SlideShare une entreprise Scribd logo

Code your Own: Authentication Provider for Blackboard Learn

Télécharger en tant que PPTX, PDF
Dan Rinzel
Dan Rinzel

The document discusses authentication in Blackboard Learn and provides an example of extending authentication capabilities by creating a custom filter. It begins by explaining the different types of authentication providers in Blackboard Learn, including remote, delegated credential, and fully delegated providers. It then discusses changes in Service Pack 8, supported providers, and how the framework is built for extension. The document concludes by walking through a sample implementation of a custom filter that limits login attempts to prevent password guessing.

Technologie
1  sur  27
Code Your Own Learn Authentication Plugin #Authcode Alex Varju Architect Blackboard Product Development Dan Rinzel Design Manager Blackboard Product Development
Q’s we will try to A • How does internal authentication work in Blackboard Learn™? • What’s a remote authentication provider? • What’s a delegated credential provider? • What’s a fully delegated or redirect provider? • What changed in Blackboard Learn 9.1 SP8? • What providers are supported? • How can I extend this framework?
Blackboard Learn Default Authentication • Standard Username & Password combination • Passwords transmitted and stored as encrypted hashes (MD5 or SHA) • Usernames & Passwords can be SOURCED externally, but must be stored in local Learn database
Remote Authentication Provider • In conjunction or instead, Blackboard Learn can be incorporated with authentication services hosted elsewhere. • Passwords are stored and managed remotely, according to policies enforced by the remote provider • Usernames are matched or at least correlated
Delegated Credential Provider • Users log in via a Blackboard Learn screen • Credentials are checked programmatically via the remote provider and results relayed back to the user via Blackboard Learn    Browser Blackboard Learn Credential Provider
Fully Delegated Provider • Users log in directly to the remote provider • The user is redirected to Blackboard Learn with a valid session, vouched for by the provider     Browser Credential Provider Blackboard Learn
What Changed in Service Pack 8? What didn’t change?
What Changed in Service Pack 8? What didn’t change?
What Changed in Service Pack 8?  Expanded customization capabilities for login page
What Changed in Service Pack 8?  Enhanced Logging for Authentication events
What Changed in Service Pack 8?  New command-line emergency login URL generator
Provider Support in Service Pack 8  Updated Shibboleth support to version 2 – including support for Apache 2  Official CAS Support for the first time Automatic update for existing LDAP configurations  Continued support for other custom configurations via Legacy provider
Built for Extension Core authentication classes: AuthenticationProviderHandler The entry point for all authentication providers. This provides us with the information needed to invoke your code at the right times. UsernamePasswordValidator For delegated credential providers, this is responsible for validating the username/password typed into the Blackboard Learn login box
Built for Extension AuthenticationListener For listening for authentication events. PostLoginUrlInterceptor To allow system to redirect through an alternate URL after login. UsernamePasswordAuthenticationProviderFilter To allow runtime checking of whether each authentication provider in the chain should be run. UsernamePasswordPreValidationCheck For pre-validation checks to be run before any authentication providers' validation has been invoked. UsernamePasswordPostValidationCheck For post-validation checks to be run on the User that is returned from validation.
Built for Extension AuthenticationManager Search for users, redirect them back to the main page after successful login. SessionManager Grant the user a session once you've confirmed their identity. AuthenticationProviderManager Manage authentication provider instances. Useful if you need to save per-provider settings. AuthenticationLogger Record custom events in the authentication logs. AuthenticationProvider An administrator-created authentication instance
