Most organizations have an application firewall to control what websites are accessible to students. Sometimes this affects the access to certain resources in Learning Explorer. As a result, we implemented an approach to whitelist our resources by appending a special parameter to all of our resource URLs.
District or Organization IT Administrators, use this guide to set up Learning Explorer whitelisting.
How it Works
Displaying Resources
For district licenses, all references to third-party resource URLs are now appended with a special parameter: le_resource_origin=<token>
Examples:
https://ed.ted.com/lessons/what-is-dust-made-of-michael-marder?le_resource_origin=el53s274
https://coreknowledge.org/wp-content/uploads/2017/01/CKLA_G3_U1_TG_web.pdf?le_resource_origin=el53s274
Token Generation
District licenses are assigned a unique <token> that is generated and stored when a district license is created.
In the examples above, you can see the special parameter appended to the resource URLs, each containing the unique token, el53s274.
Using unique tokens for each district license allows us to, upon request, regenerate the token for one district without requiring all other districts to update their firewall rules.
*Learning Explorer admins are able to regenerate the token upon request. Please contact [email protected] if you would like us to regenerate your district license token.
Finding your Unique <token>
In order to access your token, you must have a designated Admin role in Learning Explorer.
While signed into Learning Explorer, hover over your name and select Admin Manager from the dropdown menu.*
Select Access from the Admin Manager ribbon.
This is the Content Access Manager (CAM). You can access your unique token by clicking on the link in the footer of the CAM that reads:
“Having trouble with resources being blocked by your firewall? Learn more.”
Clicking on this link opens the following modal:
On this modal, the unique district token is displayed within the URL parameters, making this information available to all users with access to the Content Access Manager.
le_resource_origin=el53s274
Instructions for Firewall Administrators
Use the domain and URL parameters to configure the whitelist settings in your firewall system.
1. Requirements for whitelisting any blocked domains (ex: youtube.com)
Option 1: If your firewall supports whitelisting by URL parameters explicitly
Whitelist pages from youtube.com when a URL parameter of origin is provided with a value of le_resource_origin=el53s274
Option 2: If your firewall supports whitelisting by specified text in the URL
Whitelist pages from blocked domains when the URL contains le_resource_origin=el53s274
*Note: the token for this parameter is unique to this example. Be sure to use your unique token when configuring these whitelisting settings.
2. Requirements for whitelisting BoClips resources
Use the domain and URL parameters to configure the whitelist settings for BoClips resources in your firewall system (see the section on Limitations below).
Option 1: If your firewall supports whitelisting by URL parameters explicitly
Whitelist pages from cdnapisec.kaltura.com and cfvod.kaltura.com when a URL parameter of origin is provided with a value of origin=https%3A%2F%2Fwww.lessonplanet.com
Option 2: If your firewall supports whitelisting by specified text in the URL
Whitelist pages from cdnapisec.kaltura.com and cfvod.kaltura.com when the URL contains origin=https%3A%2F%2Fwww.lessonplanet.com
Limitations
While this solution works in most situations some websites may sanitize the URL, which may remove unrecognized parameters. Our approach will not work for these sites, however, these are uncommon situations. Below are the currently identified domains that are incompatible with the Learning Explorer token parameters:
Web Archive (archive.org) - Currently, we already append a parameter to URLs from this domain to remove the toolbar that normally appears on Web Archive pages. This prevents us from adding the additional LE token parameter.
Boclips (kaltura.com) - We can add the firewall token parameter to the initial call that is made for a Boclips video using the Boclips Video Player, however, we cannot control/add parameters to the requests that are made by the Boclips Video Player itself. The Boclips Video Player makes a lot of calls to Kaltura to retrieve the video or other information, so if some of the Kaltura domains are blocked then the users won’t be able to play the video.
To address this issue, we recommend districts whitelist the domains cdnapisec.kaltura.com and cfvod.kaltura.com (see Resource Access modal above).
Boclips (youtube.com) - There is no way to add the firewall token parameter to the YouTube player created by the Boclips Video Player, however, the implemented solution for youtube.com does work in these situations. Districts will need to add the URL parameter origin=https%3A%2F%2Fwww.lessonplanet.com to their firewall settings (see Resource Access modal above).
Another consideration is that this technique relies on so-called “security-by-obscurity.” An astute student could observe this behavior and use it to circumvent firewall restrictions. Districts will always have the choice of whether to take advantage of this capability and may choose to allow it only for certain sites or not implement it at all.