Blackboard Transact & IDP 3.x
Powell, Alan
powela at rpi.edu
Fri Apr 8 14:27:08 EDT 2016
On the bright side, I've learned more about Shibboleth configuration in the
last month than I did in the three years I've been running an IDP - I've
never had any issue with integrating with any of the other six vendor
products we use; it's usually effortless.
At any rate, since it's clear the 443 requirement is hogwash, I switched
to 8443 and got rid of the p:encryptAssertions="false" in <bean
parent="SAML2.AttributeQuery" /> and it works fine. One less thing to bite me
with another integration...
>
>Date: Fri, 8 Apr 2016 15:44:59 +0000
>From: "Cantor, Scott" <cantor.2 at osu.edu>
>To: Shib Users <users at shibboleth.net>
>Subject: RE: Blackboard Transact & IDP 3.x
>
>> I missed your earlier response. I am indeed running it over port 443 and,
>> now that you mention it, it explains why I needed to do it when others
>> seemingly did not. The original document Blackboard provided for using
>> Shibboleth insisted you use port 443 (I'm not suggesting that makes sense
>> but it was in their document)
>
>Thanks. This thing is really something.
>
>I don't really know if what you're doing is secure, or not, but I guess
>it must be authenticating that query somehow for your release policy to
>be working. Maybe it's signing the query.
>
>What it's doing is assuming that because you're using 443, you're not
>doing mutual TLS with the SP, and so there's no MITM protection for the
>data. So it encrypts it by default and treats it as a non-confidential
>channel. That's a feature in V3 that's designed to start migrating people
>to using the front channel port for back channel requests without losing
>security.
>
>-- Scott
>
>