Fully delegated provider
Delegated credential provider • User submits password from the login screen • See if a UsernamePasswordPreValidationCheck wants to stop the login • Load sorted list of AuthenticationProviders • For each provider: • Do any UsernamePasswordAuthenticationProviderFilter extensions this provider to be skipped? • Call this provider's UsernamePasswordValidator • Validator can return Yes, No, or I Don't Know. • If a provider accepted this login, see if any UsernamePasswordPostValidationCheck extensions want to stop the login
Working Example Today we’re going to walk through building a filter which limits prevents dictionary password guessing. Extension points we will make use of: • UsernamePasswordPreValidationCheck • UsernamePasswordPostValidationCheck
Working Example Basic design: • Intercept the login request before any password validation is performed. • If the same username has been seen too many times recently, block the login. • After a user has successfully logged in, reset the login counter so that they can log in and out multiple times.
Working Example public interface LoginAttemptCounter { /** * Determines whether to block the login attempt for this username. Also * records the login attempt for future use. * * @return true if the request should be blocked, false if it may proceed */ public boolean shouldBlock(String username); /** * Indicates that this user logged in successfully, and that any previous * records associated with them may be removed. */ public void successfulLogin(String username); /** * Indicates what time the account will be unlocked. * * @return Time in millis, or 0 if account is not locked */ public long lockedUntil(String username); }
Working Example public class BeforeLogin extends AbstractUsernamePasswordPreValidationCheck { private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance(); private final AuthenticationLogger logger = AuthenticationLogger.Factory.getInstance(); @Override public ValidationResult preValidationChecks(String username, String password) { ValidationResult result = new ValidationResult(null); if (counter.shouldBlock(username)) { result.setStatus(ValidationStatus.UserDenied); long now = Calendar.getInstance().getTimeInMillis(); long lockedForMillis = counter.lockedUntil(username) - now; long lockedForSeconds = Math.round(lockedForMillis / 1000.0); result.setMessage(String.format("Account locked for %d seconds.", lockedForSeconds)); AuthenticationEvent event = buildAuthFailedEvent(username); logger.logAuthenticationEvent(event); } else { result.setStatus(ValidationStatus.Continue); } return result; } private AuthenticationEvent buildAuthFailedEvent(String username) { return new AuthenticationEvent(EventType.Error, new Date(), username, "Too many login attempts", null, null); } }
Working Example public class AfterLogin extends AbstractUsernamePasswordPostValidationCheck { private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance(); @Override public ValidationResult postValidationChecks(User user) { counter.successfulLogin(user.getUserName()); ValidationResult result = new ValidationResult(null); result.setStatus(ValidationStatus.Continue); return result; } }
Working Example = = = <webapp-type value="javaext" /> = = = = = = <extension-defs> <definition namespace="blackboard.sample.auth.filter"> <extension id="beforeLogin” point="blackboard.platform.authUserPassPreValidation” class="blackboard.sample.auth.filter.BeforeLogin” singleton="true" /> <extension id="afterLogin” point="blackboard.platform.authUserPassPostValidation” class="blackboard.sample.auth.filter.AfterLogin” singleton="true" /> </definition> </extension-defs> = = =
Working Example
Working Example
Sample code LDAP delegated credential provider http://tinyurl.com/BbLearnLDAP Requires Behind the Blackboard credential Sample code - login rate limiter (github) http://tinyurl.com/BbSampleAuthFilter
Resources Blackboard Learn Help Center http://help.blackboard.com Shibboleth http://shibboleth.net/ CAS http://www.jasig.org/cas alex.varju@blackboard.com dan.rinzel@blackboard.com This presentation will be available via http://edugarage.com at some point after the 27 conference ends.

