Version 13 (modified by dabantz@…, 12 years ago)
IAM / Projects / Shibboleth / Service Candidates / Blackboard Connect
relying-party.xml as of 2012-06:

<!-- BlackBoard Connect -->
<RelyingParty id="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
              provider="urn:mace:incommon:alaska.edu"
              defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
              defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
On Tue, 11 Sep 2012, at 13:22, David Stein <David.Stein@blackboard.com> wrote:
I believe that this is now rectified. I have now loaded the same cert for both the recipient and sender portals. Here are the URLs.
[N.B. the dependence of the URLs (really entity IDs) on the certificate; see warning below.]
Recipient Portal: https://sso.blackboardconnect.com/SAML/Portal/7B9070E4D2DE4195A8B530EE72266AB0
[subsequently revised to: https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25]
Sender Portal: https://sso.blackboardconnect.com/SAML/Connect/6F0CEAB5A3704F84A767DFA3CC6CEBF7
[subsequently revised to: https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8]
see "Connect SSO Implementation Manual" (too large to attach)
BBC uses "unsolicited" or "IdP-initiated" SSO. Rather than the service receiving a user's request and redirecting the browser to the IdP with an AuthnRequest, BBC requires the IdP to start the exchange: the IdP authenticates the user and sends a signed SAML response, carrying the assertion with the required attributes, to BBC's assertion consumer service. Because no request precedes it, the response contains nothing BBC can match back to a request of its own; the signature (and BBC's mapping of the signing certificate to an entity ID, below) is what authenticates it. In the Shibboleth IdP this is done by sending the user's browser to the profile endpoint reserved for unsolicited SSO (idp/profile/SAML2/Unsolicited/SSO) with the relying party's entity ID, URL-encoded, as the providerId parameter.
BBC also derives the entityID (which looks like a URL) of each service from the certificate used to sign the SAML assertion (attached as UAIdP.crt). This means that if and when the UA IdP signing certificate is changed, these entity IDs will change as well, requiring matching changes to the sp-metadata file, relying-party.xml and attribute-filter.xml, since each of them names the services to which the IdP will send assertions by explicit entity ID. A stale ID in any one of them breaks that service: without its relying-party entry the IdP falls back to the default relying-party settings, without its metadata the IdP has no endpoint to send to, and without an attribute-filter rule no attributes are released.
For the BBC entities above, those URLs are:
staging service: https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9
Recipient Portal: https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FPortal%2FE0D069C2563D4D63A14CBB95D6845C25
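The URL construction described above, together with the warning that a certificate change rotates BBC's entity IDs across three IdP files, as an added example in Python (this is not code from the page, from Shibboleth or from Blackboard). It extracts the entity IDs named in relying-party.xml, attribute-filter.xml and SP metadata, reports any ID that one of the files fails to name, and builds the providerId URL for each relying party. The XML fragments are constructed for the example, modelled on the relying-party.xml entry on this page; the attribute-filter fragment deliberately keeps the pre-revision Recipient Portal ID to show what a certificate change leaves behind. The optional `target` parameter (the return location) is taken from the Shibboleth IdP 2 unsolicited-SSO documentation; the idp.alaska.edu base URL is the page's own.

```python
"""Added example: check that the three Shibboleth IdP v2 files which must name
a BBC relying party agree on its entity ID, and build the unsolicited SSO URL.
All XML fragments below are constructed for this example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

RP_NS = "urn:mace:shibboleth:2.0:relying-party"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

STAGING = "https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
PORTAL_OLD = "https://sso.blackboardconnect.com/SAML/Portal/7B9070E4D2DE4195A8B530EE72266AB0"
PORTAL_NEW = "https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25"

# Constructed relying-party.xml fragment (same shape as the page's entry).
RELYING_PARTY_XML = f"""<RelyingPartyGroup xmlns="{RP_NS}"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml" xmlns:xsi="{XSI_NS}">
  <RelyingParty id="{STAGING}" provider="urn:mace:incommon:alaska.edu"
      defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never"/>
  </RelyingParty>
  <RelyingParty id="{PORTAL_NEW}" provider="urn:mace:incommon:alaska.edu"
      defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never"/>
  </RelyingParty>
</RelyingPartyGroup>"""

# Constructed attribute-filter.xml fragment; PORTAL_OLD is the stale, pre-revision ID.
ATTRIBUTE_FILTER_XML = f"""<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="{XSI_NS}">
  <AttributeFilterPolicy id="releaseToBBC">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="{STAGING}"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="{PORTAL_OLD}"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed SP metadata fragment (entity descriptors only).
METADATA_XML = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="{STAGING}"/>
  <EntityDescriptor entityID="{PORTAL_NEW}"/>
</EntitiesDescriptor>"""


def relying_party_ids(xml_text):
    """Entity IDs with an explicit <RelyingParty id=...> entry."""
    root = ET.fromstring(xml_text)
    return {rp.get("id") for rp in root.iter(f"{{{RP_NS}}}RelyingParty")}


def attribute_filter_ids(xml_text):
    """Entity IDs matched by any AttributeRequesterString rule (inside OR/AND or not)."""
    root = ET.fromstring(xml_text)
    return {el.get("value") for el in root.iter()
            if el.get(f"{{{XSI_NS}}}type", "").endswith("AttributeRequesterString")}


def metadata_ids(xml_text):
    """Entity IDs for which the IdP has SP metadata."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")}


def check_consistency(rp_xml, afp_xml, md_xml):
    """Map each entity ID to the files that fail to name it; empty dict means consistent."""
    sources = {
        "relying-party": relying_party_ids(rp_xml),
        "attribute-filter": attribute_filter_ids(afp_xml),
        "metadata": metadata_ids(md_xml),
    }
    problems = {}
    for eid in sorted(set().union(*sources.values())):
        missing = sorted(name for name, ids in sources.items() if eid not in ids)
        if missing:
            problems[eid] = missing
    return problems


def unsolicited_sso_url(idp_base, entity_id, target=None):
    """Build the IdP-initiated SSO URL; urlencode percent-encodes ':' and '/' in providerId."""
    params = {"providerId": entity_id}
    if target:  # optional return location, per the Shibboleth IdP 2 docs
        params["target"] = target
    return f"{idp_base.rstrip('/')}/idp/profile/SAML2/Unsolicited/SSO?{urlencode(params)}"


if __name__ == "__main__":
    for eid, missing in check_consistency(RELYING_PARTY_XML, ATTRIBUTE_FILTER_XML, METADATA_XML).items():
        print(f"{eid}\n  missing from: {', '.join(missing)}")
    for eid in sorted(relying_party_ids(RELYING_PARTY_XML)):
        print(unsolicited_sso_url("https://idp.alaska.edu", eid))
```

Run against the real files after a certificate rotation, the check lists every entity ID that only some of the three files know about, which is exactly the half-updated state that leaves one BBC portal failing while the others work.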
References:
Shibboleth wiki: IdPUnsolicitedSSO
SAML 2 Technical Overview, §5.1.4
Attachments
- UAIdP.crt (1.8 KB) - added by dabantz@… 12 years ago. UA IdP X509 certificate
- BBC SSO Portal overview.pdf (110.3 KB) - added by dabantz@… 12 years ago. BBC Connect overview with attribute requirements
- attribue-resolver_BBC.rtf (3.3 KB) - added by dabantz@… 12 years ago. attribute-resolver for BBC-specific attributes
- relying-party.xml_BBC.txt (1.5 KB) - added by dabantz@… 12 years ago. fragment for 3 BBC services
- Attribute filter (release) for BBC.txt (1.1 KB) - added by dabantz@… 12 years ago.
- BBC-entity-descriptors.xml.txt (5.1 KB) - added by dabantz@… 12 years ago. metadata.xml fragment - BBC entity descriptors
- UA IdP x509 cert decoded.txt (3.3 KB) - added by dabantz@… 12 years ago. Decoded X509 certificate for UA IdP