common to the Resource Provider! Work out any bilateral agreements as needed.
ASSUMES items 1-6 of the requirements slide are done!
Test support mechanisms.
Supply a list of EPPNs to the Resource Provider for population into the Bb course (can be done in bulk), or activate auto-provisioning.
Agree on the assertion exchange for authZ and provision in the local directory.
COURSE BEGINS
Agree on the de-provisioning method and data management after the course is completed.


Learning Management Systems: Current Process for Resource Provider

Join a federation common to the Authentication (Identity) Provider. Work out any bilateral agreements as needed.
ASSUMES items 1-6 of the requirements slide are done!
Test support mechanisms.
Define the AAP (Attribute Acceptance Policy) for Identity Provider access using the agreed-upon attribute assertion(s).
Provision the Bb database.
COURSE BEGINS
Provide the Identity Provider with post-course data as required.
Complete records retention as defined.


Blackboard Learning Management System

Requirements
• Shib 1.0 or greater*
• Blackboard 6.0.11 or higher

Support
• Shibboleth will be fully supported as a custom authentication option in Bb (currently in a limited Alpha release)

Disclaimer
• Limited support, tested only on Red Hat Linux and Sun Solaris implementations


Connection Details: UTHSC Implementation

• A user connecting to {shib(Bb)} is redirected to the WAYF as expected
• The resource requires eppn and eduPersonEntitlement
• If the AA assertions are accepted, the Bb remote user is populated with eppn
• BbShibbolethAuthModule gets the remote user and creates the user object in BbLS
  – Can be extended via the “Bb Advanced Data and Authentication Manual”
  – See next slide
• Bb can create the user account in the DB on login (User Account Generation on Gateway: Enable) or it can be created a priori
• Currently, the course admin must add the user to the respective courses manually or in a batch process *

* This assumes a particular database management model
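The slide above describes the Service Provider side of the UTHSC setup: the resource requires eppn and eduPersonEntitlement, only assertions that survive the Attribute Acceptance Policy are used, the surviving eppn becomes the Bb remote user, and the account can be generated on first login. The following is an added example that models that decision logic; it is not code from the UTHSC deployment, from Shibboleth or from Blackboard, and the IdP identifiers, scopes and entitlement value are constructed for the example. The point it adds is the scope check: eppn is a scoped attribute, so the AAP must only accept scopes the asserting IdP actually owns, otherwise a partner IdP could hand Bb a principal name in another institution's scope.

```python
"""SP-side attribute acceptance and Blackboard user mapping.

Added example, not code from the UTHSC deployment, Shibboleth or Blackboard.
It models what the slide describes: the Bb resource requires eppn and
eduPersonEntitlement; only attribute values that survive the Attribute
Acceptance Policy (AAP) are used; the surviving eppn becomes REMOTE_USER;
and the Bb account is generated on first login when auto-generation is on.
The IdP identifiers, scopes and entitlement value below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"

# Constructed AAP. eppn is scoped: an IdP may only assert the scope(s) it
# owns, so a partner IdP cannot assert a principal in another university's
# scope. eduPersonEntitlement is accepted only for the value Bb authorizes on.
AAP = {
    EPPN: {
        "scoped": True,
        "allowed_scopes": {
            "urn:mace:example:idp:hu": {"hu.example.edu"},
            "urn:mace:example:idp:uthsc": {"uth.tmc.edu"},
        },
    },
    ENTITLEMENT: {
        "scoped": False,
        "allowed_values": {"urn:mace:example:entitlement:bb-course-access"},
    },
}


@dataclass
class Decision:
    remote_user: Optional[str]              # what Bb sees as REMOTE_USER
    create_account: bool = False            # "User Account Generation on Gateway: Enable"
    accepted: Dict[str, List[str]] = field(default_factory=dict)
    rejected: List[Tuple[str, str]] = field(default_factory=list)


def apply_aap(idp: str, asserted: Dict[str, List[str]]):
    """Filter attributes asserted by `idp` (name -> values) through the AAP."""
    accepted: Dict[str, List[str]] = {}
    rejected: List[Tuple[str, str]] = []
    for name, values in asserted.items():
        rule = AAP.get(name)
        if rule is None:                    # attribute with no rule is dropped
            rejected.append((name, "no AAP rule"))
            continue
        kept = []
        for value in values:
            if rule["scoped"]:
                user, sep, scope = value.rpartition("@")
                owned = rule["allowed_scopes"].get(idp, set())
                if not sep or not user or scope not in owned:
                    rejected.append((value, f"scope not owned by {idp}"))
                    continue
            elif value not in rule["allowed_values"]:
                rejected.append((value, "value not accepted"))
                continue
            kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted, rejected


def authorize_for_bb(idp, asserted, existing_users, auto_generate=True) -> Decision:
    """Decide whether the login reaches Bb and with which REMOTE_USER."""
    accepted, rejected = apply_aap(idp, asserted)
    eppns = accepted.get(EPPN, [])
    if len(eppns) != 1 or ENTITLEMENT not in accepted:
        # no usable principal name, an ambiguous one, or no entitlement: deny
        return Decision(None, False, accepted, rejected)
    eppn = eppns[0]
    if eppn in existing_users:
        return Decision(eppn, False, accepted, rejected)
    if not auto_generate:
        # the account had to be created a priori and was not: deny
        return Decision(None, False, accepted, rejected)
    return Decision(eppn, True, accepted, rejected)


if __name__ == "__main__":
    hu = "urn:mace:example:idp:hu"
    ent = "urn:mace:example:entitlement:bb-course-access"
    ok = authorize_for_bb(hu, {EPPN: ["alice@hu.example.edu"], ENTITLEMENT: [ent]}, set())
    print(ok.remote_user, ok.create_account)
    spoof = authorize_for_bb(hu, {EPPN: ["dean@uth.tmc.edu"], ENTITLEMENT: [ent]}, set())
    print(spoof.remote_user, spoof.rejected)
```

In the second call the HU IdP asserts a principal in the uth.tmc.edu scope; the AAP drops that value, no eppn survives, and the login is denied even though the entitlement was acceptable.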


Yet to be done? (Updated)

Standardization on the value used to populate the remote user
• DONE! EPPN

A way to mix local and Shib users by redirection at the portal, by user choice or by failover to Shib
• DONE! http://bb.uth.tmc.edu


Ongoing Work

• Standardized course attributes in LDAP (see the MACE Course ID work)
• Shibboleth-protected portals (EZproxy coming soon)
• Non-web-based Shibboleth-protected resources (Penn State LionShare, Napster, ShibIM)
• RBAC (see MACE-Dir Grouper)
• Just-in-time provisioning using asserted courseid attributes from the identity provider, and the eduPersonEntitlement discussions


Shibboleth and Blackboard

[Diagram: message flow between the Browser, the Federation WAYF service (InCommon), the Home University (Identity Provider) and the Resource Provider (Service Provider).]

Home University (Identity Provider): Authentication System (ISO/SSO/Cert), Handle Service, Attribute Authority, RBAC Authorization System - LDAP (eduPerson)
Resource Provider (Service Provider): Resource Manager, ACS, AR, Attribute Acceptance Policy, Sites.xml
Federation: WAYF service (InCommon)

1. I would like access?
2. Can you authenticate via my WAYF?
3. Where are you from?
4. I am from HU, logged in?
5. Authenticate me to HU
6. AuthN ok, send handle X to Resource Provider
7. Need eppn & eduPersonEntitlement for X?
8. Link handle X to user and look up attributes
9. Attributes found and released
10. If the ARP allows, attributes are sent to the Resource. If the attributes are sufficient, access is granted by the Resource Manager on the Resource Provider.
11. Logged onto Bb (Bb remoteuser = eppn, auto account generation = on)
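Steps 5 through 10 of the diagram are the part of the flow with no user interaction: the Handle Service mints an opaque handle after local authentication, the Resource Provider's Attribute Requester presents that handle to the Attribute Authority, and the AA links it back to the user, reads the eduPerson directory and releases only what the ARP permits. The following is an added example that models those steps in one process; it is not Shibboleth code and not the UTHSC deployment. The entity identifiers, directory entries and ARP are constructed, and binding the handle to the provider it was issued for and giving it a short lifetime are choices made for this model, not a description of the Shibboleth 1.x implementation.

```python
"""Steps 5-10 of the slide's Shibboleth flow, modelled in one process.

Added example; not Shibboleth code and not the UTHSC deployment. The Home
University (HU) side has a Handle Service that mints an opaque handle after
local authentication and an Attribute Authority that resolves the handle,
looks the user up in an eduPerson directory and filters the result through
an Attribute Release Policy (ARP). The Resource Provider side is the
Attribute Requester asking for eppn and eduPersonEntitlement. Entity
identifiers, directory entries and the ARP are constructed; binding the
handle to the requesting provider and giving it a lifetime are choices
made for this model.
"""
import secrets
import time

EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"

BB_SP = "urn:mace:example:sp:bb.uth.tmc.edu"       # constructed provider id
OTHER_SP = "urn:mace:example:sp:library"           # constructed provider id
HANDLE_TTL_SECONDS = 300

# Constructed eduPerson directory at HU; step 8 looks principals up here.
DIRECTORY = {
    "alice": {EPPN: ["alice@hu.example.edu"],
              ENTITLEMENT: ["urn:mace:example:entitlement:bb-course-access"],
              AFFILIATION: ["student"]},
    "bob": {EPPN: ["bob@hu.example.edu"], AFFILIATION: ["staff"]},
}

# Constructed ARP: per resource provider, which attributes HU releases.
# Affiliation is never released to Bb; the library provider gets nothing.
ARP = {BB_SP: {EPPN, ENTITLEMENT}}


class HomeUniversity:
    def __init__(self):
        self._handles = {}   # handle -> (principal, provider, expires_at)

    def handle_service(self, principal, provider, now=None):
        """Step 6: local authN succeeded; mint handle X for this provider."""
        if principal not in DIRECTORY:
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(16)          # opaque, unguessable
        self._handles[handle] = (principal, provider, now + HANDLE_TTL_SECONDS)
        return handle

    def attribute_authority(self, handle, provider, wanted, now=None):
        """Steps 7-9: link handle X to the user, look up and release attributes."""
        entry = self._handles.get(handle)
        if entry is None:
            raise PermissionError("unknown handle")
        principal, issued_for, expires_at = entry
        now = time.time() if now is None else now
        if now > expires_at:
            del self._handles[handle]
            raise PermissionError("handle expired")
        if issued_for != provider:
            raise PermissionError("handle was not issued for this provider")
        record = DIRECTORY[principal]
        released = ARP.get(provider, set())
        return {name: record[name] for name in wanted
                if name in released and name in record}


class ResourceProvider:
    def __init__(self, entity_id, required):
        self.entity_id = entity_id
        self.required = list(required)

    def login(self, hu, handle, now=None):
        """Step 10: query the AA; grant only if every required attribute arrived.
        Returns the value Bb will see as REMOTE_USER, or None."""
        attrs = hu.attribute_authority(handle, self.entity_id, self.required, now)
        if any(name not in attrs for name in self.required):
            return None
        return attrs[EPPN][0]


if __name__ == "__main__":
    hu = HomeUniversity()
    bb = ResourceProvider(BB_SP, [EPPN, ENTITLEMENT])
    print(bb.login(hu, hu.handle_service("alice", BB_SP)))   # alice@hu.example.edu
    print(bb.login(hu, hu.handle_service("bob", BB_SP)))     # None: no entitlement
```

Bob authenticates successfully at HU and gets a handle, but the directory holds no eduPersonEntitlement for him, so the Resource Manager's check in step 10 fails and he never reaches Bb; the authentication and the authorization decision are made in different places, which is the property the federated model depends on.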


The Ever Risky Live Demo

http://bb.uth.tmc.edu