Blackboard Transact & IDP 3.x

Cantor, Scott cantor.2 at
Fri Apr 8 11:44:59 EDT 2016

> I missed your earlier response. I am indeed running it over port 443 and,
> now that you mention it, it explains why I needed to do it when others
> seemingly did not. The original document Blackboard provided for using
> Shibboleth insisted you use port 443 (I'm not suggesting that makes sense,
> but it was in their document).

Thanks. This thing is really something.

I don't really know if what you're doing is secure, or not, but I guess it must be authenticating that query somehow for your release policy to be working. Maybe it's signing the query.

What it's doing is assuming that because you're using 443, you're not doing mutual TLS with the SP, and so there's no MITM protection for the data. So it encrypts it by default and treats it as a non-confidential channel. That's a feature in V3 that's designed to start migrating people to using the front channel port for back channel requests without losing security.

-- Scott

