Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck,...
Learning Management Systems
Camp June 2004
Barry R Ribbeck
UT HSC Houston
Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Learning Management Systems
Define courses to be offered and with whom. Work with provider access group(s) to define requirements for:
1. Administrative and legal issues
2. Policy
3. Security
4. Monetary reimbursement considerations
5. Document retention
6. Technical implementation and user support
7. Document any implementation issues and readdress with access group(s)
Things are moving Fast
Burton Group Quote from Vantage Security Magazine Spring 2004
“The Burton Group estimates that about 100 federation projects have been launched throughout the corporate world, with thousands of other actively investigating it for their firms.”
Learning Management Systems
Current Processes for Identity Provider
• Join a Federation common to the Resource Provider!
• Work out any bi-lateral agreements as needed.
• ASSUMES 1-6 in previous slide is done!
• Test support mechanisms.
• Supply a list of EPPNs to Resource Provider for population into Bb course (can be done in bulk) or activate auto provisioning.
• Agree on assertion exchange for authZ and provision in local directory.
• COURSE BEGINS
• Agree on de-provisioning method and data management after the course is completed.
Learning Management Systems
Current Process for Resource Provider
• Join a Federation common to Authentication Provider.
• Work out any bi-lateral agreements as needed.
• ASSUMES 1-6 in previous slide is done!
• Test support mechanisms.
• Define the AAP for Identity Provider access using agreed upon attribute assertion(s).
• Provision the Bb database.
• COURSE BEGINS
• Provide Identity Provider with post course data as required.
• Complete records retention as defined.
Blackboard Learning Management System
Requirements
• Shib 1.0 or greater*
• Blackboard 6.0.11 or higher
Support
• Shibboleth will be fully supported as a custom authentication option in Bb (currently in a limited Alpha release)
Disclaimer
• Limited support, tested only on Red Hat Linux and Sun Solaris implementations
Connection Details
UTHSC Implementation
• User connecting to {shib(Bb)} is redirected to WAYF as expected
• Resource requires eppn and eduPersonEntitlement
• If AA assertions are accepted, Bb remote user is populated with eppn
• BbShibbolethAuthModule gets the remote user and creates the user object in BbLS
– Can be extended via “Bb Advanced Data and Authentication Manual”
– See next slide
• Bb can create user account in DB on login (User Account Generation on Gateway: Enable) or it can be created a priori
• Currently, course admin must add user to respective courses manually or in batch process *
* This assumes a particular database management model
Yet to be done? Updated
• Standardization on value to populate remote user
– DONE! EPPN
• A way to mix local and shib users by redirection at portal by user choice or failover to Shib
– DONE! http://bb.uth.tmc.edu
Ongoing Work
• Standardized Course attributes in LDAP (see Mace Course ID work)
• Shibboleth protected Portals (EZ Proxy coming soon)
• Non-Web based Shibboleth protected resources (Penn State LionShare, Napster, ShibIM)
• RBAC (see Mace Dir Grouper)
• Just-in-time provisioning using asserted courseid attributes from identity provider and eduPersonEntitlement discussions
Shibboleth and Blackboard
Components in the flow diagram:
• Home University (Identity Provider): Attribute Authority, Authentication System (ISO/SSO/Cert), Handle Service, RBAC Authorization System - LDAP (eduPerson)
• Resource Provider (Service Provider): ACS, AR, Attribute Acceptance Policy, Sites.xml, Resource Manager
• Federation WAYF Service (InCommon)
• Browser
Message flow:
1. I would like access?
2. Can you authenticate via my WAYF?
3. Where are you from?
4. I am from HU, logged in?
5. Authenticate me to HU
6. AuthN ok, send handle X to Resource Provider
7. Need eppn & eduPersonEntitlement for X?
8. Link handle X to user and look up attributes
9. Attributes found and released
10. If ARP allows, attributes are sent to Resource. If attributes are sufficient, access is granted by Resource Manager on Resource Provider (Bb remoteuser=eppn, auto acct generation = on)
11. Logged onto Bb
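The following is an added model (not Shibboleth or Blackboard code) of steps 6 through 11 above and of the Connection Details slide: the Identity Provider resolves an opaque handle and applies its Attribute Release Policy (ARP), the Resource Provider checks its Attribute Acceptance Policy for eppn and eduPersonEntitlement, and Bb populates REMOTE_USER from eppn, creating the account only when gateway account generation is enabled. The directory records, provider ids and entitlement values are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Constructed Home University directory (sample data, not real records).
DIRECTORY = {
    "jdoe": {"eduPersonPrincipalName": "jdoe@example.edu", "mail": "jdoe@example.edu",
             "eduPersonEntitlement": "urn:mace:example.edu:bb:course:101"},
    "asmith": {"eduPersonPrincipalName": "asmith@example.edu", "mail": "asmith@example.edu"},
}

@dataclass
class IdentityProvider:          # Handle Service + Attribute Authority
    arp: dict                    # ARP: provider_id -> attribute names it may release
    handles: dict = field(default_factory=dict)

    def issue_handle(self, uid):                     # step 6: AuthN ok, opaque handle X
        handle = secrets.token_hex(8)
        self.handles[handle] = uid
        return handle

    def attribute_query(self, handle, provider_id):  # steps 7-10: resolve X, apply ARP
        uid = self.handles.get(handle)
        allowed = self.arp.get(provider_id, set())
        return {} if uid is None else {k: v for k, v in DIRECTORY[uid].items() if k in allowed}

@dataclass
class ServiceProvider:           # AAP: resource requires eppn and eduPersonEntitlement
    provider_id: str
    required: frozenset = frozenset({"eduPersonPrincipalName", "eduPersonEntitlement"})

    def accept(self, attrs):
        return self.required.issubset(attrs)

@dataclass
class Blackboard:                # REMOTE_USER = eppn; "User Account Generation on Gateway"
    auto_generate: bool
    accounts: set = field(default_factory=set)

    def login(self, remote_user):                    # step 11
        if remote_user not in self.accounts:
            if not self.auto_generate:
                return "denied: no Bb account for " + remote_user   # must exist a priori
            self.accounts.add(remote_user)
        return "logged on as " + remote_user

def federated_login(uid, idp, sp, bb):
    attrs = idp.attribute_query(idp.issue_handle(uid), sp.provider_id)
    if not sp.accept(attrs):                         # step 10: attributes insufficient
        return "denied: AAP not satisfied"
    return bb.login(attrs["eduPersonPrincipalName"])
```

Note that the ARP is what keeps mail from ever reaching the Resource Provider, and a user without the entitlement is refused at the AAP before Bb is consulted at all.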