Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Code your Own: Authentication Provider for Blackboard Learn

32,392 views

Published on

Presentation from Blackboard Developers Conference 2012 on how to build your own Authentication plugin for Blackboard Learn 9.1 Service Pack 8 or later.

Published in: Technology
  • @dan2bit This is weird, I didn't receive a notification of your comment. Sorry, its's been a while.

    Your answer is most appreciated. Thanks for taking the time to respond; It clarified a lot my doubts. I'm thinking on creating a b2 to make things possible.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • From the Learn side, Shibboleth is a 'fully delegated provider' as described on slide #6 - that means the user leaves the Learn context to login in on a page on the Shibboleth provider. LDAP is a 'delegated credential provider' as described on slide #5 - that means the user's credentials are entered on the Learn login page and passed to the LDAP server for validation. So the only providers that can be 'chained' using the provider order tool are credential providers, since those are the only ones where the Learn user enters their credentials on the Learn page.

    A couple untested alternatives to explore:
    * You could configure your Shibboleth provider to fall back to your LDAP server itself - that configuration would be managed in your Shibboleth setup, and Learn would just send your users to the Shibboleth server
    * Alternatively, you could provide both a login/password form and a link to Shibboleth on your login page, and help users select which to use by means of some text on page customization of your login page, or some IP address segregation you configure in your provider setup - for example, allowing users on your school's subnet to log in via LDAP but requiring outsiders to use Shib. These customizations can be configured on the Learn side if needed.
    * It might be possible to build a custom B2 that queries Shibboleth as though it were a delegated credential provider, and then if that fails, queries the LDAP server, but that would require some kind of API or service on the Shibboleth side that has access to the nternals of how Shibboleth authenticates users, for the Learn B2 to call. I'm not familiar enough with Shibboleth to know if it has such an API or service.

    Hope this helps,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi Dan,

    Would it be possible code a b2 which uses Shibboleth as main authentication provider and LDAP as fallback?

    I've seen the option 'Provider Order' but I couldn't include/mark Shibboleth. I assume that's the way it should work because the only auth providers available to order are LDAP and LearnInternal.

    Thanks,
    JM
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Code your Own: Authentication Provider for Blackboard Learn

