wiki:BbConnect

Version 5 (modified by dabantz@…, 12 years ago)


IAM / Projects / Shibboleth / Service Candidates / Blackboard Connect

relying-party.xml as of 2012-06:

    <!-- BlackBoard Connect -->
    <RelyingParty id="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
                  provider="urn:mace:incommon:alaska.edu"
                  defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
                  defaultSigningCredentialRef="IdPCredential">
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
    </RelyingParty>

See the "Connect SSO Implementation Manual" (too large to attach).

BBC uses "unsolicited" or "IdP-initiated" SSO. That means that, rather than BBC responding to a user's request by redirecting the user's browser to the IdP for authentication and attributes, BBC requires us to send it a SAML assertion carrying the user's authentication and the required attributes. In the Shibboleth IdP this is done with a URL that invokes the profile (or "endpoint") dedicated to unsolicited SSO ("idp/profile/SAML2/Unsolicited/SSO") and includes the URL-encoded relying party entity ID shown above.

For the BBC entity above, that URL is: https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fssostg.blackboardconnect.com%2FSAML%2FConnect%2FB46C75BF139144349190F775C38F05A9
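The relationship between the relying-party.xml entry and the unsolicited SSO link can be checked mechanically. The following is an added example, not part of the original wiki page or of Shibboleth: it derives the link from each RelyingParty id and verifies that a published link points at the right endpoint and a configured relying party. The wrapper root element and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit, parse_qs

IDP_ENDPOINT = "https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO"  # from the page

# The page's fragment, wrapped in a constructed root so the xsi: prefix resolves.
RELYING_PARTY_XML = """
<RelyingPartyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RelyingParty id="https://ssostg.blackboardconnect.com/SAML/Connect/B46C75BF139144349190F775C38F05A9"
                provider="urn:mace:incommon:alaska.edu"
                defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
                defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
  </RelyingParty>
</RelyingPartyGroup>
"""

def relying_party_ids(xml_text):
    """Return the entity IDs of every RelyingParty element in the config."""
    root = ET.fromstring(xml_text)
    return [rp.get("id") for rp in root.iter("RelyingParty")]

def unsolicited_sso_url(entity_id):
    """Build the IdP-initiated link; safe="" percent-encodes ':' and '/' too."""
    return IDP_ENDPOINT + "?providerId=" + quote(entity_id, safe="")

def check_link(url, allowed_ids):
    """Classify a link: endpoint must match exactly, providerId must be configured."""
    parts, endpoint = urlsplit(url), urlsplit(IDP_ENDPOINT)
    if (parts.scheme, parts.netloc, parts.path) != (endpoint.scheme, endpoint.netloc, endpoint.path):
        return "wrong endpoint"
    values = parse_qs(parts.query).get("providerId", [])
    if len(values) != 1:
        return "providerId missing or repeated"
    if values[0] not in allowed_ids:  # parse_qs has already percent-decoded the value
        return "unknown relying party"
    return "ok"

if __name__ == "__main__":
    ids = relying_party_ids(RELYING_PARTY_XML)
    for entity_id in ids:
        link = unsolicited_sso_url(entity_id)
        print(check_link(link, ids), link)
```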

Shibboleth wiki IdPUnsolicitedSSO

SAML 2 Technical Overview, see §5.1.4
