Blackboard Transact and IdP 3

db@alaska.edu dabantz at alaska.edu
Tue May 24 10:56:07 EDT 2016


If I recall correctly, Bb Transact is unusual in making two requests to the IdP. It ignores attributes in the IdP's authN response except to pull a (transient) ID, which is then used to make an attribute query which you have to explicitly support.

David.Bantz at Alaska.edu


> On May 24, 2016, at 06:36, James McCartin <jmccartin at loyola.edu> wrote:
> 
> I've set up an IdP v3 server.  It works with all of my SPs except Blackboard Transact. 
>  
> On my IdP v2 server, the log shows the following when logging in to Bb Transact:
>  
> 20160518T091808Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_281E36148A90137BEB2F951454AAFD5E|https://sp.transactsp.com/shibboleth-sp/eacct-loyola-sp.blackboard.com/eaccounts|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shibprodapp.loyola.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_37e97a02028ff0c58ccf9d21c2415708|nsbabirye|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,eduPersonAffiliation,surname,eduPersonScopedAffiliation,loyolaID,givenName,memberOf,commonName,loyCampusHousing,BblastName,transientId,BbgivenName,eduPersonTargetedID,BbuserName,email,Bbemail,displayName,|_50a2bc08a2dc76a9e945e2684aa880e3||
>  
> 20160518T091809Z|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_139A6FB6324A1B8F6EB0044E5FFCD7B1|https://sp.transactsp.com/shibboleth-sp/eacct-loyola-sp.blackboard.com/eaccounts|urn:mace:shibboleth:2.0:profiles:saml2:query:attribute|https://shibprodapp.loyola.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:SOAP|_ad00eddc06406f88fc4b2063ee36cae1|nsbabirye||eduPersonPrincipalName,eduPersonAffiliation,surname,eduPersonScopedAffiliation,loyolaID,givenName,memberOf,commonName,loyCampusHousing,BblastName,transientId,BbgivenName,eduPersonTargetedID,BbuserName,email,Bbemail,displayName,|_50a2bc08a2dc76a9e945e2684aa880e3|_21f765d7e371d879a7a341218ad19816,|
>  
> On my IdP v3 server, the log shows the following when logging in to Bb Transact:
>  
> 20160519T094437Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_A7CEDB9D1C609C863316C7A5D2E53A3B|https://sp.transactsp.com/shibboleth-sp/eacct-loyola-sp.blackboard.com/eaccounts|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibprodapp.loyola.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_eb749e6e4984aaebd70b94400b5340bb|jmccartin|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|BblastName,commonName,telephoneNumber,Bbemail,eduPersonAffiliation,displayName,givenName,BbuserName,BbgivenName,title,eduPersonScopedAffiliation,loyCampusHousing,surname,eduPersonPrincipalName,email|AAdzZWNyZXQxGfgGRtIpzGacHGAKrI0Fwk8ZmTQgFviVuOzTpV+gGBdhSzb0i67h3BFoFaQsn6nbcDUdhqx/7QbykjV/0tqOcHp1CFdPtQ1fOKsCllNHlsliSYqhf5/k4Ulcz0r8DuWS7rBJ98SH5iZD0hbnjYHTsEWnYiO5UP3FpD/qyxtRtH+HLCOTBe2tojbzQ0I=|_5ad865cc85a89cb0953ee16b63fddf03|
>  
> The SOAP call is not there.  What would prevent the soap call from being made?
>  
> Bb Transact supports IdP v3 with the following configuration (which I made):
>  
> <util:list id="shibboleth.RelyingPartyOverrides">
>  
>     <!--
>     Override example that identifies a single RP by name and configures it
>     for SAML 2 SSO without encryption. This is a common "vendor" scenario.
>     -->
>  
>     <bean parent="RelyingPartyByName" c:relyingPartyIds="[entityIds]">
>         <property name="profileConfigurations">
>             <list>
>                 <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
>                 <bean parent="SAML2.SSO" p:signResponses="never" p:encryptAssertions="false" p:postAuthenticationFlows="attribute-release" />
>                 <bean parent="SAML2.AttributeQuery" p:encryptAssertions="false" />
>             </list>
>         </property>
>     </bean>
>  
> </util:list>
>  
> Thanks,
>  
> James
>  
>  
> James McCartin
> Senior Systems Engineer
> Infrastructure – Technology Services 
> Loyola University Maryland
> 4501 North Charles Street
> Baltimore, MD 21210
> 
> 410-617-2605
> jmccartin at loyola.edu
> 
> www.loyola.edu
>  
> --
> Security Alert: Loyola Technology Services will never ask for your password.  Please do not share it with others.
>  
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net