Blackboard Building Blocks
Tom Joyce, Product Manager, Platform
Architecture & Database
Saturday, October 03, 2015
Road Map
Authentication/Security Overview
Release 6 Authentication Options
Custom Authentication
Authentication Demos
Review/Open Discussion
Authentication Concepts
Ensures that you are who you say you are!
Most schemes require the user to present
a set of credentials
In the form of a username/password, or
Referred to as End User Authentication
EUA Options in Release 6
EUA Options in Release 6
 Blackboard Learning
and Community
Portal System™
(Release 6) offers
several options “out of
the box” solutions
 One option for all Vls
 Set in authentication.
Properties (file)
EUA Options
 Blackboard Default
 Webserver
 Passport
 Custom
Default Authentication (RDBMS)
Standard with Blackboard Learning
System™(Release 6)
Form to enter in their user id and
Default Authentication
Customization Options
– Users can customize login page via UI
– Direct Portal Entry
MD5 Passwords are stored in Bb
Uses a challenge/response mechanism for
increased security
Challenge/Response Mechanism
Does not send the password over the
network in “clear text” form
Prevents “sniffing” of passwords
Challenge/Response Mechanism
User Requests
Login Page
Server sends
login page with
User Enters Credentials;
Credentials are
submitted with Challenge
and MD5 Encrypted
Server receives
credentials, uses
challenge to compare
the password with the
MD5 password stored
in the Bb5 database
EUA Option: LDAP
Can configure to go against an external
LDAP directory
Standard Bb Login Screen Used
Matches against the user id in the
Blackboard database
SSL enabling Blackboard strongly
EUA Option:Webserver
 Authenticates information based on the user
passed via HTTP to the authentication module.
 Checks for the existence of the “remote-user”
 User is reconciled with users already in the Bb
Database (more on this later)
 Windows—Automatically installs an ISAPI filter
to add this information based on the Windows
Domain (Windows Integrated)
 UNIX—Add-ins for Apache are required
EUA Option: Passport
Requires users to login using a Microsoft
Functionally similar to Webserver auth
User Reconciliation Options
 User is received from
external system
 What to do if user is
not found in system
 In Release 6:
– Webserver and
Reconciliation Process
The Auth module receives the external
– Windows Auth: Windows Domain/User ID
(e.g. DC/tjoyce)
– Passport: PUID (Passport Unique ID)
The User Registry is searched for the
external credential
If found, then the user is authenticated
Reconciliation Process, Cont’d
If user is not found, depends on
user_account setting:
– Reconcile: Present the user with a form
– Create: Create the user based on external ID
– Deny: Do not authenticate the user
User Option: Reconcile
 User is presented with a screen and
prompted to enter in Bb Credentials
 MUST exist in the Blackboard database!
 The external user is associated with that
Blackboard user
User Option: Create
 User is automatically created in the
Blackboard database based on the
external credential
– Webserver: webserver-user-xxxx
– Passport: passport-user-xxxx
 User or Admin can change personal info
User Option: Deny
User not in User Registry = No access
Reconciliation Option Pitfalls
Info is stored in the User Registry
Not accessible by Snapshot or UI.
Non-Public methods exist to get the data
via the Java API
May be addressed in 6.2
EUA Option: Custom
Authentication API
API is part of B2 program
B2 Developers should use this for custom
authentication modules
Authentication API
 void init(ConfigurationService cfg)
 boolean isAuthenticated(HttpServletRequest request)
throws BbSecurityException;
 String doAuthenticate(HttpServletRequest request,
HttpServletResponse response)
 void doLogout(HttpServletRequest request,
HttpServletResponse response)
 void requestAuthenticate(HttpServletRequest request,
HttpServletResponse response)
 public String getAuthType();
 public String[] getPropKeys();
 public void setConfig( HttpAuthConfig config );
API Details
 void init(ConfigurationService cfg)
– Called upon Tomcat initialization
 public String getAuthType();
– Must return a String (i.e., “customauth”)
 public String[] getPropKeys();
– Return an array of properties for this authentication
– At a minimum, “impl” should be returned here to
specify the class name of the custom module
API Details (cont’d)
 public void setConfig( HttpAuthConfig config );
– Handle to the configuration properties for the
 void requestAuthenticate (HttpServletRequest
request, HttpServletResponse response)
– Called when Blackboard requires authentication
– Can set this to a web page, login form, or do nothing.
API Details (cont’d)
String doAuthenticate
(HttpServletRequest request,
HttpServletResponse response)
– Does the implementation-specific work of
authenticating the user
– Return the user id if successful, null if not (can
also throw a BbSecurityException)
API Details (cont’d)
boolean isAuthenticated
(HttpServletRequest request) throws
– This is deprecated; can return true here
Caveat: As of 6.0.10, you MUST
subclass BaseAuthenticationModule!
– This has been identified as a bug and will
be fixed in a future release
Authentication Configuration
2 Files:
Run PushConfigUpdates after changing
any values
Load Balanced Systems
Config File:
– rdbms, ldap, webserver, passport, or “custom”
Config File:
Entries in the form:
– auth.type.<auth type>.<property
name>=<property value>
– auth.type.rdbms.use_challenge=true
– auth.type.ldap.error_fallback_to_bb=false
Demo: Custom Auth
– Implement
– MUST subclass BaseAuthenticationModule
(this is a bug)
– Build jar, move jar to Tomcat lib/apps
– Edit,
– Restart Tomcat
Several Different Authentication Options
are available for Release 6
B2 Developers can develop Custom
Authentication modules
Numerous Possibilities exist for custom
authentication modules (SSO, Kerberos,
Q&A/Open Discussion
Tom Joyce, Product Manager, Platform,
Architecture and Database
Thank You
Demos to Follow >

Authentication - Blackboard Inc.