Different Approaches to Single-Sign-On

advertisement
Different Approaches
to Single-Sign-On
Jeff Kahn, Verbena Consulting
Topics We Will Cover
• Problem Domain
• Uninteresting Cases
• Simple Cases
– Username and Password
– Provisioning a License Key
• More Complicated Cases
– Desktop Application Push
– Account Mapping
– Standards-Based Approach (IMS Basic LTI)
Problem Domain
• Communication between Blackboard and some
other system
• “Other” system requires a login
• User logs in at most once (via user interface)
Uninteresting
Uninteresting Case
• URL in Blackboard to a site without login, e.g.
weather.com
Uninteresting Case
Push Content to Blackboard
Simple Challenge to Login to Blackboard
Simple
Simple Cases
• Building Block holds credentials such as
username / password
– Managed through Properties / Settings pages
• Ways to Send Credentials
–
–
–
–
–
In the clear
Basic Authentication (not so secure)
Digest access authentication (more secure)
Set a Cookie
Encryption
Provisioning
(redirect)
•
•
•
•
Skip case of process outside Blackboard
Request a key by redirecting to a sign-up site
Useful with an approval workflow
Note change in “look and feel”
– Loss of Blackboard look
– Reinforce other system’s brand
Properties / Settings Pages
Requested by E-mail
• Notification of events
– Request key, enter key, etc.
– Support business purposes such as “credit” for a
sign-up.
• Issues
– Sending mail from Blackboard may not be enabled
– E-mail should not be sent to a specific person
Identifying Instances Uniquely
• Dynamically provisioned once
– Submit a customer ID, get a web services key in
response.
– Systems are now “paired”.
• Distribute shared secret.
Portal Info Classes
import blackboard.portal.data.ExtraInfo;
import blackboard.portal.data.PortalExtraInfo;
import blackboard.portal.servlet.PortalUtil;
PortalExtraInfo pei = PortalUtil.loadPortalExtraInfo(null,
null, ”myConfig");
ExtraInfo ei = pei.getExtraInfo();
ei.setValue(”foo", “some value”);
myVar = ei.getValue(”foo");
PortalUtil.savePortalExtraInfo(pei);
More Complex
Access as Specific bbUser
Desktop Application to Blackboard
• Publishing content to Blackboard
– Unknown Bb access method in place
• Step 1: User Accesses Building Block
– Requires login
– Creates access token mapped to bbUsername
– Copy token and paste into application
SoftChalk Key Creation
Step 2: NOSESSION holds REST handler
Step 3: Application passes access token
with each request
Recap
• User logs in somehow
• We generate a token and associate it with their
bbUsername.
• Application stores this token.
• Application passes this token to JSP in the
“NOSESSION” folder
– a folder containing files without Bb page tags that
can be accessed without an access challenge.
• JSP maps token back to bbUsername.
• We now have a logged in user.
Map to External Account
Account Mapping
• Associate Bb user with same user in other
system
• Optimistic Mapping (never a UI challenge)
• Declared Mapping (user facilitated mapping)
Optimistic Account Mapping
• Both accounts exist
– Accounts can be mapped with Bb user data (email)
• Fetch email out of Bb use for login
• Wrinkles
– Email not in place
– Email address not the same
• multiple accounts, different address purpose
• Variant: Provision accounts in the other system
from bbUsernames or e-mails.
Create or Map
Map
Create
Declared Mapping
• First Time
– Try using Bb data
– Offer an option to substitute
• Allow for account creation
– Redirect to site or sign-up form in B2
– Store what worked
• configuration file
• UserRegistry classes
• Next Time
– Fetch what was stored the first time
– Allow for a change it what will work
• Depends on Remote System API
UserRegistry Classes
import blackboard.data.registry.*;
import blackboard.persist.registry.*;
UserRegistryEntry ure =
UserRegistryEntryDbLoader.Default.getInstance().
loadByKeyAndUserId(”fooKey", userId);
String fooKey = ure.getValue();
Standards-Based
Launch Data
IMS Basic Learning Tools Interoperability
• http://www.imsglobal.org
• Required and optional parameters:
– User ID, Role, Name, Email
– Resource and Context ID
– Custom
• Key and secret (OAuth)
• Alliance
• Allure of single development effort
– wrapped inside building block
Issues
• No data returned ( there is “Outcomes”)
• Subtle LMS-specific integration
– e.g. name and description with link
– Single or multiple
– LMS not required
• User part of key to identify
• Documentation and Support
– Admin and Instructor Controls
– How to add a BLTI Link
• BLTI Links part of Common Cartridge v1.1
Barnes & Noble NOOK Study
• Textbook list and links no longer stored in
Blackboard
– Move from license key to key and secret.
– Textbook and link list no longer stored in
Blackboard
• Converted Building Block to BLTI Tool Provider
Distribute a Shared Encryption Secret
• Website to request key and secret.
• Back-end generates pair and emails to provider,
end-user, or both.
• User enters key and secret.
Barnes & Noble NOOK Study
• Same code supports
– Angel, D2L, Jenzabar, Moodle, Sakai, WebCT
• Blackboard supports BLTI in SP4
– Also supports BLTI links in Common Cartridges
Q&A
Jeff Kahn
jeffkahn@verbenaconsulting.com
www.verbenaconsulting.com
Please provide feedback for this session by emailing
DevConFeedback@blackboard.com.
The title of this session is:
Different Approaches to Single-Sign-On from Blackboard
to Other Systems
Download