Blackboard Transact and IdP 3

Michael A Grady mgrady at
Tue May 24 16:30:45 EDT 2016

No, Transact did not require EPPN in the Subject, it worked fine, at least with IdPv2, with Transient or CryptoTransient as the NameId. Some things about Transact that have been sent to this list before:

 - has no allowance/capability for checking the front-channel signature, which is why it "ignores" any and all attributes sent that way,
 - only cares about the FriendlyName for attributes, ignores the actual name,
 - always does the back-channel attribute query, because that's the only way it has "security" around the attributes it receives

I got a site working with v2 using Scott's added CryptoTransient support for v2. But it was trial and error, as one gets no feedback from the other side. Most frustrating integration I can recall.

Presumably it works with v3 with the default Transient which is essentially equivalent to the crypto-transient for v2.

> On May 24, 2016, at 12:28 PM, IAM David Bantz <dabantz at> wrote:
> Here's my working v2 relying party config for Transact:
> <!-- BlackBoard Transact does not support encryption; uses AttributeQuery 2014-10-23 -->
>    <RelyingParty id=" <>"
>        provider=" <>"
>        defaultSigningCredentialRef="IdPCredential"
>        defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
>        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
>        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" encryptAssertions="never" encryptNameIds="never" />
>    </RelyingParty>
> Additional unique aspects of the Transact SP are:
> <!-- Bb Transact require something like ePPN in the SAML Subject -->
> <!-- Bb Transact requires its own unique FriendlyNames so add definitions and encoders with those FriendlyNames -->
> David Bantz
> UAlaska
> On Tue, May 24, 2016 at 8:24 AM, Peter Schober <peter.schober at <mailto:peter.schober at>> wrote:
> * James McCartin <jmccartin at <mailto:jmccartin at>> [2016-05-24 17:56]:
> > The SP does ignore the attributes sent in the HTTP POST and then
> > queries the IdP.  What can I look at to confirm that my v3 IdP
> > supports this type of attribute query?
> The documentation? I have no idea how you deployed your IDP, how you
> decided supported SOAP queries, on what port, involving what
> containers, etc.
> Assuming for now you have properly configured SOAP support, I'd start
> with making sure the port you publish for your IDP's
> AttributeAuthority endpoints is open on the firewall.
> I.e., if <> is your IDP
> make sure that <> can be reached
> from the outside world -- it currently isn't.
> If in doubt look at the SAML Metadata the SP in question has about
> your IDP, and make sure the endpoints puiblished there are reachable.
> -peter
> --
> To unsubscribe from this list send an email to users-unsubscribe at <mailto:users-unsubscribe at>
> --
> To unsubscribe from this list send an email to users-unsubscribe at

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the users mailing list