Code your Own: Authentication Provider for Blackboard Learn

DESCRIPTION

Presentation from Blackboard Developers Conference 2012 on how to build your own Authentication plugin for Blackboard Learn 9.1 Service Pack 8 or later.

Page 1: Code your Own: Authentication Provider for Blackboard Learn

Code Your Own Learn Authentication Plugin

#Authcode

Alex Varju, Architect, Blackboard Product Development

Dan Rinzel, Design Manager, Blackboard Product Development

Page 2: Code your Own: Authentication Provider for Blackboard Learn

Q’s we will try to A

• How does internal authentication work in Blackboard Learn™?

• What’s a remote authentication provider?

• What’s a delegated credential provider?

• What’s a fully delegated or redirect provider?

• What changed in Blackboard Learn 9.1 SP8?

• What providers are supported?

• How can I extend this framework?

Page 3: Code your Own: Authentication Provider for Blackboard Learn

Blackboard Learn Default Authentication

• Standard Username & Password combination

• Passwords transmitted and stored as encrypted hashes (MD5 or SHA)

• Usernames & Passwords can be SOURCED externally, but must be stored in local Learn database

Alex V: This is no longer true. Passwords are hashed for legacy auth, but modern auth requires SSL for production servers.

Page 4: Code your Own: Authentication Provider for Blackboard Learn

Remote Authentication Provider

• In conjunction with or instead of the local store, Blackboard Learn can be integrated with authentication services hosted elsewhere.

• Passwords are stored and managed remotely, according to policies enforced by the remote provider

• Usernames are matched or at least correlated

Page 5: Code your Own: Authentication Provider for Blackboard Learn

Delegated Credential Provider

• Users log in via a Blackboard Learn screen

• Credentials are checked programmatically via the remote provider and results relayed back to the user via Blackboard Learn

[Diagram: Browser → Blackboard Learn → Credential Provider]

Page 6: Code your Own: Authentication Provider for Blackboard Learn

Fully Delegated Provider

• Users log in directly to the remote provider

• The user is redirected to Blackboard Learn with a valid session, vouched for by the provider

[Diagram: Browser → Credential Provider → Blackboard Learn]

Page 7: Code your Own: Authentication Provider for Blackboard Learn

What didn’t change?

What Changed in Service Pack 8?

Page 9: Code your Own: Authentication Provider for Blackboard Learn

What Changed in Service Pack 8?

Expanded customization capabilities for login page

Page 10: Code your Own: Authentication Provider for Blackboard Learn

What Changed in Service Pack 8?

Enhanced Logging for Authentication events

Page 11: Code your Own: Authentication Provider for Blackboard Learn

What Changed in Service Pack 8?

New command-line emergency login URL generator

Page 12: Code your Own: Authentication Provider for Blackboard Learn

Provider Support in Service Pack 8

• Updated Shibboleth support to version 2, including support for Apache 2

• Official CAS support for the first time

• Automatic update for existing LDAP configurations

• Continued support for other custom configurations via Legacy provider

Page 13: Code your Own: Authentication Provider for Blackboard Learn

Built for Extension

Core authentication classes:

AuthenticationProviderHandler: The entry point for all authentication providers. This provides us with the information needed to invoke your code at the right times.

UsernamePasswordValidator: For delegated credential providers, this is responsible for validating the username/password typed into the Blackboard Learn login box.

Page 14: Code your Own: Authentication Provider for Blackboard Learn

Built for Extension

AuthenticationListener: For listening for authentication events.

PostLoginUrlInterceptor: To allow the system to redirect through an alternate URL after login.

UsernamePasswordAuthenticationProviderFilter: To allow runtime checking of whether each authentication provider in the chain should be run.

UsernamePasswordPreValidationCheck: For pre-validation checks to be run before any authentication provider's validation has been invoked.

UsernamePasswordPostValidationCheck: For post-validation checks to be run on the User that is returned from validation.

Page 15: Code your Own: Authentication Provider for Blackboard Learn

Built for Extension

AuthenticationManager: Search for users, redirect them back to the main page after successful login.

SessionManager: Grant the user a session once you've confirmed their identity.

AuthenticationProviderManager: Manage authentication provider instances. Useful if you need to save per-provider settings.

AuthenticationLogger: Record custom events in the authentication logs.

AuthenticationProvider: An administrator-created authentication instance.

Page 16: Code your Own: Authentication Provider for Blackboard Learn

Fully delegated provider

Page 17: Code your Own: Authentication Provider for Blackboard Learn

Delegated credential provider

• User submits password from the login screen

• See if a UsernamePasswordPreValidationCheck wants to stop the login

• Load sorted list of AuthenticationProviders

• For each provider:

  • Do any UsernamePasswordAuthenticationProviderFilter extensions want this provider to be skipped?

  • Call this provider's UsernamePasswordValidator

  • Validator can return Yes, No, or I Don't Know.

• If a provider accepted this login, see if any UsernamePasswordPostValidationCheck extensions want to stop the login

Page 18: Code your Own: Authentication Provider for Blackboard Learn

Working Example

Today we’re going to walk through building a filter which prevents dictionary password guessing by limiting login attempts.

Extension points we will make use of:

• UsernamePasswordPreValidationCheck

• UsernamePasswordPostValidationCheck

Page 19: Code your Own: Authentication Provider for Blackboard Learn

Working Example

Basic design:

• Intercept the login request before any password validation is performed.

• If the same username has been seen too many times recently, block the login.

• After a user has successfully logged in, reset the login counter so that they can log in and out multiple times.

Page 20: Code your Own: Authentication Provider for Blackboard Learn

Working Example

    package blackboard.sample.auth.filter;

    public interface LoginAttemptCounter {
        /**
         * Determines whether to block the login attempt for this username. Also
         * records the login attempt for future use.
         *
         * @return true if the request should be blocked, false if it may proceed
         */
        public boolean shouldBlock(String username);

        /**
         * Indicates that this user logged in successfully, and that any previous
         * records associated with them may be removed.
         */
        public void successfulLogin(String username);

        /**
         * Indicates what time the account will be unlocked.
         *
         * @return Time in millis, or 0 if account is not locked
         */
        public long lockedUntil(String username);

        // The Factory.getInstance() used by the checks on the following slides
        // belongs to the sample project but is not shown on this slide.
    }

Page 21: Code your Own: Authentication Provider for Blackboard Learn

Working Example

    package blackboard.sample.auth.filter;

    import java.util.Calendar;
    import java.util.Date;

    // Learn authentication API types used below. The slide omits these imports;
    // the package blackboard.platform.authentication is assumed (not shown on the slide).
    import blackboard.platform.authentication.AbstractUsernamePasswordPreValidationCheck;
    import blackboard.platform.authentication.AuthenticationEvent;
    import blackboard.platform.authentication.AuthenticationLogger;
    import blackboard.platform.authentication.EventType;
    import blackboard.platform.authentication.ValidationResult;
    import blackboard.platform.authentication.ValidationStatus;

    public class BeforeLogin extends AbstractUsernamePasswordPreValidationCheck {
        private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance();
        private final AuthenticationLogger logger = AuthenticationLogger.Factory.getInstance();

        @Override
        public ValidationResult preValidationChecks(String username, String password) {
            ValidationResult result = new ValidationResult(null);

            if (counter.shouldBlock(username)) {
                // Refuse the attempt before any provider ever sees the password
                result.setStatus(ValidationStatus.UserDenied);

                long now = Calendar.getInstance().getTimeInMillis();
                long lockedForMillis = counter.lockedUntil(username) - now;
                long lockedForSeconds = Math.round(lockedForMillis / 1000.0);
                result.setMessage(String.format("Account locked for %d seconds.", lockedForSeconds));

                // Leave an audit trail in the Learn authentication log
                AuthenticationEvent event = buildAuthFailedEvent(username);
                logger.logAuthenticationEvent(event);
            } else {
                result.setStatus(ValidationStatus.Continue);
            }

            return result;
        }

        private AuthenticationEvent buildAuthFailedEvent(String username) {
            return new AuthenticationEvent(EventType.Error, new Date(), username,
                    "Too many login attempts", null, null);
        }
    }

Page 22: Code your Own: Authentication Provider for Blackboard Learn

Working Example

    package blackboard.sample.auth.filter;

    // Learn API types used below; package names assumed (not shown on the slide)
    import blackboard.data.user.User;
    import blackboard.platform.authentication.AbstractUsernamePasswordPostValidationCheck;
    import blackboard.platform.authentication.ValidationResult;
    import blackboard.platform.authentication.ValidationStatus;

    public class AfterLogin extends AbstractUsernamePasswordPostValidationCheck {
        private final LoginAttemptCounter counter = LoginAttemptCounter.Factory.getInstance();

        @Override
        public ValidationResult postValidationChecks(User user) {
            // A successful login resets the counter so a legitimate user is not
            // locked out by their own repeated log in / log out cycles
            counter.successfulLogin(user.getUserName());

            ValidationResult result = new ValidationResult(null);
            result.setStatus(ValidationStatus.Continue);
            return result;
        }
    }
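The slides show the LoginAttemptCounter interface and the two checks that call it, but not the counter itself (the full sample lives behind the github link on the last slides). The class below is an added example, not the conference sample's code: an in-memory implementation that records every attempt a username makes, locks the username once it exceeds MAX_ATTEMPTS inside WINDOW_MILLIS, and clears the history on a successful login, as the basic design on slide 19 requires. The class name InMemoryLoginAttemptCounter, the thresholds (5 attempts in 5 minutes, 15-minute lockout) and the injectable clock are all constructed for the example; the interface is repeated verbatim so the file compiles on its own.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Interface from slide 20, repeated here so the example compiles stand-alone. */
interface LoginAttemptCounter {
    boolean shouldBlock(String username);
    void successfulLogin(String username);
    long lockedUntil(String username);
}

/**
 * Example implementation (not the conference sample project's own code).
 * More than MAX_ATTEMPTS attempts for one username inside WINDOW_MILLIS
 * locks that username for LOCKOUT_MILLIS. All thresholds are constructed values.
 */
public class InMemoryLoginAttemptCounter implements LoginAttemptCounter {
    static final int MAX_ATTEMPTS = 5;
    static final long WINDOW_MILLIS = 5 * 60 * 1000L;
    static final long LOCKOUT_MILLIS = 15 * 60 * 1000L;

    private static final class State {
        final Deque<Long> attempts = new ArrayDeque<>(); // attempt timestamps still inside the window
        long lockedUntil = 0;                              // 0 means not locked
    }

    private final Map<String, State> states = new ConcurrentHashMap<>();
    private final LongSupplier clock; // injectable so the demo below can fake time

    public InMemoryLoginAttemptCounter() { this(System::currentTimeMillis); }
    public InMemoryLoginAttemptCounter(LongSupplier clock) { this.clock = clock; }

    @Override
    public boolean shouldBlock(String username) {
        long now = clock.getAsLong();
        State s = states.computeIfAbsent(username, k -> new State());
        synchronized (s) {
            if (s.lockedUntil > now) {
                // Attempts during a lockout are refused but do NOT extend it; otherwise
                // anyone hammering the login form could keep a victim locked out indefinitely.
                return true;
            }
            s.lockedUntil = 0;
            // Drop attempts that have aged out of the sliding window
            while (!s.attempts.isEmpty() && s.attempts.peekFirst() <= now - WINDOW_MILLIS) {
                s.attempts.pollFirst();
            }
            s.attempts.addLast(now); // record this attempt, blocked or not
            if (s.attempts.size() > MAX_ATTEMPTS) {
                s.lockedUntil = now + LOCKOUT_MILLIS;
                s.attempts.clear();
                return true;
            }
            return false;
        }
    }

    @Override
    public void successfulLogin(String username) {
        states.remove(username); // a real login wipes the history, per the slide 19 design
    }

    @Override
    public long lockedUntil(String username) {
        State s = states.get(username);
        if (s == null) return 0;
        synchronized (s) {
            return s.lockedUntil > clock.getAsLong() ? s.lockedUntil : 0;
        }
    }

    /** Stand-alone demo with a fake clock: six guesses one second apart, then the lockout expiring. */
    public static void main(String[] args) {
        long[] fakeNow = {0L};
        InMemoryLoginAttemptCounter counter = new InMemoryLoginAttemptCounter(() -> fakeNow[0]);
        for (int i = 1; i <= 6; i++) {
            fakeNow[0] += 1000;
            System.out.printf("attempt %d blocked=%b%n", i, counter.shouldBlock("jdoe"));
        }
        System.out.println("locked until (millis) " + counter.lockedUntil("jdoe"));
        fakeNow[0] += LOCKOUT_MILLIS;
        System.out.println("after lockout blocked=" + counter.shouldBlock("jdoe"));
        counter.successfulLogin("jdoe");
        System.out.println("after success locked until " + counter.lockedUntil("jdoe"));
    }
}
```

Two design points worth noticing. First, because the pre-validation check runs before any provider sees the password, the sixth attempt is refused even if its password is correct; the per-username lockout therefore trades a short denial of service against the named account for resistance to guessing, which is why attempts made during a lockout must not extend it. Second, the map lives in one JVM's memory: on a multi-node Learn deployment, or to cap memory when many distinct usernames are tried, the state would need a shared backing store and an eviction policy.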

Page 23: Code your Own: Authentication Provider for Blackboard Learn

Working Example

    <plugin>
      <name value="Sample authentication filter" />
      <handle value="sample-auth-filter" />
      <description value="Sample authentication filter demonstrating throttling of login attempts" />
      <webapp-type value="javaext" />

      <version value="1.0.0" />
      <requires>
        <bbversion value="9.1.80257.0" />
      </requires>

      <vendor>
        <id value="bb" />
        <name value="Blackboard Inc." />
        <url value="http://www.blackboard.com" />
        <description value="Blackboard Learn" />
      </vendor>

      <extension-defs>
        <definition namespace="blackboard.sample.auth.filter">
          <extension id="beforeLogin"
                     point="blackboard.platform.authUserPassPreValidation"
                     class="blackboard.sample.auth.filter.BeforeLogin"
                     singleton="true" />
          <extension id="afterLogin"
                     point="blackboard.platform.authUserPassPostValidation"
                     class="blackboard.sample.auth.filter.AfterLogin"
                     singleton="true" />
        </definition>
      </extension-defs>

      <permissions>
        <permission type="attribute" name="user.authinfo" actions="get" />
      </permissions>
    </plugin>

Page 24: Code your Own: Authentication Provider for Blackboard Learn

Working Example

Page 25: Code your Own: Authentication Provider for Blackboard Learn

Working Example

Page 26: Code your Own: Authentication Provider for Blackboard Learn

Sample code

LDAP delegated credential provider: http://tinyurl.com/BbLearnLDAP (requires a Behind the Blackboard credential)

Login rate limiter (github): http://tinyurl.com/BbSampleAuthFilter

Page 27: Code your Own: Authentication Provider for Blackboard Learn

Resources

Blackboard Learn Help Center http://help.blackboard.com

Shibboleth http://shibboleth.net/

CAS http://www.jasig.org/cas

This presentation will be available via http://edugarage.com at some point after the conference ends.

[email protected]@blackboard.com