SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.


Page 1: SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

SSL, Single Sign On, and External Authentication

Presented By Jeff Kelley, April 12, 2005

Page 2: Opening Slide

• Session Objectives:
  – Understand the Blackboard Academic Suite™ security and permissions architecture
  – Review options available
• Innovation
  – Discover opportunities
• Results/Outcomes
  – Improve service to users
  – Reduce support costs

Page 3: Agenda

• Authorization
• Session Management
• Authentication
  – Configuration Options
  – Single Log-in
  – Single Sign-on

[Diagram: Authorization, Session Management and Authentication arranged around User Identity and Resources]

Page 4: SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

Authorization• Self Contained in Blackboard®• GUI Configuration• Allows the user to perform sets of actions• Software driven

Authorization

BlackboardDatabase

BlackboardDatabase

User ID ???

Who are you?What do you want?

Permission to see it.Permission to do it.

Page 5: System Privileges

course.images.MODIFY
course.settings.MODIFY
course-catalog.CREATE
course-catalog.DELETE
course-catalog.MODIFY
course-catalog.settings.MODIFY
course-categories.VIEW
discussion-board.CREATE
discussion-board.DELETE
discussion-board.MODIFY
discussion-board.VIEW
email-all-instructors.EXECUTE
email-all-students.EXECUTE
email-all-users.EXECUTE
email-support.MODIFY

Page 6: Authorization and Session Management

• Session Manager maintains ID
• Authorization requests ID

[Diagram: Authorization asks Session Management "Who are you?" and receives the User ID]

Page 7: Blackboard Session Management

• Session Launch
• Session Cookie/Table
• Timeout
• Stateful Session Management

[Diagram: the browser Cookie holds a Session ID; Blackboard's session table resolves that Session ID to the User ID]

Page 8: Sessions Across Servers

• Session Affinity
• Cookie-based
• Session Cache

[Diagram: a Load Balancer in front of App1, App2 and App3, which share a File Server and a Database]

Page 9: Authentication

• Who are you?
  – How do we get the user ID?
• Can we trust you?
  – How do we secure the process?

[Diagram: Authentication supplies the User_ID to Session Management]

Page 10: Basic Workflow

[Flowchart, reconstructed from its labels; swim lanes: Session Management, Authentication, Authorization]
User requests a Blackboard page
  → Valid Session? Yes: go to Authorization. No: Authentication.
  → Authentication Success? No: Show Message. Yes: Launch Session.
  → Is User Authorized? No: Show Message. Yes: Deliver Requested Page.
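The workflow of this slide, written out as an added example that is not Blackboard's code: a stateful session table with a timeout (slide 7), a stand-in authenticator, and a deny-by-default authorization check that uses entitlement identifiers from slide 5. The user registry, the role-to-entitlement map, the 30-minute timeout and the function names are all constructed for the illustration.

```python
# Added example (not Blackboard code): the "Basic Workflow" of slide 10 with the
# session table of slide 7 and entitlement checks using slide 5's identifiers.
# Registry contents, timeout value and the authenticator are constructed.
import secrets
import time

SESSION_TIMEOUT = 1800  # seconds; assumed value, the real setting is configurable

# Constructed user registry: user id -> secret and system role.
# A real deployment keeps a password hash here; a plain secret stands in for it.
USERS = {
    "jkelley": {"secret": "correct horse", "role": "System Administrator"},
    "student1": {"secret": "battery staple", "role": "User"},
}

# Constructed role -> entitlement map using identifiers from slide 5.
ROLE_ENTITLEMENTS = {
    "System Administrator": {
        "course-catalog.CREATE", "course-catalog.MODIFY", "course-catalog.DELETE",
        "discussion-board.VIEW", "discussion-board.MODIFY", "email-all-users.EXECUTE",
    },
    "User": {"course-categories.VIEW", "discussion-board.VIEW"},
}


class SessionManager:
    """Stateful session table: session id (the cookie value) -> user id + last activity."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock          # injectable so timeouts can be tested without waiting
        self.table = {}

    def launch(self, user_id):
        sid = secrets.token_urlsafe(32)   # unguessable 256-bit session id
        self.table[sid] = {"user_id": user_id, "last_seen": self.clock()}
        return sid

    def user_for(self, sid):
        """Return the user id for a valid session, or None (an expired entry is dropped)."""
        entry = self.table.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.timeout:
            del self.table[sid]        # timeout: the cookie is no longer honoured
            return None
        entry["last_seen"] = now       # sliding timeout, refreshed on activity
        return entry["user_id"]

    def logout(self, sid):
        self.table.pop(sid, None)


def authenticate(user_id, secret):
    """Stand-in for the authentication step: constant-time compare against the registry."""
    user = USERS.get(user_id)
    return user is not None and secrets.compare_digest(user["secret"], secret)


def is_authorized(user_id, entitlement):
    role = USERS.get(user_id, {}).get("role")
    return entitlement in ROLE_ENTITLEMENTS.get(role, set())   # deny by default


def handle_request(sm, entitlement, cookie=None, credentials=None):
    """Slide 10 flow. Returns (message, session_id); session_id is None when no session exists."""
    user_id = sm.user_for(cookie) if cookie else None
    if user_id is None:                               # Valid Session? -> No: authenticate
        if not credentials or not authenticate(*credentials):
            return "Authentication failed", None      # Show Message
        user_id = credentials[0]
        cookie = sm.launch(user_id)                   # Launch Session
    if not is_authorized(user_id, entitlement):       # Is User Authorized?
        return "Not authorized", cookie               # Show Message; the session stays valid
    return "Deliver requested page", cookie
```

A failed authorization keeps the session alive (the user is who they say they are, they just may not do this), while a timed-out session is removed from the table on the first request that finds it stale, so the cookie value cannot be revived by a later request.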

Page 11: Authentication Options

• Default
• Single Log-in
  – LDAP
• Single Sign-On
  – Web Server Delegation
    • Windows (IIS)
    • UNIX (Apache)
    • Shibboleth
  – Custom
    • Pass-Through Authentication

Page 12: Default Blackboard Authentication

• Uses a Challenge/Response Mechanism
• Does not send the password over the network in “clear text” form
• Does not store passwords in “clear text”
• Authentication Properties = RDBMS

Page 13: Challenge/Response Mechanism

• User requests login page
• Server sends login page with challenge
• User enters credentials; credentials are submitted with the challenge, hashed with MD5
• Server receives credentials and uses the challenge to compare the password with the MD5 password stored in the Bb database
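One round of the exchange above, as an added example rather than Blackboard's implementation. The slide does not give the exact message layout, so the assumed scheme is: the database holds MD5(password); the server issues a random single-use challenge; the browser submits MD5(challenge + MD5(password)); the server recomputes that value from the stored MD5 and compares. That reproduces the two properties the previous slide claims (no clear-text password on the wire, none in the database). Two consequences of this class of scheme are visible in the code: a challenge must be consumed on first use or a captured response could be submitted again, and the stored MD5 value alone is enough to answer a challenge, so the database column needs the same protection as the password itself. MD5 appears only because the slide names it; it is not an acceptable password hash today.

```python
# Added example (not Blackboard's implementation): the challenge/response login of
# slide 13 with an assumed message layout. Database row and credentials are constructed.
import hashlib
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


class LoginServer:
    def __init__(self):
        # Constructed "Bb database" row: user id -> MD5 of the password (no clear text).
        self.db = {"jkelley": md5_hex("correct horse")}
        self.pending = set()   # challenges issued and not yet used

    def login_page(self) -> str:
        """Step 2: the login page carries a fresh random challenge."""
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, user_id: str, challenge: str, response: str) -> bool:
        """Step 4: recompute the expected response from the stored MD5 value and compare."""
        if challenge not in self.pending:
            return False                  # unknown or already-used challenge
        self.pending.discard(challenge)   # single use: a captured response is worthless later
        stored = self.db.get(user_id)
        if stored is None:
            return False
        expected = md5_hex(challenge + stored)
        return secrets.compare_digest(expected, response)


def client_response(password: str, challenge: str) -> str:
    """Step 3: the browser hashes the entered password and binds it to the challenge;
    only this value, never the password, is submitted."""
    return md5_hex(challenge + md5_hex(password))


def login(server: LoginServer, user_id: str, password: str) -> bool:
    """Steps 1-4 end to end for one login attempt."""
    challenge = server.login_page()
    return server.verify(user_id, challenge, client_response(password, challenge))
```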

Page 14: Single Log-In

• One Username and Password pair for multiple Applications

[Diagram: Application1, Application2 and Application3 each send the username & password to the same Directory Service]

Page 15: Blackboard LDAP Authentication

• Configuration setting “plugs” Blackboard into existing infrastructure and enables Single Login
• Provides for multiple directories and fallback for Blackboard only users
• LDAP v2, but…

Page 16: LDAP Authentication

• Security
• Configuration
• Fallback

[Diagram: the browser sends username & password to Blackboard over HTTPS; Blackboard forwards them to one or more Directory Services over LDAP(S) and gets back YES or NO]
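The "multiple directories and fallback for Blackboard only users" behaviour of the last two slides, as an added example that is not Blackboard's LDAP module. Directory binds are stubbed with an in-memory class so the logic runs offline; the class and method names, the `ldaps://` check and the local password hashing are assumptions, and the accounts are constructed. The design point is in `authenticate`: the local store is consulted only when no directory knows the user, because falling back after a wrong directory password would let a stale local password override the directory's decision.

```python
# Added example, not Blackboard's LDAP module: ordered directories with fallback to
# Blackboard-only accounts (slides 15/16). The Directory class stands in for a simple
# LDAP bind over LDAPS; all accounts below are constructed.
from dataclasses import dataclass
import hashlib
import secrets

NOT_FOUND, BAD_PASSWORD, OK = "not_found", "bad_password", "ok"


@dataclass
class Directory:
    name: str
    url: str
    entries: dict  # uid -> password (constructed; a real directory checks the bind itself)

    def bind(self, uid, password):
        """Outcome of binding as uid: found and correct, found but wrong, or not found."""
        if uid not in self.entries:
            return NOT_FOUND
        return OK if secrets.compare_digest(self.entries[uid], password) else BAD_PASSWORD


def local_password_hash(password: str) -> str:
    """Hash for Blackboard-only accounts (SHA-256 here; a real store uses a password hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class LdapAuthenticator:
    def __init__(self, directories, local_users, require_ldaps=True):
        # Security bullet: refuse a directory that would carry the password over plain LDAP.
        for d in directories:
            if require_ldaps and not d.url.startswith("ldaps://"):
                raise ValueError(f"{d.name}: {d.url} is not LDAPS")
        self.directories = directories
        self.local_users = local_users     # Blackboard-only accounts: uid -> password hash

    def authenticate(self, uid, password):
        """Try each directory in order; use the local store only when none knows the user.
        Returns (accepted, source) where source names the deciding store or None."""
        for d in self.directories:
            result = d.bind(uid, password)
            if result == OK:
                return True, d.name
            if result == BAD_PASSWORD:
                return False, d.name      # final: no fallback after a wrong directory password
        stored = self.local_users.get(uid)
        if stored is None:
            return False, None
        return secrets.compare_digest(stored, local_password_hash(password)), "blackboard"
```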

Page 17: SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

AuthenticationService/Gateway

AuthenticationService/Gateway

DirectoryService

DirectoryService

Single Sign-On

Application1Application1Application3Application3

username & password

Application2Application2

• One Username and Password submission for all applications

Page 18: Web Server Delegation

• Types
  – Apache Mods
  – IIS/Active Directory
  – Custom
• Reconcile, Create or Deny
• User Registry or Batch_UID

Page 19: Web Server Delegation

[Diagram: the Web Server performs Authentication and hands the User ID to Blackboard as Remote_User, which feeds Blackboard's Session Management]
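The "Reconcile, Create or Deny" decision of the previous two slides, applied to the Remote_User value the web server sets, as an added example that is not Blackboard's delegation code. It uses the WSGI `environ` convention, where `REMOTE_USER` is set by the server's authentication module while anything a client sent as an HTTP header arrives under an `HTTP_` prefix; only the former is trusted. The registry records, the policy names, the matching option and the realm-suffix handling are assumptions.

```python
# Added example, not Blackboard's delegation code: map the web server's REMOTE_USER to
# a registry entry and decide Reconcile, Create or Deny (slides 18/19). Records and
# environ dictionaries are constructed; the policy and option names are assumed.
from enum import Enum


class Unknown(Enum):
    """Policy for a REMOTE_USER that is not in the registry."""
    CREATE = "create"
    DENY = "deny"


class Delegation:
    def __init__(self, registry, unknown=Unknown.DENY, match_on="batch_uid"):
        self.registry = registry     # list of {"user_id": ..., "batch_uid": ...}
        self.unknown = unknown
        self.match_on = match_on     # "user_id" or "batch_uid" (User Registry or Batch_UID)

    def identify(self, environ):
        """Return (outcome, user_id). Only the server-set REMOTE_USER is consulted: a
        client-supplied header arrives as HTTP_REMOTE_USER and is deliberately ignored."""
        remote_user = environ.get("REMOTE_USER")
        if not remote_user:
            return "deny", None
        # Assumed: strip a realm suffix such as user@EXAMPLE.EDU that AD/Kerberos modules add.
        name = remote_user.split("@", 1)[0].lower()
        for record in self.registry:
            if record[self.match_on].lower() == name:
                return "reconcile", record["user_id"]   # existing account reconciled
        if self.unknown is Unknown.CREATE:
            self.registry.append({"user_id": name, "batch_uid": name})
            return "create", name
        return "deny", None
```

With `Unknown.DENY` an authenticated but unregistered person gets no Blackboard session at all, which is the safer default when the registry is loaded by batch; `Unknown.CREATE` is the choice when the web server's directory is the system of record.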

Page 20: SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

AuthenticationService/Gateway

AuthenticationService/Gateway

Institutional Single Sign-On

Application1Application1 Application3Application3Application2Application2

WebServer WebServer WebServer

• Web Initial Sign-On

Page 21: Pass Through Authentication

• Context
  – /webapps/blackboard/launch_external.jsp
  – Context Encryption

[Diagram: Application 1 (Authentication, Session Mngr) passes a Context to the Blackboard Handler (Session Mngr, User ID), which in turn passes a Context to the Application 2 Handler (Session Mngr)]
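A protected "Context" for the pass-through flow on this slide, as an added example that is not Blackboard's launch_external.jsp or its context format. Application 1 builds a short-lived context for the user it has already authenticated; the Blackboard-side handler (an assumed name) checks it before launching a session. Integrity and freshness are shown with HMAC-SHA256 from the standard library so the example runs offline; the slide's "Context Encryption" would additionally wrap the payload in an authenticated cipher so the user id is not readable in transit. The shared key, the 60-second lifetime and the field names are assumptions.

```python
# Added example, not Blackboard's launch_external.jsp: a signed, expiring, single-use
# Context handed from Application 1 to a Blackboard-side handler (slide 21). Key,
# lifetime and field names are assumed; confidentiality (the slide's encryption) is
# left out so the block needs only the standard library.
import base64
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE = 60   # seconds a context stays valid (assumed)


def make_context(shared_key: bytes, user_id: str, now=None) -> str:
    """Application 1 side: build and sign the context passed to the launch handler."""
    body = {
        "user_id": user_id,
        "issued_at": now if now is not None else time.time(),
        "nonce": secrets.token_hex(8),    # makes every context unique for replay detection
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(shared_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


class LaunchHandler:
    """Blackboard side: validates the context and returns the user id to launch, or None."""

    def __init__(self, shared_key: bytes, max_age=MAX_AGE):
        self.key = shared_key
        self.max_age = max_age
        self.seen = set()   # nonces already accepted, so a captured context is not reusable

    def user_from_context(self, context: str, now=None):
        try:
            payload, tag = context.split(".", 1)
        except ValueError:
            return None                          # malformed
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                          # wrong key or altered payload
        body = json.loads(base64.urlsafe_b64decode(payload))
        now = now if now is not None else time.time()
        if not 0 <= now - body["issued_at"] <= self.max_age:
            return None                          # stale context (or clock skew)
        if body["nonce"] in self.seen:
            return None                          # replay of an accepted context
        self.seen.add(body["nonce"])
        return body["user_id"]
```

The MAC is checked before the payload is parsed, so nothing unauthenticated reaches the JSON decoder; the nonce set would be a shared store (or a per-nonce row with expiry) when several Blackboard application servers sit behind a load balancer, as on slide 8.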

Page 22: Log Out

• No workflow is complete without the LOG OUT procedures
• Review Use Cases!!
• Check sessions of all applications

[Diagram: Application1, Application2 and Application3]
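The "check sessions of all applications" review on this slide, as an added example that is not from the presentation. Each application keeps its own session table (constructed here, with assumed class and function names); a single logout has to visit every one of them, and the check afterwards shows what would have stayed live if only one application had been logged out.

```python
# Added example (not from the slides): single logout across applications and the
# post-logout check of slide 22. Session tables are constructed in memory.
class AppSessions:
    def __init__(self, name):
        self.name = name
        self.table = {}   # session id -> user id

    def launch(self, sid, user_id):
        self.table[sid] = user_id

    def live_sessions(self, user_id):
        return sorted(sid for sid, uid in self.table.items() if uid == user_id)

    def terminate_all(self, user_id):
        for sid in self.live_sessions(user_id):
            del self.table[sid]


def single_logout(apps, user_id):
    """Terminate the user's sessions in every application.
    Returns {app name: sessions it still had}, i.e. what a partial logout would have left."""
    report = {}
    for app in apps:
        live = app.live_sessions(user_id)
        if live:
            report[app.name] = live
        app.terminate_all(user_id)
    return report


def sessions_remaining(apps, user_id):
    """Post-logout check: any application that still knows the user is a broken use case."""
    return {app.name: app.live_sessions(user_id) for app in apps if app.live_sessions(user_id)}
```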

Page 23: Closing Slide

• Innovating Together in ‘05:
  – Authorization, Session Management, Authentication
  – Authentication methods
• Resources Available:
  – Blackboard Authentication Manual
  – Blackboard Administrators Manual
  – Web Initial Sign-on (http://middleware.internet2.edu/webiso/)
• Follow up Contact(s):
  – Jeff Kelley, Solutions Engineer [email protected]
• IF YOU ONLY REMEMBER 1 THING:
  – Don’t forget to log out!