Recommandé

National Cyber Security Policy-2013
National Cyber Security Policy-2013National Cyber Security Policy-2013
National Cyber Security Policy-2013
Vidushi Singh
 
Richard ramirez project
Richard ramirez projectRichard ramirez project
Richard ramirez project
PeterMaciasPer4
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
Ryan G. Murphy
 
Domestic Violence in India an Overview
Domestic Violence in India an OverviewDomestic Violence in India an Overview
Domestic Violence in India an Overview
Dasra
 
Domestic Violence Presentation
Domestic Violence PresentationDomestic Violence Presentation
Domestic Violence Presentation
Bauer
 
Violence against women
Violence against womenViolence against women
Violence against women
Janani Vassan
 
Feminist legal theories and types of it
Feminist legal theories and types of itFeminist legal theories and types of it
Feminist legal theories and types of it
FAROUQ
 
Nirbhaya Movement and Impact of Nirbhaya schemes
Nirbhaya Movement and Impact of Nirbhaya schemes Nirbhaya Movement and Impact of Nirbhaya schemes
Nirbhaya Movement and Impact of Nirbhaya schemes
hemurathore1
 

Recommandé

National Cyber Security Policy-2013
National Cyber Security Policy-2013National Cyber Security Policy-2013
National Cyber Security Policy-2013
Vidushi Singh
 
Richard ramirez project
Richard ramirez projectRichard ramirez project
Richard ramirez project
PeterMaciasPer4
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
Ryan G. Murphy
 
Domestic Violence in India an Overview
Domestic Violence in India an OverviewDomestic Violence in India an Overview
Domestic Violence in India an Overview
Dasra
 
Domestic Violence Presentation
Domestic Violence PresentationDomestic Violence Presentation
Domestic Violence Presentation
Bauer
 
Violence against women
Violence against womenViolence against women
Violence against women
Janani Vassan
 
Feminist legal theories and types of it
Feminist legal theories and types of itFeminist legal theories and types of it
Feminist legal theories and types of it
FAROUQ
 
Nirbhaya Movement and Impact of Nirbhaya schemes
Nirbhaya Movement and Impact of Nirbhaya schemes Nirbhaya Movement and Impact of Nirbhaya schemes
Nirbhaya Movement and Impact of Nirbhaya schemes
hemurathore1
 
Critical Legal Studies (CLS) Defined
Critical Legal Studies (CLS) DefinedCritical Legal Studies (CLS) Defined
Critical Legal Studies (CLS) Defined
Chandra Shekhar Khadka
 
2495_Assault and Battery.ppt
2495_Assault and Battery.ppt2495_Assault and Battery.ppt
2495_Assault and Battery.ppt
SantoshThorat31
 
Cyber Crime.ppt
Cyber Crime.pptCyber Crime.ppt
Cyber Crime.ppt
TanviModi14
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
Tam Nguyen
 
Cyber Warfare 4TH edition
Cyber Warfare 4TH editionCyber Warfare 4TH edition
Cyber Warfare 4TH edition
Jorge Sebastiao
 
Cyber crimes
Cyber crimesCyber crimes
Cyber crimes
university of Gujrat, pakistan
 
Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
Neha Agarwal
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
Santosh Khadsare
 
Article 14 right to equality
Article 14 right to equalityArticle 14 right to equality
Article 14 right to equality
saket garg
 
Parole in india
Parole in indiaParole in india
Parole in india
gururaj lulkarni
 
Health law Unit 1.pptx
Health law Unit 1.pptxHealth law Unit 1.pptx
Health law Unit 1.pptx
harshKushwaha48
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
Harendra Singh
 
Introduction to cyber security i
Introduction to cyber security iIntroduction to cyber security i
Introduction to cyber security i
Emmanuel Gbenga Dada (BSc, MSc, PhD)
 
Victimization of women and children
Victimization of women and childrenVictimization of women and children
Victimization of women and children
Shiva326087
 
Women and their legal rights in India_WomenPowerConnect
Women and their legal rights in India_WomenPowerConnectWomen and their legal rights in India_WomenPowerConnect
Women and their legal rights in India_WomenPowerConnect
Rachna Shanbog
 
Types of cyber crime
Types of cyber crimeTypes of cyber crime
Types of cyber crime
InshaLakhani
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and cracking
Harshil Barot
 
Cyber law
Cyber lawCyber law
Cyber law
GNIM,Mullana (Ambala)
 
Cyber Space
Cyber SpaceCyber Space
Cyber Space
Kashif Latif
 
application security.pdf
application security.pdfapplication security.pdf
application security.pdf
VSAM Technologies India Private Limited
 
Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...
Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...
Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...
Dan Rinzel
 
REDIS caching explained
REDIS caching explained REDIS caching explained
REDIS caching explained
Dan Rinzel
 

Contenu connexe

Tendances

Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
Tam Nguyen
 
Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
Neha Agarwal
 
Article 14 right to equality
Article 14 right to equalityArticle 14 right to equality
Article 14 right to equality
saket garg
 
Women and their legal rights in India_WomenPowerConnect
Women and their legal rights in India_WomenPowerConnectWomen and their legal rights in India_WomenPowerConnect
Women and their legal rights in India_WomenPowerConnect
Rachna Shanbog
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and cracking
Harshil Barot
 

Tendances (20)

Critical Legal Studies (CLS) Defined
Critical Legal Studies (CLS) DefinedCritical Legal Studies (CLS) Defined
Critical Legal Studies (CLS) Defined
 
2495_Assault and Battery.ppt
2495_Assault and Battery.ppt2495_Assault and Battery.ppt
2495_Assault and Battery.ppt
 
Cyber Crime.ppt
Cyber Crime.pptCyber Crime.ppt
Cyber Crime.ppt
 
Cybersecurity Issues and Challenges
Cybersecurity Issues and ChallengesCybersecurity Issues and Challenges
Cybersecurity Issues and Challenges
 
Cyber Warfare 4TH edition
Cyber Warfare 4TH editionCyber Warfare 4TH edition
Cyber Warfare 4TH edition
 
Cyber crimes
Cyber crimesCyber crimes
Cyber crimes
 
Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
 
Article 14 right to equality
Article 14 right to equalityArticle 14 right to equality
Article 14 right to equality
 
Parole in india
Parole in indiaParole in india
Parole in india
 
Health law Unit 1.pptx
Health law Unit 1.pptxHealth law Unit 1.pptx
Health law Unit 1.pptx
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Introduction to cyber security i
Introduction to cyber security iIntroduction to cyber security i
Introduction to cyber security i
 
Victimization of women and children
Victimization of women and childrenVictimization of women and children
Victimization of women and children
 
Women and their legal rights in India_WomenPowerConnect
Women and their legal rights in India_WomenPowerConnectWomen and their legal rights in India_WomenPowerConnect
Women and their legal rights in India_WomenPowerConnect
 
Types of cyber crime
Types of cyber crimeTypes of cyber crime
Types of cyber crime
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and cracking
 
Cyber law
Cyber lawCyber law
Cyber law
 
Cyber Space
Cyber SpaceCyber Space
Cyber Space
 
application security.pdf
application security.pdfapplication security.pdf
application security.pdf
 

En vedette

LAK16 Practitioner Track presentation: Model Accuracy. Training vs Reality
LAK16 Practitioner Track presentation: Model Accuracy. Training vs RealityLAK16 Practitioner Track presentation: Model Accuracy. Training vs Reality
LAK16 Practitioner Track presentation: Model Accuracy. Training vs Reality
Dan Rinzel
 

En vedette (7)

Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...
Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...
Code Your Own: Tool Integration using the Basic Learning Tools Interoperabili...
 
REDIS caching explained
REDIS caching explained REDIS caching explained
REDIS caching explained
 
Blackboard DevCon: Introducing IMS Learning Tools Interoperability
Blackboard DevCon: Introducing IMS Learning Tools InteroperabilityBlackboard DevCon: Introducing IMS Learning Tools Interoperability
Blackboard DevCon: Introducing IMS Learning Tools Interoperability
 
LAK16 Practitioner Track presentation: Model Accuracy. Training vs Reality
LAK16 Practitioner Track presentation: Model Accuracy. Training vs RealityLAK16 Practitioner Track presentation: Model Accuracy. Training vs Reality
LAK16 Practitioner Track presentation: Model Accuracy. Training vs Reality
 
