Changes between Version 1 and Version 2 of Transact


Timestamp:
11/12/14 12:04:07 (10 years ago)
Author:
dabantz@…
== [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / [[ServiceCandidates|Service Integrations]] / Blackboard Transact ==

Blackboard Transact is to be used with eAccounts to support Tapingo, an online meal ordering and payment service.

Transact is used for payment transactions with web clients; eAccounts (LDAP-enabled, not Shibboleth) serves mobile devices.

Removed (v1): David DeWolfe is primary technical contact with these vendors.
Added (v2): David !DeWolfe is primary technical contact with these vendors.

Transact's Service Provider (SP) is configured and tested through an administrative portal at Blackboard. For the UA integration, David !DeWolfe used this console in consultation with Blackboard and IAM. The Transact integration was unique among UA IAM integrations (as of 2014) in using TWO IdP profiles; it took several weeks of conversation to realize that the SP requests authentication as usual and receives the SAML assertion from the IdP, BUT THEN ignores or discards the attributes in that assertion and makes a SECOND call to the IdP using the AttributeQuery profile to retrieve them. The configuration below reflects this SP behavior.

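The two-call behaviour described above, as an added example that is not part of this wiki page, Blackboard's software or the Shibboleth project: the SP side builds the SAML 2.0 AttributeQuery it sends after SSO (Subject NameID plus the attributes it wants, requested by Name and FriendlyName), and the IdP side parses that query, refuses it unless the Issuer is the Transact relying party configured on this page, and pulls out the NameID to resolve. Entity IDs, attribute Names and FriendlyNames are the page's; the NameID value, query ID and IssueInstant are constructed sample values. Note that the page's encoder declares the NameID format as transient while the value it carries is a stable username@alaska.edu; the parser below passes the declared Format through unchanged, so a mismatch like that is visible in the parsed result.

```python
"""Added example; not from the wiki page, Blackboard or the Shibboleth project.
Models the SP behaviour described on the page: after SSO the SP discards the assertion's
attributes and sends a SAML 2.0 AttributeQuery naming the Subject it just received.
Entity IDs, attribute Names and FriendlyNames are taken from the page; the NameID
value, IssueInstant and query ID are constructed sample values."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

TRANSACT_SP = "https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SAML attribute Name -> FriendlyName Transact keys on (from the page's encoders)
TRANSACT_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.3": "BbSPEmailAddress",
    "urn:oid:2.5.4.42": "BbSPFirstName",
    "urn:oid:2.5.4.4": "BbSPLastName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "BbSPUserName",
    "https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID": "BbSPCustomerNumber",
}


def build_attribute_query(issuer, name_id, name_format, attributes, query_id="_constructed-q1"):
    """SP side: the SECOND call. Returns the AttributeQuery as XML text (unsigned)."""
    q = ET.Element(f"{{{NS['samlp']}}}AttributeQuery",
                   {"ID": query_id, "Version": "2.0", "IssueInstant": "2014-10-23T00:00:00Z"})
    ET.SubElement(q, f"{{{NS['saml']}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{NS['saml']}}}Subject")
    nid = ET.SubElement(subject, f"{{{NS['saml']}}}NameID", {"Format": name_format})
    nid.text = name_id  # the NameID the SP received in the SSO assertion
    for name, friendly in attributes.items():
        ET.SubElement(q, f"{{{NS['saml']}}}Attribute",
                      {"Name": name, "FriendlyName": friendly,
                       "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    return ET.tostring(q, encoding="unicode")


@dataclass
class ParsedQuery:
    issuer: str
    name_id: str
    name_format: str
    requested: dict  # attribute Name -> FriendlyName


def parse_attribute_query(xml_text, expected_requester):
    """IdP side: extract the Subject and the requested attributes, rejecting queries whose
    Issuer is not the relying party this configuration was written for.  Signature and
    transport checks that a real IdP performs before this point are out of scope here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AttributeQuery":
        raise ValueError("not an AttributeQuery")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_requester:
        raise ValueError(f"unexpected requester {issuer!r}")
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is None or not nid.text:
        raise ValueError("AttributeQuery has no Subject NameID to resolve")
    requested = {a.get("Name"): a.get("FriendlyName") for a in root.findall("saml:Attribute", NS)}
    return ParsedQuery(issuer, nid.text, nid.get("Format"), requested)


if __name__ == "__main__":
    xml = build_attribute_query(TRANSACT_SP, "jdoe@alaska.edu", TRANSIENT, TRANSACT_ATTRIBUTES)
    print(xml)
    print(parse_attribute_query(xml, TRANSACT_SP))
```

The requester check mirrors what the `AttributeRequesterString` rule in step 5 below does for release: attributes built for Transact are only worth resolving for a query that actually comes from the Transact entityID.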
1. Custom relying party for Transact, in the relying parties section of relying-party.xml:

{{{
<!-- BlackBoard Transact does not support encryption; uses AttributeQuery 2014-10-23 -->
   <RelyingParty id="https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt"
       provider="urn:mace:incommon:alaska.edu"
       defaultSigningCredentialRef="IdPCredential"
       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
       <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
       <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" encryptAssertions="never" encryptNameIds="never" />
   </RelyingParty>
}}}

2. The Blackboard metadata provider is also configured in relying-party.xml, in the metadata provider section:

{{{
      <!-- other metadata from other providers goes here -->

      <metadata:MetadataProvider id="TransactSP" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                        metadataURL="https://mgmt-ualaska-sp.blackboard.com/mgmt/rest/MetadataRequest"
                        backingFile="/opt/shibboleth-idp/metadata/TransactSP-metadata.xml" />

      <!-- closing tag of the enclosing chaining MetadataProvider that holds all of the providers above -->
      </metadata:MetadataProvider>
}}}

3. Blackboard Transact relies on a NameID with a particular format to identify the user (rather than ePPN or other usual attributes). A previous integration (Okta) relied on a similar NameID, so we are re-using the NameID constructed for Okta in attribute-resolver.xml:

{{{
<!-- Okta and Bb Transact require something like ePPN in the SAML Subject -->
<resolver:AttributeDefinition
       id="oktanameid"
       xsi:type="Script"
       xmlns="urn:mace:shibboleth:2.0:resolver:ad"
       sourceAttributeID="UASystemID"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
<!-- use UA Username = uasystemid iff it was retrieved from MyLDAP=EDIR; if no value, try using uaadsystemid from UA AD -->
       <resolver:Dependency ref="uasystemid" />
       <resolver:Dependency ref="uaadsystemid" />
       <resolver:AttributeEncoder
         xsi:type="SAML2StringNameID"
         xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
         nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
       <resolver:AttributeEncoder
         xsi:type="SAML2String"
         xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
         name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
         friendlyName="username" />
       <Script>
       <![CDATA[
       importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
       importPackage(Packages.org.slf4j);

       logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
       logger.debug("Starting oktanameid Resolver Script:");

       // the resolver injects the dependency attributes (uasystemid, uaadsystemid) and the
       // attribute being built (oktanameid) as script variables
       if (null == oktanameid) { oktanameid = new BasicAttribute("oktanameid"); }
       if (typeof uasystemid != "undefined" && uasystemid != null && uasystemid.getValues().size() != 0) {
           // preferred source: UA Username retrieved from eDirectory
           oktausername = uasystemid.getValues().get(0);
           oktanameid.getValues().add(oktausername + "@alaska.edu");
       } else if (typeof uaadsystemid != "undefined" && uaadsystemid != null && uaadsystemid.getValues().size() != 0) {
           // fallback: username retrieved from UA Active Directory
           oktausername = uaadsystemid.getValues().get(0);
           oktanameid.getValues().add(oktausername + "@alaska.edu");
       }
       logger.debug("adding scope to UA Username; result is oktanameid = " + oktanameid.getValues());
       ]]>
       </Script>
   </resolver:AttributeDefinition>
}}}

4. Blackboard Transact processes attributes based on their !FriendlyNames rather than their actual names, and also requires specific !FriendlyNames for the attributes it consumes. So these custom attributes are encoded in attribute-resolver.xml:

{{{
<!-- Bb Transact requires its own unique FriendlyNames so add definitions and encoders with those FriendlyNames -->

    <resolver:AttributeDefinition id="BbTemail" xmlns="urn:mace:shibboleth:2.0:resolver:ad" xsi:type="Simple" sourceAttributeID="onemail">
       <resolver:Dependency ref="onemail" />
       <resolver:AttributeEncoder xmlns="urn:mace:shibboleth:2.0:attribute:encoder" xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="BbSPEmailAddress" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="BbTFirstName" xmlns="urn:mace:shibboleth:2.0:resolver:ad" xsi:type="Simple" sourceAttributeID="FirstName" >
       <resolver:Dependency ref="FirstName" />
       <resolver:AttributeEncoder xmlns="urn:mace:shibboleth:2.0:attribute:encoder" xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="BbSPFirstName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="BbTLastName" xmlns="urn:mace:shibboleth:2.0:resolver:ad" xsi:type="Simple" sourceAttributeID="LastName">
       <resolver:Dependency ref="LastName" />
       <resolver:AttributeEncoder xmlns="urn:mace:shibboleth:2.0:attribute:encoder" xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="BbSPLastName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="BbTusername" xmlns="urn:mace:shibboleth:2.0:resolver:ad" xsi:type="Simple" sourceAttributeID="oktanameid">
       <resolver:Dependency ref="oktanameid" />
       <resolver:AttributeEncoder xmlns="urn:mace:shibboleth:2.0:attribute:encoder" xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="BbSPUserName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="BbTbannerID" xmlns="urn:mace:shibboleth:2.0:resolver:ad" xsi:type="Simple" sourceAttributeID="uakPersonID">
       <resolver:Dependency ref="uakPersonID" />
       <resolver:AttributeEncoder xmlns="urn:mace:shibboleth:2.0:attribute:encoder" xsi:type="SAML2String" name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" friendlyName="BbSPCustomerNumber" />
    </resolver:AttributeDefinition>
}}}

5. Finally, to release these unique attributes to Bb Transact, the following policy was added to attribute-filter.xml:

{{{
<AttributeFilterPolicy id="releaseToTransact">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt" />

    <AttributeRule attributeID="oktanameid">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="BbTLastName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="BbTFirstName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="BbTbannerID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="BbTemail">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="BbTusername">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
}}}
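Steps 3 to 5 only work together if the resolver, the encoders and the filter policy agree on attribute IDs and !FriendlyNames, and a silent mismatch (a rule for an undefined attribute, a FriendlyName Transact expects that nothing released carries, or the NameID source left out of the policy) shows up only as a failed login on the vendor side. The following checker is an added example, not part of this wiki page or of the Shibboleth IdP: it parses trimmed copies of the page's attribute-resolver.xml and attribute-filter.xml fragments (Dependency elements and the script body dropped, root elements added so they parse stand-alone) and reports every such inconsistency for the Transact requester. The expected set of !FriendlyNames is the one encoded in step 4; everything else is the page's own configuration.

```python
"""Added example; not part of the wiki page or the Shibboleth IdP.  Cross-checks steps 3-5:
every attribute the filter releases to the Transact requester must be defined in the resolver
with a SAML2String encoder carrying a FriendlyName Transact consumes, and the attribute that
feeds the NameID must be released as well.  RESOLVER_XML is a trimmed copy of the page's
resolver fragments; filter_xml() rebuilds the page's releaseToTransact policy."""
import xml.etree.ElementTree as ET

TRANSACT_SP = "https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = "{%s}type" % XSI          # how ElementTree spells the xsi:type attribute
TRANSACT_FRIENDLY_NAMES = {"BbSPEmailAddress", "BbSPFirstName", "BbSPLastName",
                           "BbSPUserName", "BbSPCustomerNumber"}

RESOLVER_XML = f"""<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="{XSI}">
  <resolver:AttributeDefinition id="oktanameid" xsi:type="Script">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="username"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="BbTemail" xsi:type="Simple" sourceAttributeID="onemail">
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="BbSPEmailAddress"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="BbTFirstName" xsi:type="Simple" sourceAttributeID="FirstName">
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="BbSPFirstName"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="BbTLastName" xsi:type="Simple" sourceAttributeID="LastName">
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="BbSPLastName"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="BbTusername" xsi:type="Simple" sourceAttributeID="oktanameid">
    <resolver:AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="BbSPUserName"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="BbTbannerID" xsi:type="Simple" sourceAttributeID="uakPersonID">
    <resolver:AttributeEncoder xsi:type="SAML2String" name="https://iam.alaska.edu/trac/wiki/IamUaArp#uakPersonID" friendlyName="BbSPCustomerNumber"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# attributeIDs the page's releaseToTransact policy permits, in the page's order
RELEASED = ["oktanameid", "BbTLastName", "BbTFirstName", "BbTbannerID", "BbTemail", "BbTusername"]


def rule(attr_id):
    return f'<AttributeRule attributeID="{attr_id}"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>'


def filter_xml(released_ids):
    """Rebuild the page's releaseToTransact policy for the given attributeIDs."""
    rules = "\n  ".join(rule(a) for a in released_ids)
    return f"""<AttributeFilterPolicyGroup xmlns:xsi="{XSI}" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic">
<AttributeFilterPolicy id="releaseToTransact">
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="{TRANSACT_SP}"/>
  {rules}
</AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def local(tag):
    """Strip the namespace part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def resolver_encoders(resolver_xml):
    """Attribute id -> set of (encoder xsi:type, friendlyName) pairs found in the resolver."""
    out = {}
    for ad in ET.fromstring(resolver_xml).iter():
        if local(ad.tag) == "AttributeDefinition":
            out[ad.get("id")] = {(e.get(XSI_TYPE), e.get("friendlyName"))
                                 for e in ad if local(e.tag) == "AttributeEncoder"}
    return out


def released_to(filter_xml_text, requester):
    """attributeIDs permitted by every policy whose requester rule names `requester`."""
    released = set()
    for policy in ET.fromstring(filter_xml_text).iter():
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        if any(local(r.tag) == "PolicyRequirementRule" and r.get("value") == requester for r in policy):
            released |= {r.get("attributeID") for r in policy if local(r.tag) == "AttributeRule"}
    return released


def check_transact_release(resolver_xml, filter_xml_text, requester, expected_friendly, nameid_attr):
    """Return a list of problems; an empty list means resolver and filter agree."""
    encoders = resolver_encoders(resolver_xml)
    released = released_to(filter_xml_text, requester)
    problems = [f"filter releases {a} but the resolver does not define it"
                for a in sorted(released - set(encoders))]
    if nameid_attr not in released:
        problems.append(f"{nameid_attr} (NameID source) is not released to {requester}")
    elif not any(t == "SAML2StringNameID" for t, _ in encoders.get(nameid_attr, ())):
        problems.append(f"{nameid_attr} has no SAML2StringNameID encoder")
    seen = {fn for a in released for t, fn in encoders.get(a, ()) if t == "SAML2String"}
    problems += [f"no released attribute carries FriendlyName {fn}" for fn in sorted(expected_friendly - seen)]
    return problems


if __name__ == "__main__":
    for p in check_transact_release(RESOLVER_XML, filter_xml(RELEASED), TRANSACT_SP,
                                    TRANSACT_FRIENDLY_NAMES, "oktanameid") or ["OK: resolver and filter agree"]:
        print(p)
```

The check compares local element names only, so it runs the same against the real files regardless of which namespace prefixes they use; point `resolver_encoders` and `released_to` at the contents of attribute-resolver.xml and attribute-filter.xml to run it against a live IdP configuration.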