== [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / [[ServiceCandidates|Service Integrations]] / Blackboard Connect ==

=== The three BBC services for UA are: ===

==== Staging service: ====
https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9

==== Recipient Portal: ====
https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25

==== Sender Portal: ====
https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8

=== SAML Profile - Unsolicited SSO ===

See "Connect SSO Implementation Manual" (too large to attach).

BBC uses "unsolicited" or "IdP initiated" SSO. That means that, rather than responding to a user's request and redirecting the user's browser to the IdP for authentication and attributes, BBC requires us to send a SAML assertion with user authentication and required attributes. This is accomplished in the Shibboleth IdP by setting up a URL that invokes a profile (or "end point") specifically for unsolicited SSO ("idp/profile/SAML2/Unsolicited/SSO") and includes the (encoded) relying party entity id above.

BBC also crafts the entityID [~URL] of the service based on the certificate used to sign the SAML assertion (attached). Note that this means that ''if and when the UA IdP certificate is changed, these entity IDs will change, requiring changes to the sp-metadata file, the relying-party.xml file, and the attribute-filter.xml file'', as each of these requires the explicit entity ids of the services to which the IdP will send assertions.

For BBC entities above, those URLs are:

==== Staging service: ====
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9

==== Recipient Portal: ====
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FPortal%2FE0D069C2563D4D63A14CBB95D6845C25

==== Sender Portal: ====
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FConnect%2F9F95200F70EB4E8F844320653CCD97A8

=== Attributes for BBC: ===

The same attributes are released to each of the services above. These are, using the 'friendlyName's requested by BBC:

 * !FirstName := givenName from UA AD
 * !LastName := sn from UA AD
 * !ContactRefCode := uaidentifier (aka Banner ID# or "30 million number") from UA AD
 * LogoutURL := static value for all users, https://www.alaska.edu/uaalerts/

=== Additional documentation: ===

 * [[BBCShibIntegration|Step-by-step: Shibboleth authN to Bb Connect]]
 * [[https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO|Shibboleth wiki IdPUnsolicitedSSO]]
 * [[http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html|SAML 2 Technical Overview]] see §5.1.4
 * [[https://iam.alaska.edu/shib/raw-attachment/wiki/BbConnect/BBC%20SSO%20Portal%20overview.pdf|BBC Portal SSO overview (attachment)]]

See XML fragments from IdP config files in the attachments.
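
A consistency check for the entity-ID dependency described above, as an added example that is not part of the original page or of UA's configuration: it rebuilds the unsolicited SSO link from an entity ID and reports which of the three IdP files does not list the `providerId` a link carries. The element and attribute names assume the Shibboleth IdP 2.x file layout, and the XML fragments and the replacement entity ID are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

IDP_ENDPOINT = "https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO"
# Assumed IdP 2.x layout: file -> (element local name, attribute holding the SP entity ID)
SOURCES = {
    "sp-metadata": ("EntityDescriptor", "entityID"),
    "relying-party.xml": ("RelyingParty", "id"),
    "attribute-filter.xml": ("PolicyRequirementRule", "value"),
}

def unsolicited_url(entity_id):
    """Build the IdP-initiated SSO link; the entity ID is fully percent-encoded."""
    return IDP_ENDPOINT + "?providerId=" + quote(entity_id, safe="")

def entity_ids(xml_text, element, attribute):
    """Collect `attribute` from every element with that local name, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    return {el.get(attribute) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == element and el.get(attribute)}

def check_links(links, configs):
    """Return {link: [config files that do not list the link's providerId]}."""
    problems = {}
    for link in links:
        rp = parse_qs(urlsplit(link).query).get("providerId", [""])[0]
        missing = [name for name, (el, attr) in SOURCES.items()
                   if rp not in entity_ids(configs[name], el, attr)]
        if missing:
            problems[link] = missing
    return problems

OLD = "https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8"  # from the page
NEW = "https://sso.blackboardconnect.com/SAML/Connect/EXAMPLE-ID-AFTER-CERT-CHANGE"  # constructed placeholder
SAMPLE = {  # constructed, simplified fragments: attribute-filter.xml was not updated
    "sp-metadata": f'<EntityDescriptor entityID="{NEW}"/>',
    "relying-party.xml": f'<RelyingPartyGroup><RelyingParty id="{NEW}"/></RelyingPartyGroup>',
    "attribute-filter.xml": f'<AttributeFilterPolicyGroup><AttributeFilterPolicy id="bbc">'
                            f'<PolicyRequirementRule value="{OLD}"/>'
                            f'</AttributeFilterPolicy></AttributeFilterPolicyGroup>',
}

if __name__ == "__main__":
    print(check_links([unsolicited_url(NEW)], SAMPLE))
```

Run against the real files after a certificate change, an empty result means every published link names an entity ID that all three files know about.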