Redis introduction
Redis introductionRedis introduction
Redis introduction
 
Credential provider
Credential providerCredential provider
Credential provider
 
Dynamics CRM 2011 Architecture Overview
Dynamics CRM 2011 Architecture OverviewDynamics CRM 2011 Architecture Overview
Dynamics CRM 2011 Architecture Overview
 

Similaire à Code your Own: Authentication Provider for Blackboard Learn

TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
Tieturi Oy
 
Authentication
AuthenticationAuthentication
Authentication
soon
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
InterSystems Corporation
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish Kalamati
Girish Kalamati
 
Twofactorauthentication 120625115723-phpapp01
Twofactorauthentication 120625115723-phpapp01Twofactorauthentication 120625115723-phpapp01
Twofactorauthentication 120625115723-phpapp01
Hai Nguyen
 
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...
Amazon Web Services
 

Similaire à Code your Own: Authentication Provider for Blackboard Learn (20)

SPUnite17 Timer Jobs Event Handlers
SPUnite17 Timer Jobs Event HandlersSPUnite17 Timer Jobs Event Handlers
SPUnite17 Timer Jobs Event Handlers
 
Self-service Password Reset
Self-service Password ResetSelf-service Password Reset
Self-service Password Reset
 
O365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis Jugo
O365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis JugoO365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis Jugo
O365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis Jugo
 
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
How to get started with the Pluggable Authentication System
How to get started with the Pluggable Authentication SystemHow to get started with the Pluggable Authentication System
How to get started with the Pluggable Authentication System
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day One
 
Authentication
AuthenticationAuthentication
Authentication
 
ASP.NET Lecture 5
ASP.NET Lecture 5ASP.NET Lecture 5
ASP.NET Lecture 5
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish Kalamati
 
Twofactorauthentication 120625115723-phpapp01
Twofactorauthentication 120625115723-phpapp01Twofactorauthentication 120625115723-phpapp01
Twofactorauthentication 120625115723-phpapp01
 
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...
AWS re:Invent 2016: Enabling DevOps for an Enterprise with AWS Service Catalo...
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 

Dernier

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 

Dernier (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Code your Own: Authentication Provider for Blackboard Learn

