Blackboard as a Shibboleth target: ready for production?
Dr Malcolm Murray, Learning Technologies Team Leader
IT Service
Talk Outline
• Project driver: shared Bb course
• Authentication & Authorisation
• Blackboard’s Implementation
• Setting up Shibboleth
• Configuring Blackboard as a target
• Out the box functionality
• Further refinements
• Recommendations
What we want
A shared Blackboard course
• Durham students authenticated by Durham
• Newcastle students authenticated by Newcastle
• If students leave/fail – handled at source
• Library entitlements – reflect source institution
Blackboard as a Target
Questions of the Target Request:
Is the user authenticated?
• has a valid cookie been set?
Is the user authorised for this service?
• request attribute data using the ticket
Show user their own profile
• request persistent but anonymous user ID
Access Control
1. Authenticate
• Pass
• Fail
2. Authorisation
• Based on some attribute, e.g. course membership, course role, institution role, etc.
Authentication & Authorisation
Authentication
• Knowing if someone is who they say they are
Authorisation
• Knowing if someone is allowed to use or do something
Blackboard Authentication
Getting Blackboard Talking
• Need SSL enabled
– Watch out or you will break your collaboration server
• Get your Shibboleth Origin set up
• Get a Target set up for your Blackboard server
• Join a Federation
• Change various files on Blackboard and your Shibboleth target
• Change Bb Authentication method via GUI
Blackboard Authentication
Make these changes on your Shibboleth target to the file /opt/shibboleth/etc/shibboleth/apache.config:

<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>

<Location /webapps>
  AuthType shibboleth
  ShibRequireSession On
  require affiliation ~ ^member@.+$
  # accept any valid principal name passed from the Origin.
  require user ~ ^.+$
</Location>

ShibMapAttribute urn:mace:dir:attribute-def:eduPersonPrincipalName Shib-EP-BBUSER_NAME

Blackboard Authentication
Make these changes on your Shibboleth target to the file /opt/shibboleth/etc/shibboleth/shibboleth.ini:
wayfURL = https://shib.dur.ac.uk/shibboleth/HS
Note that the Blackboard documentation directs you to point at your own Origin server!
Later we changed this to point at the SDSS WAYF to allow others to access bruno…
A few other changes, e.g. adding details of trusted certificates
Blackboard Authorisation
Only at simplest level – has this user an account?
Still largely the job of the Blackboard database, mapped to a user – not handled by Shibboleth
Based on:
• System Role
• Institutional Roles
• Account Availability
• Course & Community Enrolments
• Course & Community Roles
Impact on Your Blackboard Server
Goodbye Portal Direct Entry
Hello PubCookie
Use the WAYF instead
With a bit of tweaking it can show this instead:
Architecture
Development environment
Uses two servers:
1. Shibboleth Origin & PubCookie
2. Blackboard & Shibboleth Target
Shibboleth Origin (beagle)
• PubCookie – WebISO
• Shibboleth – Origin
• Active Directory – LDAP query
Hardware: 2 x 2.8 GHz Xeon CPUs, 2 GB memory, Linux Red Hat AS – “hopelessly over-powered”
Shibboleth Target
• Shibboleth – Target
• Bb Academic Suite – Web Server, Collaboration Server, Oracle database
• WAYF query
Hardware: 2 x 1 GHz Pentium III CPUs, 2 GB memory, Linux Red Hat AS – “not suitable for production”
Connecting it all together
(diagram: WAYF, bruno, beagle, Active Dir., firewall, proxy server)
How it works - Durham
A local user attempts to access the target (bruno) for the first time that day…
No cookie, so they are redirected to the WAYF page…
How it works - Durham
Chooses Durham University and is redirected to our PubCookie page to authenticate…
If successful they are redirected…
to bruno…
How it works - Newcastle
Chooses Newcastle University and is redirected to their PubCookie page to authenticate…
If it can’t match the user…
Problem
• Users authenticating using an Origin Server outside Durham are failing because the IP address of their request and the return don’t match.
• Outward responses from Durham go via the web proxy server and so have the IP address of the proxy server, not the user or the origin server, so authentication fails
• Our authentication to external targets fails too
• We are working on this…
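The following is a toy model, added here and not code from the talk, from Shibboleth or from Blackboard, of the three questions the target asks (the "Blackboard as a Target" slide), the `require` rules from the apache.config slide, and the address comparison that the proxy problem above breaks. Everything in it is constructed for illustration: the request/attribute names, the IP addresses and the principal names are made up, and the behaviour of several `require` lines in one Location is modelled by a `require_all` flag (standing in for the Apache module's ShibRequireAll setting, which is assumed to be off, so any satisfied rule grants access).

```python
import re
from dataclasses import dataclass, field

# require rules for <Location /webapps>, transcribed from the talk's apache.config
WEBAPPS_RULES = [
    ("affiliation", r"^member@.+$"),
    ("user", r"^.+$"),  # "accept any valid principal name passed from the Origin"
]


@dataclass
class Request:
    """What the target knows about one incoming request (constructed model)."""
    has_session_cookie: bool
    client_ip: str        # source address the target sees on the request
    asserted_ip: str      # address the Origin bound to the user's assertion
    attributes: dict = field(default_factory=dict)


def rules_satisfied(attributes, rules, require_all=False):
    """Evaluate Apache-style `require <attr> ~ <regex>` rules.

    A rule is satisfied when any value of its attribute matches the regex.
    require_all=False: any satisfied rule grants access (ShibRequireAll Off).
    require_all=True:  every rule must be satisfied (ShibRequireAll On).
    """
    outcomes = []
    for attr, pattern in rules:
        values = attributes.get(attr, [])
        if isinstance(values, str):
            values = [values]
        outcomes.append(any(re.search(pattern, v) for v in values))
    return all(outcomes) if require_all else any(outcomes)


def target_decision(req, rules=WEBAPPS_RULES, require_all=False):
    """The three questions from the 'Blackboard as a Target' slide, in order."""
    # 1. Is the user authenticated? No session cookie -> send them to the WAYF.
    if not req.has_session_cookie:
        return "redirect-to-wayf"
    # 2. Does the address in the assertion match the requester? This is the
    #    comparison the slides say fails when traffic leaves via the web proxy.
    if req.client_ip != req.asserted_ip:
        return "reject-address-mismatch"
    # 3. Is the user authorised for this location?
    if rules_satisfied(req.attributes, rules, require_all):
        return "allow"
    return "reject-no-rule-matched"


# Constructed sample requests; addresses and identifiers are made up.
DURHAM_STUDENT = Request(True, "203.0.113.10", "203.0.113.10",
                         {"affiliation": ["member@dur.ac.uk", "student@dur.ac.uk"],
                          "user": "abcd12@dur.ac.uk"})
FIRST_VISIT = Request(False, "203.0.113.10", "203.0.113.10")
# Remote user whose traffic reaches the target from the proxy's address
VIA_PROXY = Request(True, "198.51.100.7", "203.0.113.20",
                    {"affiliation": ["member@ncl.ac.uk"], "user": "b1234@ncl.ac.uk"})
# Valid principal but no member@ affiliation
NON_MEMBER = Request(True, "203.0.113.30", "203.0.113.30",
                     {"affiliation": ["alum@ncl.ac.uk"], "user": "c5678@ncl.ac.uk"})
NO_PRINCIPAL = Request(True, "203.0.113.40", "203.0.113.40",
                       {"affiliation": [], "user": ""})

if __name__ == "__main__":
    cases = [("durham student", DURHAM_STUDENT), ("first visit", FIRST_VISIT),
             ("via proxy", VIA_PROXY), ("non-member", NON_MEMBER),
             ("no principal", NO_PRINCIPAL)]
    for name, req in cases:
        print(f"{name:15s} any-rule: {target_decision(req):24s} "
              f"all-rules: {target_decision(req, require_all=True)}")
```

Running it shows why the talk calls Blackboard "a very undemanding target": with any-rule semantics, the `require user ~ ^.+$` line admits every authenticated principal, so the `member@` affiliation rule never actually excludes anyone and authorisation reduces to "does this user have a Blackboard account", exactly as the Authorisation slide says. Flipping `require_all` is the knob that would make the affiliation rule bite. The proxy case fails at the address check before any rule is consulted, which matches the failure mode described on the Problem slide.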
What works
• Authentication uses the same host as other systems in Durham – Active Directory
• Bb Shibboleth Authentication works for local users
• If we resolve the proxy issue, external users should be able to access bruno too
• WebDav works for local users
What doesn’t
• Lost Portal Direct Entry
• Lost the ability to log out
• Most other services still want you to go through some authentication process
• One-time mapping of accounts is clumsy
• Bb Documentation out of date
• Not an easy/cheap option for Windows users
• Support issue – TSM or Global Services?
Sys Admin Manual
Windows Users
Blackboard does offer Shibboleth authentication beginning with version 6.1.5.1 also for Windows-based clients; however, all implementations of this special authentication method will need to be made via an engagement of Blackboard’s Global Services team.
Case ID 216005
Breaking Things
Note that many custom auth schemes (such as Shibboleth or CAS) are webserver-authentication-based and work by setting the environment variable $REMOTE_USER in the webserver. Such schemes cannot use portal direct entry, since webserver-authentication is only triggered by the main login page. Also note that custom authentication will for similar reasons not work with WebDAV (aka Web Folders) for Content System users.
Case ID 216005
What next
• Look at modifying authentication classes
– Not CustomAuthentication – breaks WebDAV etc.
– Instead extend the existing LDAPAuthentication class (BB_OPEN-SRC project)
• Else we hope Shibboleth 2.0 fixes the logout problem
Recommendations
• Worth playing with
• Blackboard is a very undemanding target – only wants authentication
• Not ready for production yet