  1. 1. Code Your Own Learn Authentication Plugin #AuthcodeAlex VarjuArchitectBlackboard Product DevelopmentDan RinzelDesign ManagerBlackboard Product Development
  2. 2. Q’s we will try to A• How does internal authentication work in Blackboard Learn™?• What’s a remote authentication provider?• What’s a delegated credential provider?• What’s a fully delegated or redirect provider?• What changed in Blackboard Learn 9.1 SP8?• What providers are supported?• How can I extend this framework?
  3. 3. Blackboard Learn Default Authentication• Standard Username & Password combination• Passwords transmitted and stored as encrypted hashes (MD5 or SHA)• Usernames & Passwords can be SOURCED externally, but must be stored in local Learn database
  4. 4. Remote Authentication Provider• In conjunction or instead, Blackboard Learn can be incorporated with authentication services hosted elsewhere.• Passwords are stored and managed remotely, according to policies enforced by the remote provider• Usernames are matched or at least correlated
  5. 5. Delegated Credential Provider• Users log in via a Blackboard Learn screen• Credentials are checked programmatically via the remote provider and results relayed back to the user via Blackboard Learn    Browser Blackboard Learn Credential Provider
  6. 6. Fully Delegated Provider• Users log in directly to the remote provider• The user is redirected to Blackboard Learn with a valid session, vouched for by the provider     Browser Credential Provider Blackboard Learn
  7. 7. What Changed in Service Pack 8?What didn’t change?
  8. 8. What Changed in Service Pack 8?What didn’t change?
  9. 9. What Changed in Service Pack 8? Expanded customization capabilities for login page
  10. 10. What Changed in Service Pack 8?  Enhanced Logging for Authentication events
  11. 11. What Changed in Service Pack 8? New command-line emergency login URL generator
  12. 12. Provider Support in Service Pack 8 Updated Shibbolethsupport to version 2 –including support forApache 2 Official CAS Supportfor the first timeAutomatic update forexisting LDAPconfigurations Continued supportfor other customconfigurations viaLegacy provider
  13. 13. Built for ExtensionCore authentication classes:AuthenticationProviderHandler The entry point for all authentication providers. This provides us with the information needed to invoke your code at the right times.UsernamePasswordValidator For delegated credential providers, this is responsible for validating the username/password typed into the Blackboard Learn login box
  14. 14. Built for ExtensionAuthenticationListener For listening for authentication events.PostLoginUrlInterceptor To allow system to redirect through an alternate URL after login.UsernamePasswordAuthenticationProviderFilter To allow runtime checking of whether each authentication provider in the chain should be run.UsernamePasswordPreValidationCheck For pre-validation checks to be run before any authentication providers validation has been invoked.UsernamePasswordPostValidationCheck For post-validation checks to be run on the User that is returned from validation.
  15. 15. Built for ExtensionAuthenticationManager Search for users, redirect them back to the main page after successful login.SessionManager Grant the user a session once youve confirmed their identity.AuthenticationProviderManager Manage authentication provider instances. Useful if you need to save per-provider settings.AuthenticationLogger Record custom events in the authentication logs.AuthenticationProvider An administrator-created authentication instance
  16. 16. Fully delegated provider
  17. 17. Delegated credential provider• User submits password from the login screen• See if a UsernamePasswordPreValidationCheck wants to stop the login• Load sorted list of AuthenticationProviders• For each provider: • Do any UsernamePasswordAuthenticationProviderFilter extensions this provider to be skipped? • Call this providers UsernamePasswordValidator • Validator can return Yes, No, or I Dont Know.• If a provider accepted this login, see if any UsernamePasswordPostValidationCheck extensions want to stop the login
  18. 18. Working ExampleToday we’re going to walk through building a filter whichlimits prevents dictionary password guessing.Extension points we will make use of:• UsernamePasswordPreValidationCheck• UsernamePasswordPostValidationCheck
  19. 19. Working ExampleBasic design:• Intercept the login request before any password validation is performed.• If the same username has been seen too many times recently, block the login.• After a user has successfully logged in, reset the login counter so that they can log in and out multiple times.
  20. 20. Working Examplepublic interface LoginAttemptCounter { /** * Determines whether to block the login attempt for this username. Also * records the login attempt for future use. * * @return true if the request should be blocked, false if it may proceed */ public boolean shouldBlock(String username); /** * Indicates that this user logged in successfully, and that any previous * records associated with them may be removed. */ public void successfulLogin(String username); /** * Indicates what time the account will be unlocked. * * @return Time in millis, or 0 if account is not locked */ public long lockedUntil(String username);}
  21. 21. Working Examplepublic class BeforeLogin extends AbstractUsernamePasswordPreValidationCheck { private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance(); private final AuthenticationLogger logger = AuthenticationLogger.Factory.getInstance(); @Override public ValidationResult preValidationChecks(String username, String password) { ValidationResult result = new ValidationResult(null); if (counter.shouldBlock(username)) { result.setStatus(ValidationStatus.UserDenied); long now = Calendar.getInstance().getTimeInMillis(); long lockedForMillis = counter.lockedUntil(username) - now; long lockedForSeconds = Math.round(lockedForMillis / 1000.0); result.setMessage(String.format("Account locked for %d seconds.", lockedForSeconds)); AuthenticationEvent event = buildAuthFailedEvent(username); logger.logAuthenticationEvent(event); } else { result.setStatus(ValidationStatus.Continue); } return result; } private AuthenticationEvent buildAuthFailedEvent(String username) { return new AuthenticationEvent(EventType.Error, new Date(), username, "Too many login attempts", null, null); }}
  22. 22. Working Examplepublic class AfterLogin extends AbstractUsernamePasswordPostValidationCheck { private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance(); @Override public ValidationResult postValidationChecks(User user) { counter.successfulLogin(user.getUserName()); ValidationResult result = new ValidationResult(null); result.setStatus(ValidationStatus.Continue); return result; }}
  23. 23. Working Example = = =<webapp-type value="javaext" /> = = = = = =<extension-defs> <definition namespace="blackboard.sample.auth.filter"> <extension id="beforeLogin” point="blackboard.platform.authUserPassPreValidation” class="blackboard.sample.auth.filter.BeforeLogin” singleton="true" /> <extension id="afterLogin” point="blackboard.platform.authUserPassPostValidation” class="blackboard.sample.auth.filter.AfterLogin” singleton="true" /> </definition></extension-defs> = = =
  24. 24. Working Example
  25. 25. Working Example
  26. 26. Sample codeLDAP delegated credential provider http://tinyurl.com/BbLearnLDAP Requires Behind the Blackboard credentialSample code - login rate limiter (github) http://tinyurl.com/BbSampleAuthFilter
  27. 27. ResourcesBlackboard Learn Help Center http://help.blackboard.comShibboleth http://shibboleth.net/CAS http://www.jasig.org/cas alex.varju@blackboard.com dan.rinzel@blackboard.com This presentation will be available via http://edugarage.com at some point after the 27 conference ends.

×