  • 1. Code Your Own Learn Authentication Plugin #Authcode Alex Varju Architect Blackboard Product Development Dan Rinzel Design Manager Blackboard Product Development
  • 2. Q’s we will try to A • How does internal authentication work in Blackboard Learn™? • What’s a remote authentication provider? • What’s a delegated credential provider? • What’s a fully delegated or redirect provider? • What changed in Blackboard Learn 9.1 SP8? • What providers are supported? • How can I extend this framework?
  • 3. Blackboard Learn Default Authentication • Standard Username & Password combination • Passwords transmitted and stored as encrypted hashes (MD5 or SHA) • Usernames & Passwords can be SOURCED externally, but must be stored in local Learn database
  • 4. Remote Authentication Provider • In conjunction or instead, Blackboard Learn can be incorporated with authentication services hosted elsewhere. • Passwords are stored and managed remotely, according to policies enforced by the remote provider • Usernames are matched or at least correlated
  • 5. Delegated Credential Provider • Users log in via a Blackboard Learn screen • Credentials are checked programmatically via the remote provider and results relayed back to the user via Blackboard Learn    Browser Blackboard Learn Credential Provider
  • 6. Fully Delegated Provider • Users log in directly to the remote provider • The user is redirected to Blackboard Learn with a valid session, vouched for by the provider     Browser Credential Provider Blackboard Learn
  • 7. What Changed in Service Pack 8? What didn’t change?
  • 8. What Changed in Service Pack 8? What didn’t change?
  • 9. What Changed in Service Pack 8?  Expanded customization capabilities for login page
  • 10. What Changed in Service Pack 8?  Enhanced Logging for Authentication events
  • 11. What Changed in Service Pack 8?  New command-line emergency login URL generator
  • 12. Provider Support in Service Pack 8  Updated Shibboleth support to version 2 – including support for Apache 2  Official CAS Support for the first time Automatic update for existing LDAP configurations  Continued support for other custom configurations via Legacy provider
  • 13. Built for Extension Core authentication classes: AuthenticationProviderHandler The entry point for all authentication providers. This provides us with the information needed to invoke your code at the right times. UsernamePasswordValidator For delegated credential providers, this is responsible for validating the username/password typed into the Blackboard Learn login box
  • 14. Built for Extension AuthenticationListener For listening for authentication events. PostLoginUrlInterceptor To allow system to redirect through an alternate URL after login. UsernamePasswordAuthenticationProviderFilter To allow runtime checking of whether each authentication provider in the chain should be run. UsernamePasswordPreValidationCheck For pre-validation checks to be run before any authentication providers' validation has been invoked. UsernamePasswordPostValidationCheck For post-validation checks to be run on the User that is returned from validation.
  • 15. Built for Extension AuthenticationManager Search for users, redirect them back to the main page after successful login. SessionManager Grant the user a session once you've confirmed their identity. AuthenticationProviderManager Manage authentication provider instances. Useful if you need to save per-provider settings. AuthenticationLogger Record custom events in the authentication logs. AuthenticationProvider An administrator-created authentication instance
  • 17. Delegated credential provider • User submits password from the login screen • See if a UsernamePasswordPreValidationCheck wants to stop the login • Load sorted list of AuthenticationProviders • For each provider: • Do any UsernamePasswordAuthenticationProviderFilter extensions this provider to be skipped? • Call this provider's UsernamePasswordValidator • Validator can return Yes, No, or I Don't Know. • If a provider accepted this login, see if any UsernamePasswordPostValidationCheck extensions want to stop the login
