== [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / [[ServiceCandidates|Service Candidates]] / Blackboard Connect == relying-party.xml as of 2012-06: {{{ }}} {{{ On Tue, 11 Sep 2012, at 13:22 , David Stein wrote: I believe that this is now rectified. I have now loaded the same cert for both the recipient and sender portals. Here are the URLs. [N.B. the dependence of the URLs - really entity IDs - on the certificate! see warning below!] Recipient Portal: https://sso.blackboardconnect.com/SAML/Portal/7B9070E4D2DE4195A8B530EE72266AB0 [subsequently revised to: https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25 ] Sender Portal: https://sso.blackboardconnect.com/SAML/Connect/6F0CEAB5A3704F84A767DFA3CC6CEBF7 [subsequently revised to: https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8 ] }}} see "Connect SSO Implementation Manual" (too large to attach) BBC uses "unsolicited" or "IdP initiated" SSO. That means that, rather than responding to a user's request and redirecting the user's browser to the IdP for authentication and attributes, BBC requires us to send a SAML assertion with user authentication and required attributes. This is accomplished in the Shibboleth IdP by setting up a URL that invokes a profile (or "end point") specifically for unsolicited SSO ("idp/profile.SAML2/Unsolicited/SSO") and includes the (encoded) relying party entity id above. BBC also crafts the entityID [~URL] of the service based on the certificate used to sign the SAML assertion (attached). Note that means that ''if and when the UA IdP certificate is changed, these entity IDs will change, requiring changes to the sp-metadata file, the relying-party.xml file, and the attribute-filter.xml files'', as each of these requires the explicit entity ids of the services to which the IdP will send assertions. For BBC entities above, those URLs are: staging service: https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9 Recipient Portal: https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FPortal%2FE0D069C2563D4D63A14CBB95D6845C25 Sender Portal: https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FConnect%2F9F95200F70EB4E8F844320653CCD97A8 [[https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO|Shibboleth wiki IdPUnsolicitedSSO]] [[http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html|SAML 2 Technical Overview]] see ยง5.1.4