Blackboard 9.1 - Guidance

Richard Wendel richard.e.wendel at
Fri Nov 18 21:36:08 GMT 2011

I got some guidance from a person with Blackboard. Certainly gave me the
confidence that even in my Shib 2.4.x attempt I actually did have it setup

What I was doing wrong was passing in unscoped attributes ( not claim :D )
into the SAML token. I have mapped StudentID (batch uid/external uid in
Blackboard) to AD acct attribute EmployeeID. I was publishing it to both
the eduPersonPrincipalName attribute. I modified my custom ADFS rule (that
swaps the attribute to eduPersonPrincipalName) to just append '@local'
(Value = c.Value + '@local') on to my attribute (using for local SSO, no
outside federated IDs). Another option would have been of course to switch
to UPN or Email address as the mapped ID, but for name/account changes
mid-term, this would cause more problems in the short term.

Thanks all!


On Thu, Nov 17, 2011 at 3:07 PM, Cantor, Scott <cantor.2 at> wrote:

> On 11/17/11 2:17 PM, "Richard Wendel" <richard.e.wendel at> wrote:
> >
> >I wanted to find out if anyone was using the Blackboard Shibboleth
> >authentication module with current (2.4.x) software and what additional
> >steps were needed. I have already repackaged the RPM for Apache 1.3.41
> >that is included in Blackboard 9.1. I have it passing me to a "secure"
> >area after successfully authenticating against my ADFS, so it appears
> >that my Apache integration specifically of Shibboleth works fine.
> Then apart from support issues, there's no concern.
> >My guess is that I believe previous versions used the Header vars to pass
> >info, and current uses the Env vars.
> Both support both. Defaults are different.
> > In addition, they recommend a separate mapped var (ShibMapAttribute)
> >when using Ajp1.2 (which is what is there) since REMOTE_USER doesn't get
> >sent properly, which isn't an Apache directive in the current versions of
> >Shib.
> I don't even remember what that command did to be honest, but there is no
> material difference here, and REMOTE_USER works fine with AJP.
> >Also, is there a way to log/capture the unencrypted claims after
> >attribute mapping in Shib so I can verify the claims mapping from ADFS to
> >what Shib expects like eppn, etc.
> Attribute, not claim. When MS starts enhancing their offering, I'll
> consider using their invented terminology. ;-)
> If you can see the headers and/or environment, you see exactly what the
> app sees. If you're talking about dumping the SAML, that's available via
> logging. If you mean something else, let me know.
> Bottom line, the app integration available with SP 1.x is all supported in
> 2.x, no exceptions.
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list