  • 18. Working Example Today we’re going to walk through building a filter which limits prevents dictionary password guessing. Extension points we will make use of: • UsernamePasswordPreValidationCheck • UsernamePasswordPostValidationCheck
  • 19. Working Example Basic design: • Intercept the login request before any password validation is performed. • If the same username has been seen too many times recently, block the login. • After a user has successfully logged in, reset the login counter so that they can log in and out multiple times.
  • 20. Working Example public interface LoginAttemptCounter { /** * Determines whether to block the login attempt for this username. Also * records the login attempt for future use. * * @return true if the request should be blocked, false if it may proceed */ public boolean shouldBlock(String username); /** * Indicates that this user logged in successfully, and that any previous * records associated with them may be removed. */ public void successfulLogin(String username); /** * Indicates what time the account will be unlocked. * * @return Time in millis, or 0 if account is not locked */ public long lockedUntil(String username); }
  • 21. Working Example public class BeforeLogin extends AbstractUsernamePasswordPreValidationCheck { private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance(); private final AuthenticationLogger logger = AuthenticationLogger.Factory.getInstance(); @Override public ValidationResult preValidationChecks(String username, String password) { ValidationResult result = new ValidationResult(null); if (counter.shouldBlock(username)) { result.setStatus(ValidationStatus.UserDenied); long now = Calendar.getInstance().getTimeInMillis(); long lockedForMillis = counter.lockedUntil(username) - now; long lockedForSeconds = Math.round(lockedForMillis / 1000.0); result.setMessage(String.format("Account locked for %d seconds.", lockedForSeconds)); AuthenticationEvent event = buildAuthFailedEvent(username); logger.logAuthenticationEvent(event); } else { result.setStatus(ValidationStatus.Continue); } return result; } private AuthenticationEvent buildAuthFailedEvent(String username) { return new AuthenticationEvent(EventType.Error, new Date(), username, "Too many login attempts", null, null); } }
  • 22. Working Example public class AfterLogin extends AbstractUsernamePasswordPostValidationCheck { private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance(); @Override public ValidationResult postValidationChecks(User user) { counter.successfulLogin(user.getUserName()); ValidationResult result = new ValidationResult(null); result.setStatus(ValidationStatus.Continue); return result; } }
  • 23. Working Example = = = <webapp-type value="javaext" /> = = = = = = <extension-defs> <definition namespace="blackboard.sample.auth.filter"> <extension id="beforeLogin” point="blackboard.platform.authUserPassPreValidation” class="blackboard.sample.auth.filter.BeforeLogin” singleton="true" /> <extension id="afterLogin” point="blackboard.platform.authUserPassPostValidation” class="blackboard.sample.auth.filter.AfterLogin” singleton="true" /> </definition> </extension-defs> = = =
  • 26. Sample code LDAP delegated credential provider http://tinyurl.com/BbLearnLDAP Requires Behind the Blackboard credential Sample code - login rate limiter (github) http://tinyurl.com/BbSampleAuthFilter
  • 27. Resources Blackboard Learn Help Center http://help.blackboard.com Shibboleth http://shibboleth.net/ CAS http://www.jasig.org/cas alex.varju@blackboard.com dan.rinzel@blackboard.com This presentation will be available via http://edugarage.com at some point after the 27 conference ends.

