The Authentication Service (or Auth) is an OAuth 2.0 security token microservice. Its primary responsibility is to issue security tokens to authorized clients (software applications, including free-range apps) to enable them to interact with D2L microservices.
By design, the Authentication Service, on which Brightspace Pulse is dependent, does not support self-signed, expired, or invalid certificates. Organizations using any of these will not be able to use Brightspace Pulse.
The Authentication Service itself is enabled by default, so Brightspace features or products that depend on it, such as Brightspace Pulse, can be accessed. Currently, all features or products that depend on the Authentication Service are turned off by default. If those features or products are enabled, data can flow into them.
Location
A globally accessible D2L microservice that resides in AWS.
Dependencies
Depends on the Landlord Service. Before using the Authentication Service, on-premise clients must register their org with the Landlord Service.
Depended on by multiple microservices, Brightspace Pulse, and Brightspace Insights.
Data Stored
The Authentication Service stores the URLs of authorized clients (software applications, including free-range apps) and provisions access tokens for these clients for the service-to-service authentication used by Brightspace products. It stores the userId as part of the context for user authentication, for example when authenticating a user of the data API for the Brightspace Data Platform.
Using a proxy server with the Authentication Service for on-premise clients
The Authentication Service supports proxy servers. This allows on-premise clients that use proxy servers to take advantage of Brightspace products that depend on the Authentication Service, such as Brightspace Pulse.
For on-premise clients using a proxy server, allow outbound traffic from Brightspace Learning Environment to https://auth.brightspace.com.
Important: You must specify the host name (not the IP address) and port 443.
How the Service Works
The Authentication Service facilitates service-level and user-level authentication and authorization. The following example summarizes user-level authentication and authorization.
1. A learner navigates to a tool that depends on the Authentication Service.
2. The Learning Management System (LMS) contacts the Authentication Service, provisions an Auth token (JSON Web Token) for the learner, and provides the Auth token to the tool/application.
3. While using the tool, JavaScript running in the learner's browser can call secured D2L microservices directly, providing the Auth token during each request.
4. Microservices extract and authenticate the Auth token, then ensure that the caller is authorized to perform the requested operation before proceeding.
In this way, the learner’s browser is less tightly coupled to the LMS, which improves performance and robustness, and facilitates the development of new Brightspace features.
Brightspace Assignment Grader Transcoding Service
Description
The Brightspace Assignment Grader Transcoding Service converts documents from a given format into a format that can be read by Brightspace Assignment Grader. Brightspace Assignment Grader requires this functionality to support annotating files submitted by learners for grading.
Location
One global instance in Microsoft Azure West US.
Dependencies
Depends on EduDentity Authentication Service.
Depended on by Brightspace Assignment Grader.
Data Transmitted/Stored
Data is cached for five days, after which it is automatically deleted. There is no long-term storage.
A programmatic identifier for the user such as User ID = 123.
The converted file and the identified file type.
How the Service Works
1. Brightspace Assignment Grader submits a file to the service.
2. The service converts the file and returns a link.
3. The file and associated data are deleted five days after the request is made.
Brightspace Binder Data Store
Description
The Brightspace Binder Data Store contains Binder documents on behalf of a user. It is not a microservice, but is a centralized repository that is used by Brightspace Binder.
Location
One global instance in Microsoft Azure South Central US and West US.
Dependencies
Depended on by Brightspace Binder.
Data Transmitted/Stored
A programmatic identifier for the user such as User ID = 123.
Files related to the user, including tags, annotations, and metadata.
How the Service Works
1. Brightspace Binder submits documents for storage in the Brightspace Binder Data Store.
2. At a later point in time, Brightspace Binder requests a document on behalf of a user.
3. An authentication check happens for the user.
4. The requested document is retrieved.
Caliper Gateway Service
Description
The Caliper Gateway Service allows 3rd-party tools implementing the Caliper Analytics™ 1.0 Standard to send events to the Brightspace Data Platform for storage and aggregation.
Location
One global instance in AWS.
Dependencies
Depends on the Authentication Service.
Depended on by the Brightspace Data Platform.
Data Transmitted/Stored
The Caliper Gateway Service does not store any client data. The service transmits data in the form of events from a 3rd-party tool to the Brightspace Data Platform. The Caliper Gateway Service uses the HTTPS networking protocol, so all events are encrypted in transit. The events that are transmitted contain programmatic identifiers for the user, the context of the event, and the type of the event. For example:
A programmatic identifier for the user such as User ID = 123.
A programmatic identifier for courses such as Course ID = 987.
Events such as logins, tool access, and content visits are identified by the programmatic identifier for the user.
How the Service Works
1. A learner performs an action in a 3rd-party tool, which triggers events.
2. The 3rd-party tool sends events to the Caliper Gateway Service.
3. The Caliper Gateway Service sends events to the Brightspace Data Platform.
Figure: How the Caliper Gateway sends events to the Brightspace Data Platform