Changes between Version 7 and Version 8 of BBCShibIntegration


Timestamp: 05/30/13 14:36:31
Author: dabantz@…
(2.1) Add descriptors and certificates for BBC services into the metadata used by your IdP. Your IdP will be configured to consume metadata from one or more files. Add to one of these files an EntityDescriptor element for each of the BBC services to be integrated, carrying the entityID from step 1 and a certificate (the order in which EntityDescriptors are listed or read is immaterial). As of this writing, the certificate itself is not actually used, so any certificate will do! (This follows from the rest of the setup: the profile in step 2.2 turns off assertion and NameID encryption, and in the unsolicited flow of step 3 the SP never sends a request whose signature would need checking.) Even though not actively used, a certificate must be present. The entityID must exactly match the entityID from step 1.[[BR]]

''example (a more complete example is in the appendix)'':
{{{
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIC3zCCAcegAwIBAgIJAJ21e7iR+TNiMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
H9uAnnFzNljGLT/EFIy2zDT/lCYetRT5kEthGjc1j4/9XfB85o75isrYcDAMdxrz
...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
}}}
(2.2) Add "profile" data for BBC service(s) into the relying-party.xml configuration file. The RelyingParty id is again the entityID from step 1; the IdP matches it against the entityID the request names. [[BR]]
''example fragment of relying-party.xml to support BBC services'':
{{{
<!-- BlackBoard Connect Staging -->
    <RelyingParty id="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
          provider="urn:mace:incommon:alaska.edu"
          defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
          defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            encryptAssertions="never" encryptNameIds="never" />
    </RelyingParty>
  <!-- BlackBoard Connect Sender Portal -->
    <RelyingParty id="https://sso.blackboardconnect.com/SAML/Connect/6F0CEAB5A3704F84A767DFA3CC6CEBF7"
          provider="urn:mace:incommon:alaska.edu"
          defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
          defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            encryptAssertions="never" encryptNameIds="never" />
    </RelyingParty>
  <!-- BlackBoard Connect Recipient Portal -->
    <RelyingParty id="https://sso.blackboardconnect.com/SAML/Portal/7B9070E4D2DE4195A8B530EE72266AB0"
          provider="urn:mace:incommon:alaska.edu"
          defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
          defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            encryptAssertions="never" encryptNameIds="never" />
    </RelyingParty>
}}}
(2.3) Define and encode the attributes needed by BBC in the attribute-resolver.xml configuration file. You will need to understand what attributes are required for your customized implementation of BBC service(s) and how to obtain that data from the data sources available to your IdP. Our implementation specified, for each user: first name, last name, unique "!RefCode," and a logout URL. The example below assumes the name and unique identifier are available in an Active Directory and that the IdP and Active Directory have been configured to enable the IdP to retrieve that data from AD. The logout URL is the same for all users; it relies on a static data connector.
BBC required that these attributes be passed with particular attribute names in the SAML assertion (different from the names commonly used in our directories), so this fragment also associates those specific attribute names.


''example fragments of attribute-resolver.xml to support BBC'':
{{{
<!-- RefCode is the Banner ID# released with attribute name required by Blackboard Connect -->
<!-- Sourced from UA Domain AD attribute uaIdentifier -->
     <resolver:AttributeDefinition id="ContactRefCode" xsi:type="Simple"
         xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uaIdentifier">
     <resolver:Dependency ref="uaADLDAP" />
     <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
         name="urn:mace:alaska.edu:attributes:ContactRefCode" friendlyName="ContactRefCode"/>
     </resolver:AttributeDefinition>
<!-- DATA CONNECTOR STATIC LogoutURL for BBC -->
  <resolver:DataConnector id="staticValueAttributes" xsi:type="Static"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc">
        <Attribute id="LogoutURL">
           <Value>https://www.alaska.edu/uaalerts/</Value>
        </Attribute>
  </resolver:DataConnector>
<!-- ATTRIBUTE DEF LogoutURL uses staticValueAttributes data connector -->
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="LogoutURL">
       <resolver:Dependency ref="staticValueAttributes" />
       <resolver:AttributeEncoder xsi:type="enc:SAML2String" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
           name="https://iam.alaska.edu/trac/wiki/IamUaArp" friendlyName="LogoutURL" />
  </resolver:AttributeDefinition>
<!-- BBC-named attributes: FirstName is givenName ; LastName is sn -->
     <resolver:AttributeDefinition id="FirstName" xsi:type="Simple"
         xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="givenName">
     <resolver:Dependency ref="uaADLDAP" />
     <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
         name="urn:oid:2.5.4.42" friendlyName="FirstName"/>
     </resolver:AttributeDefinition>
     <resolver:AttributeDefinition id="LastName" xsi:type="Simple"
         xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="sn">
     <resolver:Dependency ref="uaADLDAP" />
     <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
         name="urn:oid:2.5.4.4" friendlyName="LastName"/>
     </resolver:AttributeDefinition>
}}}

(2.4) Configure policies to release the appropriate attributes to BBC service(s). In the attribute-filter.xml configuration file, configure which of the named attributes are released to the entityIDs of the BBC service(s).


''example attribute release policy for BBC'':
{{{
<AttributeFilterPolicy id="releaseToBBConnect">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25" />
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8" />
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="FirstName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="LastName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="ContactRefCode">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="LogoutURL">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
}}}
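Steps 2.1, 2.2 and 2.4 each name a BBC service by its entityID (EntityDescriptor entityID in the metadata, RelyingParty id in relying-party.xml, the AttributeRequesterString value in attribute-filter.xml), and every attributeID the filter in 2.4 releases must be defined in the attribute-resolver.xml of 2.3. A mismatch in any of these silently produces "unknown relying party" or missing-attribute failures, so it is worth checking mechanically. The script below is an added example, not part of this wiki page or of the Shibboleth distribution. It parses the four files by element local name (so prefixed and default-namespace files both work) and reports every entityID or attribute that one file references but another lacks. The inputs are constructed inline samples modeled on the fragments above and deliberately carry one mismatch of each kind: the Sender Portal entityID differs between relying-party.xml and attribute-filter.xml, as it does between the fragments on this page, and LogoutURL is released but never defined.

```python
"""Consistency check for the Shibboleth IdP 2.x fragments in steps 2.1 to 2.4.

Added example, not part of the wiki page or of the Shibboleth distribution.
Each file names a BBC service by its entityID: EntityDescriptor/@entityID in
the metadata, RelyingParty/@id in relying-party.xml and the value of an
AttributeRequesterString rule in attribute-filter.xml. All three must be the
same string, and every attributeID released by the filter must be defined in
attribute-resolver.xml.
"""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _collect(xml_text, attr, element=None, xsi_type=None):
    """Set of `attr` values on every element named `element` (any name if None).

    Optionally restrict to elements whose xsi:type ends with `xsi_type`, e.g.
    'AttributeRequesterString' matches 'basic:AttributeRequesterString'.
    Matching by local name works for <rp:RelyingParty> and <RelyingParty> alike.
    """
    values = set()
    for el in ET.fromstring(xml_text).iter():
        if element and _local(el.tag) != element:
            continue
        if xsi_type and not el.get(XSI_TYPE, "").endswith(xsi_type):
            continue
        if attr in el.attrib:
            values.add(el.attrib[attr])
    return values


def check_entity_ids(metadata, relying_party, attribute_filter):
    """Map file name -> entityIDs that appear in some other file but not in this one."""
    found = {
        "metadata": _collect(metadata, "entityID", element="EntityDescriptor"),
        "relying-party.xml": _collect(relying_party, "id", element="RelyingParty"),
        "attribute-filter.xml": _collect(attribute_filter, "value", xsi_type="AttributeRequesterString"),
    }
    every_id = set().union(*found.values())
    return {name: every_id - ids for name, ids in found.items() if every_id - ids}


def check_attributes(resolver, attribute_filter):
    """attributeIDs the filter releases that attribute-resolver.xml never defines."""
    defined = _collect(resolver, "id", element="AttributeDefinition")
    released = _collect(attribute_filter, "attributeID", element="AttributeRule")
    return released - defined


# Constructed sample inputs modeled on the fragments above. SENDER_RP and
# SENDER_AFP are the two different Sender Portal ids those fragments use.
STAGING = "https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
SENDER_RP = "https://sso.blackboardconnect.com/SAML/Connect/6F0CEAB5A3704F84A767DFA3CC6CEBF7"
SENDER_AFP = "https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8"

METADATA = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="{STAGING}"/>
  <md:EntityDescriptor entityID="{SENDER_RP}"/>
</md:EntitiesDescriptor>"""

RELYING_PARTY = f"""<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party">
  <RelyingParty id="{STAGING}" provider="urn:mace:incommon:alaska.edu"/>
  <RelyingParty id="{SENDER_RP}" provider="urn:mace:incommon:alaska.edu"/>
</RelyingPartyGroup>"""

# LogoutURL is deliberately left out so the attribute check has something to report.
RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
  <resolver:AttributeDefinition id="ContactRefCode"/>
  <resolver:AttributeDefinition id="FirstName"/>
  <resolver:AttributeDefinition id="LastName"/>
</resolver:AttributeResolver>"""

FILTER = f"""<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToBBConnect">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="{STAGING}"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="{SENDER_AFP}"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="FirstName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="LogoutURL"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

if __name__ == "__main__":
    for fname, missing in check_entity_ids(METADATA, RELYING_PARTY, FILTER).items():
        for eid in sorted(missing):
            print(f"{fname}: no entry for {eid}")
    for attr in sorted(check_attributes(RESOLVER, FILTER)):
        print(f"attribute-filter.xml releases {attr} but attribute-resolver.xml does not define it")
```

To run it against a real IdP, replace the four inline strings with the contents of the corresponding files; the checks only look at element names and attributes, so the surrounding schema declarations in the real files do not matter.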
=== (3) Configure unsolicited SSO for BBC ===

BBC uses "unsolicited" or "IdP initiated" SSO. That means that, rather than the normal workflow of responding to a request from the SP that redirects the user's browser to the IdP for authentication and attributes, BBC requires us to send a SAML assertion with user authentication and required attributes without BBC having initiated that request. This is accomplished in the Shibboleth IdP by setting up a URL that invokes a profile (or "end point") specifically for unsolicited SSO ("idp/profile/SAML2/Unsolicited/SSO") and includes the (encoded) relying party entityID from above. While it is possible to enter that link directly into a browser address bar, you will want to embed that long URL behind a button or text link on a web page you own. When the user clicks on the link, that initiates the request to your IdP to contact the BBC service. Additional information on unsolicited SSO with Shibboleth is on the Shibboleth wiki page IdPUnsolicitedSSO.


(3.1) Your IdP must be able to accept unsolicited requests at a specific end point at the IdP. If your IdP configuration files were installed from Shibboleth 2.3.0 or later, the profile should already be there, but it's worth checking the configuration files and adding the following if not already present:
The unsolicited or IdP-initiated profile handler should be in handler.xml:
{{{
<ProfileHandler xsi:type="SAML2SSO"
    inboundBinding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
    outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
  <RequestPath>/SAML2/Unsolicited/SSO</RequestPath>
</ProfileHandler>
}}}
Also needed is the message decoder in internal.xml:
{{{
<entry>
  <key>
    <value>urn:mace:shibboleth:2.0:profiles:AuthnRequest</value>
  </key>
  <bean id="shibboleth.UnsolicitedSSODecoder"
        class="edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder">
    <constructor-arg ref="shibboleth.IdGenerator"/>
  </bean>
</entry>
}}}
(3.2) Determine the URL that triggers the IdP-initiated SSO session with BBC. Recall that we have to construct the request to the IdP ourselves rather than have the SP redirect the user's browser. That's done with a link to your IdP that references the Unsolicited SSO profile and includes the BBC entityID to which the user's browser will be redirected upon successful authentication by the IdP. Of course you will substitute your own IdP's location for idp.alaska.edu and the entityIDs for BBC from step 1 (suitably percent-encoded, as in the examples here, so that the whole entityID survives as the providerId query parameter).
''examples of URLs for SSO to BBC using the entityIDs from step 1'':

Staging service:
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9
}}}
Recipient Portal:
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FPortal%2FE0D069C2563D4D63A14CBB95D6845C25
}}}
Sender Portal:
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FConnect%2F9F95200F70EB4E8F844320653CCD97A8
}}}
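Hand-encoding these links is error-prone: a stray space or line break pasted into the providerId, or a typo in the profile path, leaves the IdP unable to match the request to any RelyingParty. The Python below is an added example, not from this page or the Shibboleth project. It builds the link from an IdP base URL and an entityID with urllib's quote(), which percent-encodes every ":" and "/" exactly as the URLs above do, and it decodes a link back to check that its providerId is byte-for-byte one of the ids configured in relying-party.xml. idp.alaska.edu and the three entityIDs are the values used on this page.

```python
"""Build and verify the unsolicited (IdP-initiated) SSO links from step 3.2.

Added example, not part of the wiki page or the Shibboleth distribution. The
BBC entityID travels in the providerId query parameter; quote() with safe=''
percent-encodes ':' and '/' so the whole entityID survives as one parameter.
"""
from urllib.parse import parse_qs, quote, urlsplit

UNSOLICITED_PATH = "/idp/profile/SAML2/Unsolicited/SSO"


def unsolicited_sso_url(idp_base, entity_id):
    """IdP-initiated SSO link for entity_id at idp_base (e.g. 'https://idp.alaska.edu')."""
    return f"{idp_base.rstrip('/')}{UNSOLICITED_PATH}?providerId={quote(entity_id, safe='')}"


def provider_id_from_url(url):
    """Decode providerId from a link, or None if the path or parameter is wrong."""
    parts = urlsplit(url)
    if parts.path != UNSOLICITED_PATH:
        return None
    values = parse_qs(parts.query).get("providerId", [])
    return values[0] if len(values) == 1 else None


def link_is_configured(url, relying_party_ids):
    """True only if the decoded providerId is exactly one of the configured ids.

    A stray space pasted into the link or a typo in the profile path makes
    this False; passing only the production ids also catches a staging
    entityID left on a production link.
    """
    return provider_id_from_url(url) in relying_party_ids


# entityIDs from step 1 as used in the links above (copied from this page).
BBC_ENTITY_IDS = {
    "Staging service": "https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9",
    "Recipient Portal": "https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25",
    "Sender Portal": "https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8",
}

if __name__ == "__main__":
    configured = set(BBC_ENTITY_IDS.values())
    for label, entity_id in BBC_ENTITY_IDS.items():
        url = unsolicited_sso_url("https://idp.alaska.edu", entity_id)
        print(f"{label}: {url}")
        print("  round-trips to a configured RelyingParty:", link_is_configured(url, configured))
```

Before publishing a link on your web page, run the link you intend to publish through link_is_configured() against the RelyingParty ids from step 2.2; the same check run on an HTML page's href attributes catches links that were mangled by a content editor.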

(3.3) You can test the integration by pasting those URLs directly into a browser, but you will want to have users click on a link on a web site you manage. That's your last task: set up a web page with a description of the service and a button or text link behind which is one of the URLs for unsolicited SSO to BBC from (3.2).