Notes de l'éditeur

  1. Agenda for the presentation.
  2. Password transmission is hashed regardless of SSL encryption of the whole HTTP requestGetting the user credentials INTO Learn can be accomplished in a number of ways – go check out Jim Riecken’s presentation after this one
  3. This is your LDAP/Active Directory/Atlassian Crowd modelThe “thumbs up” is received by Learn from the credential provider and the user is granted access (or not)
  4. This is your CAS, Shibboleth or OpenID modelAs with the prior model, the remote server vouches for the user
  5. Went from back end config file incantation with service restart prior to verification, to GUI-enabled real-time configuration, testing, enabling and chainingSimilar in many ways to the transition from banging on an old IBM typewriter, busting out the whiteout or starting completely over when you found a typo.To our modern word processor experience where you can move and make corrections with (relative) ease.You still have to get the writing right – you still have to successfully connect and properly configure, and your user data still has to be useful in both Learn and in the provider
  6. Went from back end config file incantation with service restart prior to verification, to GUI-enabled real-time configuration, testing, enabling and chainingSimilar in many ways to the transition from banging on an old IBM typewriter, busting out the whiteout or starting completely over when you found a typo.To our modern word processor experience where you can move and make corrections with (relative) ease.You still have to get the writing right – you still have to successfully connect and properly configure, and your user data still has to be useful in both Learn and in the provider
  7. Multiple fully delegated providers can be “lined up” on one login pageDelegated or credential providers can be restricted to only particular login hostnamesDifferent custom login pages can be built for different hostnames (requires Community license)
  8. All login attempts, successful logins, logouts and session expirations are recorded in a dedicated log file in the logs directory of the application server, as well as in a database table that supports the searching &amp; filtering UI shown here. The database table is purged periodically by a database job, and can also be purged manually from this UI.
  9. Because so many configuration options are available now from the User Interface, we needed to design a fallback mechanism to allow an administrator to access the system regardless of it’s current configuration state – the solution is the command-line emergency login URL generator.It requires back-end access (or a Managed Hosting ticket), and generates a one-time-use URL with an expiration time, allowing access to the system to revert any broken configuration.
  10. Apache 2 is supported, but doesn’t ship inside the SP8 installer. Once Learn is installed, you can configure your instance to point to an Apache 2 serverCentral Authentication Service – originally built by Yale and supported by Jasig (Java in Administration Special Interest Group) since 2004LDAP – lightweight directory access protocol – used by Microsoft’s Active Directory product among others
  11. The new framework is built using extension points, allowing Building Blocks to interact with the platform. If you are writing a custom authentication plugin, these are the two classes you will be working with.
  12. These are some more extension points that the platform exposes, allowing you to intercept and modify the behaviour of the core system.AuthenticationListener receives notification whenever anything interesting happens related to authentication. Sample events include Login, Logout, SessionExpiry, and Failed Login.PostLoginUrlInterceptor could be used to alter the standard destination after a user logs in. For example, you could use this to send the user to the change password page when they log in for the very first time.UsernamePasswordAuthenticationProviderFilter allows you to disable individual authentication providers based on the current request context. We use this internally to implement the restricted hostnames feature, only allowing a provider to be used if the request was sent to a specific hostname.UsernamePasswordPreValidationCheck and UsernamePasswordPostValidationCheck allow you to abort a login request either before or after the password validation has occurred. We’ll be using these today to implement a filter that temporarily locks an account if too many bad login attempts are received in a short period of time.
  13. In addition to the interfaces that you can implement within your Building Block, the new authentication framework includesa number of helper classes that you can call.Worth highlighting here is AuthenticationProvider. Building Blocks can supply AuthenticationProviderHandler implementations, telling the framework how to do your type of authentication. AuthenticationProvider represents a deployed instance of your handler. Administrators can deploy multiple instances of a single handler, each with their own properties. Each instance of fully delegated providers shows up as another link on the login screen, and each delegated credential provider gets called until one approves or denies the password-based login request.
  14. This sequence diagram shows what happens during a fully delegated login. When the user logs in:Your handler provides the URL where you want the user to be sent to start the authentication processThe user is then sent to this URL and you can do whatever is necessary to confirm that the user is authentic. For example, with the CAS handler we bounce the user over to the CAS server, have them log in there, and then they get bounced back to our Building Block where we can validate the CAS responseOnce we know the user is authentic, we figure out which Blackboard Learn account to connect them with (either by username or batch_uid), and activate their session.
  15. Delegated credential authentication is driven by Learn. Within this process, there are a number of places you can inject extensions to alter the system behaviour.
  16. This is the interface for our helper class that we’ll use to keep track of login attempts.shouldBlock will be called before each login attemptsuccessfulLogin will be called after a login succeedslockedUntil provides information when reporting errorsI won’t go into the implementation of this class during today’s presentation. The essence of the implementation is a HashMap keyed by username storing all recent login attempts.Note: Some of the code shown here has been tweaked slightly to make the slides easier to read. The full code will be made available afterwards.
  17. This is our first extension point.If the login counter indicates there have been too many attempts for this username, return UserDenied along with an informative error that will be shown to the end user
  18. This is our second extension point. Since we know that the user entered a valid password, we’ll clear any previous login attempts. This ensures that users with valid credentials can log in and out as many times as they want.
  19. Now it’s time to wire up our extension implementations. Most of this is boilerplate. A few things to notice, though:I’ve included a webapp-type element. This tells the platform that your Building Block includes extension implementations.The extension-defs element is where we register our specific extensions.First, we define our own namespace. This helps ensure that our extension IDs don’t collide with extensions from other Building Blocks.Next, we list the extensions themselves. Each extension has:A unique identifier.The identifier of the extension point being implemented. The fully qualified name of our implementation classA singleton flag, indicating that the platform may reuse the same instance of our extension each time
  20. Here you can see the result after too many bad login attempts.
  21. And here is what the administrator sees. The Error event is our custom event, which contains our “Too many login attempts” warning. Above this is the failed Login Attempt event that the framework logged because an extension point aborted the login, which includes the IP address of the attacker.
  22. There are lots of things that you can do with the new authentication framework. To help you get started, we’ve released the source code for the LDAP provider which ships with the latest version of Blackboard Learn. We will also be making the full source code from today’s presentation available.The LDAP code is a compilable, runnable version of the shipping LDAP B2, in a separate namespace, so that they can be run in parallelThe sample code can be pulled from github, it is not intended to be run in production! It has several shortcuts and limitations as described in the readme file.
  23. You can learn more about how the base features of the framework operate from the Learn Help CenterYou can learn more about Shibboleth and CAS from their own sites