SSL, Single Sign On, and External Authentication

1
SSL, Single Sign On, and External Authentication

• Presented By Jeff Kelley

April 12, 2005
2
Opening Slide

• Session Objectives
• Understand the Blackboard Academic Suite
  security and permissions architecture
• Review options available
• Innovation
• Discover opportunities
• Results/Outcomes
• Improve service to users
• Reduce support costs

3
Agenda

• Authorization
• Session Management
• Authentication
• Configuration Options
• Single Log-in
• Single Sign-on

4
Authorization

• Self Contained in Blackboard
• GUI Configuration
• Allows the user to perform sets of actions
• Software driven

5
System Privileges
6
Authorization and Session Management

• Session Manager maintains ID
• Authorization requests ID

7
Blackboard Session Management

• Session Launch
• Session Cookie/Table
• Timeout
• Stateful

8
Sessions Across Servers

• Session Affinity
• Cookie-based
• Session Cache

9
Authentication

• Who are you?
• How do we get the user ID?
• Can we trust you?
• How do we secure the process?

Session Management
10
Basic Workflow
Authentication
Session Management
Authorization
11
Authentication Options

• Default
• Single Log-in
• LDAP
• Single Sign-On
• Web Server Delegation
• Windows (IIS)
• UNIX (Apache)
• Shibboleth
• Custom
• Pass-Through Authentication

12
Default Blackboard Authentication

• Uses a Challenge/Response Mechanism
• Does not send the password over the network in
  clear text form
• Does not store passwords in clear text
• Authentication Properties RDBMS

13
Challenge/Response Mechanism
User Requests Login Page
Server sends login page with Challenge
Server receives credentials, uses challenge to
compare the password with the MD5 password stored
in the Bb database
User Enters Credentials Credentials are
submitted with Challenge and MD5 Encrypted
14
Single Log-In

• One Username and Password pair for multiple
  Applications

Application1
username password
Application2
username password
Application3
username password
15
Blackboard LDAP Authentication

• Configuration setting plugs Blackboard into
  existing infrastructure and enables Single Login
• Provides for multiple directories and fallback
  for Blackboard only users
• LDAP v2, but

16
LDAP Authentication
username password
Blackboard
HTTPS

• Security
• Configuration
• Fallback

username password
DirectoryService
LDAP(S)
DirectoryService
DirectoryService
YES or NO
17
Single Sign-On

• One Username and Password submission for all
  applications

DirectoryService
Authentication Service/Gateway
username password
Application1
Application3
Application2
18
Web Server Delegation

• Types
• Apache Mods
• IIS/Active Directory
• Custom
• Reconcile, Create or Deny
• User Registry or Batch_UID

19
Web Server Delegation
Remote_User
Authentication
Blackboard
Web Server
User ID
Session Management
20
Institutional Single Sign-On
Authentication Service/Gateway
Application1
Application3
Application2
WebServer
WebServer
WebServer

• Web Initial Sign-On

21
Pass Through Authentication
Application 1
Authentication
Blackboard
Handler
Application 2
Handler
Context
User ID
Session Mngr
Session Mngr
Session Mngr

• Context
• /webapps/blackboard/launch_external.jsp
• Context Encryption

22
Log Out

• No workflow is complete without the LOG OUT
  procedures
• Review Use Cases!!
• Check sessions of all applications

Application1
Application3
Application2
23
Closing Slide

• Innovating Together in 05
• Authorization, Session Management, Authentication
• Authentication methods
• Resources Available
• Blackboard Authentication Manual
• Blackboard Administrators Manual
• Web Initial Sign-on (http//middleware.internet2.e
  du/webiso/)
• Follow up Contact(s)
• Jeff Kelley, Solutions Engineer
  jkelley_at_blackboard.com
• IF YOU ONLY REMEMBER 1 THING
• Dont forget to log out!