wiki:BbConnect

Version 17 (modified by dabantz@…, 12 years ago) (diff)


The three BBC services for UA are:

Staging service:

https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9

Recipient Portal:

https://sso.blackboardconnect.com/SAML/Portal/E0D069C2563D4D63A14CBB95D6845C25

Sender Portal:

https://sso.blackboardconnect.com/SAML/Connect/9F95200F70EB4E8F844320653CCD97A8

see "Connect SSO Implementation Manual" (too large to attach)

BBC uses "unsolicited" or "IdP initiated" SSO. That means that, rather than the service responding to a user's request by redirecting the user's browser to the IdP for authentication and attributes, BBC requires us to send it a SAML assertion carrying the user's authentication and the required attributes. This is accomplished in the Shibboleth IdP by setting up a URL that invokes the profile (or "end point") specifically for unsolicited SSO ("idp/profile/SAML2/Unsolicited/SSO") and carries the URL-encoded entityID of the relying party (listed above) as the providerId parameter.

BBC also derives the entityID (a URL) of each service from the certificate used to sign the SAML assertion (attached). This means that if and when the UA IdP signing certificate is changed, these entity IDs will change, requiring changes to the sp-metadata file, relying-party.xml and attribute-filter.xml, since each of these names the explicit entity IDs of the services to which the IdP will send assertions.

For BBC entities above, those URLs are:

Staging service:

https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9

Recipient Portal:

https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FPortal%2FE0D069C2563D4D63A14CBB95D6845C25

Sender Portal:

https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsso.blackboardconnect.com%2FSAML%2FConnect%2F9F95200F70EB4E8F844320653CCD97A8

See also the Shibboleth wiki page IdPUnsolicitedSSO.

Attributes for BBC:

The same attributes are released to each of the services above. These are, using the friendlyNames requested by BBC:

FirstName
LastName
ContactRefCode
LogoutURL
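An added example (not code from this wiki, from UA, or from the Shibboleth project) that ties the points above together: it builds the unsolicited SSO URL for a given entityID the way the URLs above are built, and, for the certificate-rotation concern, checks that every BBC entityID appears in all three files and that each filter policy releases exactly the four attributes listed. The IdP host, the entity IDs and the three config snippets are constructed placeholders in Shibboleth IdP 2.x format (assumed from the file names on this page); the certificate text is a constructed fragment in openssl x509 -text layout.

```python
"""Consistency check for IdP-initiated ("unsolicited") SSO relying parties.

Added example: not the wiki's, UA's, or Shibboleth's own code. Assumes the
IdP 2.x config formats shown in the constructed snippets below; the IdP
host and every entityID are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

IDP_BASE = "https://idp.example.edu"                      # placeholder IdP host
UNSOLICITED_PATH = "/idp/profile/SAML2/Unsolicited/SSO"
EXPECTED_ATTRS = {"FirstName", "LastName", "ContactRefCode", "LogoutURL"}

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"            # assumed IdP 2.x namespaces
RP = "{urn:mace:shibboleth:2.0:relying-party}"
AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def unsolicited_sso_url(entity_id):
    """IdP-initiated SSO URL: the SP's entityID is the providerId, percent-encoded."""
    return f"{IDP_BASE}{UNSOLICITED_PATH}?providerId={quote(entity_id, safe='')}"


def provider_id_from_url(url):
    """Recover the SP entityID from an unsolicited SSO URL (parse_qs decodes it)."""
    return parse_qs(urlsplit(url).query)["providerId"][0]


def metadata_entity_ids(xml_text):
    """entityIDs of every EntityDescriptor in the SP metadata file."""
    return {e.get("entityID") for e in ET.fromstring(xml_text).iter(MD + "EntityDescriptor")}


def relying_party_ids(xml_text):
    """entityIDs with an explicit RelyingParty override in relying-party.xml."""
    return {e.get("id") for e in ET.fromstring(xml_text).iter(RP + "RelyingParty")}


def filter_policies(xml_text):
    """Map each requester entityID named in attribute-filter.xml to the attributes
    its AttributeFilterPolicy releases."""
    policies = {}
    for policy in ET.fromstring(xml_text).iter(AFP + "AttributeFilterPolicy"):
        released = {r.get("attributeID") for r in policy.iter(AFP + "AttributeRule")}
        for el in policy.iter():  # the requirement rule itself or a nested basic:Rule
            if el.get(XSI_TYPE, "").endswith("AttributeRequesterString") and el.get("value"):
                policies.setdefault(el.get("value"), set()).update(released)
    return policies


def cert_not_after(openssl_text):
    """Parse the 'Not After' line of `openssl x509 -text` output as a UTC datetime."""
    line = re.search(r"Not After\s*:\s*(.+)", openssl_text).group(1)
    when = datetime.strptime(re.sub(r"\s+", " ", line.strip()), "%b %d %H:%M:%S %Y GMT")
    return when.replace(tzinfo=timezone.utc)


def check_relying_parties(metadata_xml, relying_party_xml, filter_xml, cert_text, now):
    """Report every entityID not present in all three files, every policy that does
    not release exactly EXPECTED_ATTRS, and a signing cert within 90 days of expiry
    (rotating it changes the BBC entityIDs, so all three files must change together)."""
    md, rp = metadata_entity_ids(metadata_xml), relying_party_ids(relying_party_xml)
    policies = filter_policies(filter_xml)
    sources = (("sp-metadata", md), ("relying-party.xml", rp), ("attribute-filter.xml", set(policies)))
    problems = []
    for eid in sorted(md | rp | set(policies)):
        missing = [name for name, ids in sources if eid not in ids]
        if missing:
            problems.append(f"{eid}: not in {', '.join(missing)}")
        elif policies[eid] != EXPECTED_ATTRS:
            problems.append(f"{eid}: releases {sorted(policies[eid])}, expected {sorted(EXPECTED_ATTRS)}")
    days_left = (cert_not_after(cert_text) - now).days
    if days_left < 90:
        problems.append(f"signing certificate expires in {days_left} days; entityIDs will change on rotation")
    return problems


# --- constructed sample config: placeholder entityIDs, not the real BBC ones ---
STAGING = "https://sso.example.test/SAML/Connect/STAGING-PLACEHOLDER"
PORTAL_NEW = "https://sso.example.test/SAML/Portal/PORTAL-AFTER-ROTATION"
PORTAL_OLD = "https://sso.example.test/SAML/Portal/PORTAL-BEFORE-ROTATION"
AUDIT_DATE = datetime(2014, 5, 1, tzinfo=timezone.utc)      # constructed "today"

SP_METADATA = f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="{STAGING}"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></EntityDescriptor>
  <EntityDescriptor entityID="{PORTAL_NEW}"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></EntityDescriptor>
</EntitiesDescriptor>"""

RELYING_PARTY = f"""<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party">
  <rp:RelyingParty id="{STAGING}" provider="{IDP_BASE}/idp/shibboleth"/>
  <rp:RelyingParty id="{PORTAL_NEW}" provider="{IDP_BASE}/idp/shibboleth"/>
</rp:RelyingPartyGroup>"""

# attribute-filter.xml still names the pre-rotation portal entityID: the check must flag it
ATTRIBUTE_FILTER = f"""<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="bbc">
    <afp:PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="{STAGING}"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="{PORTAL_OLD}"/>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="FirstName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="LastName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="ContactRefCode"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="LogoutURL"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# constructed fragment of `openssl x509 -text` output (dates copied from the page's cert)
CERT_TEXT = "        Validity\n            Not Before: Jul  7 00:01:49 2011 GMT\n            Not After : Jul  6 00:01:49 2014 GMT\n"

if __name__ == "__main__":
    print(unsolicited_sso_url(STAGING))
    for problem in check_relying_parties(SP_METADATA, RELYING_PARTY, ATTRIBUTE_FILTER, CERT_TEXT, AUDIT_DATE):
        print("PROBLEM:", problem)
```

Run against the real files, the loop in check_relying_parties is what catches the failure mode the page warns about: after a certificate rotation the new entityIDs land in sp-metadata and relying-party.xml but the old one lingers in attribute-filter.xml, so the IdP sends assertions to the new entity with none of the four attributes. The sample data reproduces exactly that drift for the portal entity.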

Additional documentation:

SAML 2 Technical Overview (see §5.1.4)

BBC Portal SSO overview (attachment)

UA IdP X509 certificate (openssl x509 -text output):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b4:bd:2d:f0:ba:69:97:01
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Alaska, L=Fairbanks, O=University of Alaska, OU=Office of Information Technology, CN=idp.alaska.edu/emailAddress=iam@alaska.edu
        Validity
            Not Before: Jul  7 00:01:49 2011 GMT
            Not After : Jul  6 00:01:49 2014 GMT
        Subject: C=US, ST=Alaska, L=Fairbanks, O=University of Alaska, OU=Office of Information Technology, CN=idp.alaska.edu/emailAddress=iam@alaska.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b8:46:cf:06:c9:87:b1:c4:56:65:42:95:90:dd:
                    58:70:0c:a5:06:39:81:7e:70:48:86:6b:a7:99:c2:
                    4c:39:1d:b7:8b:d3:6d:6d:9e:b8:3c:92:0c:1e:e2:
                    66:2e:4a:c8:13:54:dc:6c:a7:9d:1e:45:fa:f3:3c:
                    38:c1:3d:aa:12:4d:57:5a:84:17:dd:55:b7:9e:70:
                    c9:52:33:74:9e:63:a0:f7:86:1b:c6:5e:ab:1a:78:
                    50:2b:67:db:37:d0:29:1d:06:2b:60:68:ab:d3:48:
                    0b:17:02:74:5a:f4:1d:a8:96:65:3f:01:f5:1f:48:
                    f9:91:c0:3c:43:26:8e:64:b4:66:19:3b:0c:14:8c:
                    1e:20:85:db:91:b5:77:34:da:ab:8b:62:33:b7:37:
                    d4:f8:87:3c:76:b5:e3:b5:75:0e:5b:13:01:fb:42:
                    20:f4:e8:00:3b:fa:62:9b:74:b3:3d:b2:9a:af:f1:
                    c8:15:14:a9:b2:b8:a6:2c:26:c9:d4:3c:e3:07:8e:
                    f2:a1:fe:cf:66:07:02:22:4d:e2:37:79:f9:b7:e5:
                    76:63:60:ba:5c:51:45:66:64:31:3c:5f:23:c3:f7:
                    16:6d:8c:91:7f:c5:7f:11:ec:10:13:08:67:40:fc:
                    3d:19:d3:53:85:20:3e:e5:47:1c:a5:41:14:80:7c:
                    ee:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                15:77:9E:06:4D:33:17:A6:73:07:FB:07:90:E7:5B:D4:45:2C:15:3B
            X509v3 Authority Key Identifier: 
                keyid:15:77:9E:06:4D:33:17:A6:73:07:FB:07:90:E7:5B:D4:45:2C:15:3B
                DirName:/C=US/ST=Alaska/L=Fairbanks/O=University of Alaska/OU=Office of Information Technology/CN=idp.alaska.edu/emailAddress=iam@alaska.edu
                serial:B4:BD:2D:F0:BA:69:97:01

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        1a:71:bf:f2:8b:1d:3a:62:b9:1f:59:b5:48:14:ff:8b:f6:ee:
        7c:6a:ae:d6:5d:13:1e:85:44:13:ed:50:83:3c:37:2d:67:94:
        a3:b4:c5:9d:d0:0d:9b:e2:28:19:b6:fd:8e:c5:c1:bb:53:a7:
        69:06:23:80:93:e3:06:10:67:98:97:eb:30:e0:a1:4d:07:e2:
        b7:54:25:38:0f:04:fb:75:e6:d5:ab:4a:ae:24:79:8f:db:7a:
        00:76:62:1d:f7:6c:34:f8:93:7d:ff:44:f5:a4:96:5f:cf:21:
        59:06:04:cc:53:b7:08:91:6a:a7:31:da:c6:85:a9:79:30:dc:
        eb:63:2a:4e:52:f6:61:28:ea:df:fc:4d:74:7b:a6:6e:b8:1e:
        be:e6:58:86:ba:cf:18:65:b7:ee:d7:c5:2b:de:4f:5f:43:78:
        08:49:0d:ef:28:6d:59:f0:00:b2:54:3d:a9:78:26:e9:a0:dd:
        90:12:d8:c8:ac:0b:14:d5:61:e0:0e:bb:e2:01:de:64:e6:c9:
        45:1e:e7:b9:83:a5:23:7a:7e:13:07:cf:50:80:f0:ac:16:bd:
        b4:6d:5d:8b:0e:61:04:9f:13:4e:e3:b1:7a:a4:55:65:1d:89:
        eb:77:14:02:b1:ff:44:4d:4f:fb:83:38:27:da:0e:4e:5f:5c:
        24:98:44:cb