(2.1) Add descriptors and certificates for the BBC services into the metadata used by your IdP. Your IdP will be configured to consume metadata from one or more files. Add an EntityDescriptor element to one of these files for each BBC service to be integrated, including the entityID from step 1 and a certificate (the order in which EntityDescriptors are listed or read is immaterial). As of this writing, the certificate itself is not actually used, so any certificate will do! Even though it is not actively used, a certificate must be present. The entityID must exactly match the entityID from step 1.[[BR]]

''example (a more complete example is in the appendix)'':
{{{
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIC3zCCAcegAwIBAgIJAJ21e7iR+TNiMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
H9uAnnFzNljGLT/EFIy2zDT/lCYetRT5kEthGjc1j4/9XfB85o75isrYcDAMdxrz
...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
}}}
(2.2) Add "profile" data for the BBC service(s) to the relying-party.xml configuration file. [[BR]]
''example fragment of relying-party.xml to support BBC services'':
{{{
<!-- BlackBoard Connect Staging -->
<RelyingParty id="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
    provider="urn:mace:incommon:alaska.edu"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<!-- BlackBoard Connect Sender Portal -->
<RelyingParty id="https://sso.blackboardconnect.com/SAML/Connect/6F0CEAB5A3704F84A767DFA3CC6CEBF7"
    provider="urn:mace:incommon:alaska.edu"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<!-- BlackBoard Connect Recipient Portal -->
<RelyingParty id="https://sso.blackboardconnect.com/SAML/Portal/7B9070E4D2DE4195A8B530EE72266AB0"
    provider="urn:mace:incommon:alaska.edu"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    defaultSigningCredentialRef="IdPCredential">
  <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
}}}
(2.3) Define and encode the attributes needed by BBC in the attribute-resolver.xml configuration file. You will need to know which attributes your customized BBC service(s) require and how to obtain that data from the data sources available to your IdP. Our implementation specified, for each user: first name, last name, a unique "!RefCode", and a logout URL. The example below assumes the name and unique identifier are available in Active Directory and that the IdP and Active Directory have been configured so that the IdP can retrieve that data from AD. The logout URL is the same for all users; it relies on a static data connector.
BBC required that these attributes be passed with particular attribute names in the SAML assertion (different from the names commonly used in our directories), so this fragment also associates those specific attribute names.


''example fragments of attribute-resolver.xml to support BBC'':
{{{
<!-- RefCode is the Banner ID# released with the attribute name required by Blackboard Connect -->
<!-- Sourced from UA Domain AD attribute uaIdentifier -->
<resolver:AttributeDefinition id="ContactRefCode" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uaIdentifier">
  <resolver:Dependency ref="uaADLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:alaska.edu:attributes:ContactRefCode" friendlyName="ContactRefCode"/>
</resolver:AttributeDefinition>

<!-- DATA CONNECTOR STATIC LogoutURL for BBC -->
<resolver:DataConnector id="staticValueAttributes" xsi:type="Static"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc">
  <Attribute id="LogoutURL">
    <Value>https://www.alaska.edu/uaalerts/</Value>
  </Attribute>
</resolver:DataConnector>

<!-- ATTRIBUTE DEF LogoutURL uses staticValueAttributes data connector -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="LogoutURL">
  <resolver:Dependency ref="staticValueAttributes" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" name="https://iam.alaska.edu/trac/wiki/IamUaArp"
      friendlyName="LogoutURL" />
</resolver:AttributeDefinition>

<!-- BBC-named attributes: FirstName is givenName ; LastName is sn -->
<resolver:AttributeDefinition id="FirstName" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="givenName">
  <resolver:Dependency ref="uaADLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:2.5.4.42" friendlyName="FirstName"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="LastName" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="sn">
  <resolver:Dependency ref="uaADLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:2.5.4.4" friendlyName="LastName"/>
</resolver:AttributeDefinition>
}}}

(2.4) Configure policies to release the appropriate attributes to the BBC service(s). In the attribute-filter.xml configuration file, configure which specifically named attributes are released to the entityIDs of the BBC service(s).


''example attribute release policy for BBC'':
{{{
<AttributeFilterPolicy id="releaseToBBConnect">
  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString"
        value="https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25" />
    <basic:Rule xsi:type="basic:AttributeRequesterString"
        value="https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8" />
    <basic:Rule xsi:type="basic:AttributeRequesterString"
        value="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="FirstName">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="LastName">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="ContactRefCode">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="LogoutURL">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
}}}
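Steps 2.1, 2.2 and 2.4 all carry the same BBC entityIDs, and the page is explicit that they must match exactly. The script below, an added example and not part of the wiki page or of Shibboleth, reads the three fragments and reports every entityID that is not present, byte for byte, in all of metadata, relying-party.xml and attribute-filter.xml, and separately points out near misses (ids that differ only by case or a trailing slash, which SAML will never treat as equal). The XML inside it is constructed from the page's fragments: trimmed, with a placeholder certificate, and with one deliberately mismatching trailing slash added to show what a near miss looks like.

```python
"""Cross-check BBC entityIDs across IdP metadata, relying-party.xml and attribute-filter.xml.

Added example, not from the wiki page or from Shibboleth.  Sample XML is constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
RP_NS = "urn:mace:shibboleth:2.0:relying-party"
BASIC_NS = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed metadata: the staging SP from the page plus one near miss (trailing slash).
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25/">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed relying-party.xml fragment (root element and namespaces as in IdP v2).
RELYING_PARTY = """<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RelyingParty id="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
      provider="urn:mace:incommon:alaska.edu" defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never"/>
  </RelyingParty>
  <RelyingParty id="https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25"
      provider="urn:mace:incommon:alaska.edu" defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never"/>
  </RelyingParty>
</RelyingPartyGroup>"""

# Constructed attribute-filter.xml fragment using the page's three requester strings.
ATTRIBUTE_FILTER = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToBBConnect">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="FirstName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def metadata_entity_ids(xml_text):
    """entityID of every md:EntityDescriptor (root included, so a lone descriptor works too)."""
    return {e.get("entityID") for e in ET.fromstring(xml_text).iter(f"{{{MD_NS}}}EntityDescriptor")}


def relying_party_ids(xml_text):
    """id of every RelyingParty override."""
    return {e.get("id") for e in ET.fromstring(xml_text).iter(f"{{{RP_NS}}}RelyingParty")}


def filter_requester_ids(xml_text):
    """value of every basic:Rule whose xsi:type is AttributeRequesterString."""
    return {r.get("value") for r in ET.fromstring(xml_text).iter(f"{{{BASIC_NS}}}Rule")
            if r.get(XSI_TYPE) == "basic:AttributeRequesterString"}


def check_consistency(metadata_xml, relying_party_xml, attribute_filter_xml):
    """Return {entityID: [files that lack it]} for ids not present verbatim in all three files."""
    per_file = {"metadata": metadata_entity_ids(metadata_xml),
                "relying-party.xml": relying_party_ids(relying_party_xml),
                "attribute-filter.xml": filter_requester_ids(attribute_filter_xml)}
    problems = {}
    for entity_id in sorted(set().union(*per_file.values())):
        missing = [name for name, ids in per_file.items() if entity_id not in ids]
        if missing:
            problems[entity_id] = missing
    return problems


def near_misses(ids):
    """Pairs that are equal only after lower-casing and dropping a trailing slash."""
    norm = lambda s: s.lower().rstrip("/")
    ordered = sorted(ids)
    return [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:] if a != b and norm(a) == norm(b)]


if __name__ == "__main__":
    for entity_id, missing in check_consistency(METADATA, RELYING_PARTY, ATTRIBUTE_FILTER).items():
        print(f"{entity_id}\n    missing from: {', '.join(missing)}")
    every_id = metadata_entity_ids(METADATA) | relying_party_ids(RELYING_PARTY) | filter_requester_ids(ATTRIBUTE_FILTER)
    for a, b in near_misses(every_id):
        print(f"near miss (exact match required): {a} vs {b}")
```

Run against the page's own fragments it lists, for each id, which of the three files does not carry it, which is a quick way to catch a copy-and-paste slip before the IdP silently refuses to release attributes to a requester it does not recognize.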
=== (3) Configure unsolicited SSO for BBC ===

BBC uses "unsolicited" or "IdP-initiated" SSO. That means that, rather than the normal workflow in which a request from the SP redirects the user's browser to the IdP for authentication and attributes, BBC requires us to send a SAML assertion carrying the user's authentication and the required attributes without BBC having initiated that request. This is accomplished in the Shibboleth IdP by setting up a URL that invokes a profile (or "end point") specifically for unsolicited SSO ("idp/profile/SAML2/Unsolicited/SSO") and includes the (URL-encoded) relying party entityID from above. While it is possible to enter that link directly into a browser address bar, you will want to embed that long URL behind a button or text link on a web page you own. When the user clicks the link, that initiates the request to your IdP to contact the BBC service. Additional information on unsolicited SSO with Shibboleth is at the Shibboleth wiki page IdPUnsolicitedSSO.


(3.1) Your IdP must be able to accept unsolicited requests at a specific end point. If your IdP configuration files were installed from Shibboleth 2.3.0 or later, the profile should already be there, but it is worth checking the configuration files and adding the following if not already present:
The unsolicited or IdP-initiated profile handler should be in handler.xml:
{{{
<ProfileHandler xsi:type="SAML2SSO"
    inboundBinding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
    outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
  <RequestPath>/SAML2/Unsolicited/SSO</RequestPath>
</ProfileHandler>
}}}
Also needed is the message decoder in internal.xml:
{{{
<entry>
  <key>
    <value>urn:mace:shibboleth:2.0:profiles:AuthnRequest</value>
  </key>
  <bean id="shibboleth.UnsolicitedSSODecoder"
      class="edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder">
    <constructor-arg ref="shibboleth.IdGenerator"/>
  </bean>
</entry>
}}}
(3.2) Determine the URL that triggers the IdP-initiated SSO session with BBC. Recall that we have to construct the request to the IdP ourselves rather than having the SP redirect the user's browser. That is done with a link to your IdP that references the Unsolicited SSO profile and includes the BBC entityID to which the user's browser will be redirected upon successful authentication by the IdP. Of course you will substitute your own !IdP's location for idp.alaska.edu and the entityIDs for BBC from step 1 (URL-encoded as shown here).

''examples of URLs for SSO to BBC using the entityIDs from step 1:''

Staging service:
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9
}}}
Recipient Portal:
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FPortal%2FE0D069C2563D4D63A14CBB95D6845C25
}}}
Sender Portal:
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FConnect%2F9F95200F70EB4E8F844320653CCD97A8
}}}

(3.3) You can test the integration by pasting those URLs directly into a browser, but you will want users to click a link on a web site you manage. That is your last task: set up a web page with a description of the service and a button or text link behind which is one of the URLs for unsolicited SSO to BBC from (3.2).
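The URLs above are easy to get subtly wrong when they are typed or copied from a wrapped line: a stray space, a missing %2F, or a providerId that does not exactly equal a configured entityID will stop the IdP from finding the relying party. The script below is an added example, not part of the wiki page or of Shibboleth: it builds an unsolicited SSO link from an IdP base URL and an entityID with proper URL encoding, and it checks an existing link for the common defects before it is put behind a button. The optional target parameter is the IdP's relay-state parameter as documented on the Shibboleth wiki; its use here is an assumption and it is not required.

```python
"""Build and sanity-check Shibboleth IdP v2 unsolicited SSO links.

Added example, not from the wiki page or from Shibboleth.  The entityIDs below are
the page's BBC values; idp.alaska.edu is the page's IdP host.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

UNSOLICITED_PATH = "/idp/profile/SAML2/Unsolicited/SSO"

# BBC entityIDs from step 1 of the page (staging, recipient portal, sender portal).
BBC_ENTITY_IDS = {
    "https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9",
    "https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25",
    "https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8",
}


def unsolicited_sso_url(idp_base, entity_id, target=None):
    """Return the IdP-initiated SSO link for entity_id; urlencode percent-encodes ':' and '/'."""
    params = {"providerId": entity_id}
    if target:
        params["target"] = target  # optional relay state (assumed parameter, see lead-in)
    return idp_base.rstrip("/") + UNSOLICITED_PATH + "?" + urlencode(params)


def validate_sso_link(url, known_entity_ids):
    """Return a list of findings for a link; an empty list means it looks right."""
    findings = []
    if any(c.isspace() for c in url):
        findings.append("URL contains whitespace (a wrapped line pasted as-is?)")
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("link is not https")
    if not parts.path.endswith(UNSOLICITED_PATH):
        findings.append(f"path {parts.path!r} does not end with {UNSOLICITED_PATH!r}")
    provider = parse_qs(parts.query).get("providerId", [])
    if len(provider) != 1:
        findings.append("exactly one providerId parameter is required")
    elif provider[0] not in known_entity_ids:
        # parse_qs has already decoded the value, so this is an exact-string comparison
        findings.append(f"providerId {provider[0]!r} is not a configured BBC entityID")
    return findings


if __name__ == "__main__":
    for entity_id in sorted(BBC_ENTITY_IDS):
        link = unsolicited_sso_url("https://idp.alaska.edu", entity_id)
        print(link, validate_sso_link(link, BBC_ENTITY_IDS) or "OK")
```

validate_sso_link is meant to be run over the links actually embedded in the web page from step 3.3; the set passed as known_entity_ids should be the same ids that appear in the metadata and relying-party.xml from step 2.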