Changes between Version 9 and Version 10 of BBCShibIntegration


Ignore:
Timestamp:
05/30/13 14:41:51 (12 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • BBCShibIntegration

    v9 v10  
    22University of Alaska Identity & Access Management November 2012 
    33University of Alaska has implemented central authentication and "single sign-on" (SSO) using [[https://shibboleth.net/ https://iam.alaska.edu|Shibboleth]]. The following is a brief description of the steps taken by UA to have services from [[http://www.blackboard.com/Platforms/Connect/Products/Blackboard-Connect.aspx|Blackboard Connect]] rely on our central authentication to log in users. This description does not attempt to be a general guide to either Shibboleth or Blackboard Connect. It is focused merely on the specific steps to integrate vendor-hosted Blackboard Connect services with a working campus-based Shibboleth Identity Provider (IdP). ''These steps are a little different than a prototypical integration because''[[BR]] 
    4 (1) Blackboard CONNECT entity id's depend on an X509 certificate the customer uploads to the hosted service, [[BR]] 
    5 (2) Blackboard CONNECT does not as of this writing participate in the [[http://www.incommon.org|InCommon federation]], requiring manual addition of metadata and certificates, and most important [[BR]] 
    6 (3) Blackboard CONNECT uses "unsolicited" or "IdP-initiated" SSO, which entails a work flow that differs from the norm. 
    7  
    8 === Step 1: (1) Determine the entity id for BBC service(s) === 
     4 (1) Blackboard CONNECT entity id's depend on an X509 certificate the customer uploads to the hosted service, [[BR]] 
     5 (2) Blackboard CONNECT does not as of this writing participate in the [[http://www.incommon.org|InCommon federation]], requiring manual addition of metadata and certificates, and most important [[BR]] 
     6 (3) Blackboard CONNECT uses "unsolicited" or "IdP-initiated" SSO, which entails a work flow that differs from the norm. 
     7 
     8Below are set-up details for these three steps. 
     9 
     10=== Step 1:  Determine the entity id for BBC service(s) === 
    911The Blackboard Connect administrative interface provides a setting to configure the service for Single Sign-On (SSO). You will of course need to have been provided administrative-level access and credentials by Blackboard Connect. You will also need to upload your IdP certificate. You need to do this step first because later steps will need the custom entity id generated in this process.[[BR]] 
    1012 
     
    3335The entity id for your production instance of Connect (at UA we call this the "Sender Portal" available only to those who can trigger alerts) will have a format like https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8 
    3436 
    35 === (2) Configure your IdP for BBC service(s). === 
     37=== Step 2: Configure your IdP for BBC service(s). === 
    3638The Shibboleth IdP relies on several xml files for knowing whether and how to communicate with services to assert authentication and attributes for authenticated users. Metadata for service providers (SPs) in the !InCommon federation can be consumed automatically, but BBC services are not in !InCommon, so you must add metadata specifically for BBC. In addition, you will likely have to generate specific attributes for BBC (in attribute-resolver.xml) and set an appropriate release policy to send those attributes to BBC (in attribute-filter.xml). 
    3739 
     
    172174</AttributeFilterPolicy> 
    173175}}} 
    174 === (3) Configure unsolicited SSO for BBC === 
     176=== Step 3: Configure unsolicited SSO for BBC === 
    175177 
    176178BBC uses "unsolicited" or "IdP initiated" SSO. That means that, rather than the normal workflow of responding to a request from the SP that redirects the user's browser to the IdP for authentication and attributes, BBC requires us to send a SAML assertion with user authentication and required attributes without BBC having initiated that request. This is accomplished in the Shibboleth IdP by setting up a URL that invokes a profile (or "end point") specifically for unsolicited SSO ("idp/profile.SAML2/Unsolicited/SSO") and includes the (encoded) relying party entity id above. While it is possible to enter that link directly into a browser address bar, you will want to embed that long URL behind a button or text link on a web page you own. When the user clicks on the link, that initiates the request to your IdP to contact the BBC service. Additional information on