
Chapter 25

Configuring Blackboard Learn
Note: This document refers to the Linux operating system. If you are configuring Blackboard Learn on Windows, see http://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Shibboleth_Authentication_Provider_Type.

The following is an overview of the steps required to configure the Blackboard Learn Web application for single sign-on (SSO) via SAML.

1 Prepare Blackboard Learn for single sign-on.

Create Blackboard Learn user accounts and make sure you have a Blackboard Learn account with administrator rights to configure SSO.

2 Configure the Blackboard Learn application to use Shibboleth.

By default, Blackboard Learn uses its built-in Apache 1.3. You will need to install Shibboleth on Apache 2 and configure Blackboard Learn to use that. For details, see "Configuring Shibboleth and Blackboard Learn" on page 25-17.

3 In Cloud Manager, add the application and configure application settings.

For details, see "Configuring Blackboard Learn in Cloud Manager" on page 25-19. Once the application settings are configured, complete the user account mapping and assign the application to one or more roles.

4 Integrate the Centrify IdP to the Shibboleth SP.

For details, see "Integrating Centrify IdP with the Shibboleth SP" on page 25-24.

After you have finished configuring the application settings in the Cloud Manager and integrating the Centrify IdP with the Shibboleth SP, users are ready to launch the application from the user portal.

Preparing for Configuration


Blackboard Learn requirements for SSO

Before you configure the Blackboard Learn web application for SSO, you need the following:

An active Blackboard Learn account with administrator rights for your organization.

A signed certificate. You can either download one from Cloud Manager or use your organization's trusted certificate.

Setting up the certificates for SSO


To establish a trusted connection between the web application and the cloud service, you
need to have the same signing certificate in both the application and the application settings
in Cloud Manager.
If you use your own certificate, you upload the signing certificate and its private key in a
.pfx or .p12 file to the application settings in Cloud Manager. You also upload the public
key certificate in a .cer or .pem file to the web application.
To download an application certificate from Cloud Manager (overview):
1 In the Apps page, add the application.
2 Click the application to open the application details.
3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.

What you need to know about Blackboard Learn


Each SAML application is different. The following table lists features and functionality
specific to Blackboard Learn.
Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | Yes | iOS and Android
SAML 2.0 | Yes |
SP-initiated SSO | Yes | If SP-initiated is enabled, IdP-initiated SSO is still supported.
IdP-initiated SSO | No |
Force user login via SSO only | No | After SSO is enabled, users can continue to log in to Blackboard Learn with their local user name and password.
Separate administrator login after SSO is enabled | Yes | After SSO is enabled, administrators can continue to log in to Blackboard Learn with their local user name and password.
User lockout | Yes | Admin can Make Unavailable a user.
Administrator lockout | No |
User provisioning through SAML | No |
Multiple User Types | Yes | Refer to Blackboard Learn documentation for details.
Self-service password | Yes | Users can reset their own passwords. Note that administrators cannot reset a user's password.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Cloud Manager Policy page to restrict access to the application.

Configuring Shibboleth and Blackboard Learn


By default, Blackboard Learn uses its built-in Apache 1.3. You will need to install Shibboleth on Apache 2 and configure Blackboard Learn to use that. For details, see https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/060_Installation/Install_UNIX/020_Apache_2

Installing and configuring Shibboleth


To install and configure Shibboleth:
1 In your web browser, go to the following URL:
http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/

2 Download the file:
security:shibboleth.repo

3 Copy the file to:
/etc/yum.repos.d/

4 Sign in as root, and run this command:
yum install shibboleth.x86_64

For additional information about this installation process, see: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall

Configuring Blackboard Learn to use Shibboleth


To configure Blackboard Learn to use Shibboleth:
1 Log in to your Blackboard Learn server as Administrator.
Cloud Manager users guide


2 Select System Admin > Authentication.

3 Select Create Provider > Shibboleth.


4 Fill in the fields as shown:

Field | Value
Name | Provider name
Description | Optional description.
Authentication provider Availability | Select Active
User Lookup Method | Select Username
Restrict by hostname | Select Use this provider for any hostnames
Link Text | Text to display for the provider link.

5 Click Save and Configure.


6 Configure as shown here.

Field | Configuration
Attribute source | Choose Environment.
Environment:
Logout URL | /Shibboleth.sso/Logout
Secure Location URL | /webapps/bb-auth-provider-shibboleth-BBLEARN/execute/shibbolethLogin
Notification URL | /webapps/bb-auth-provider-shibboleth-BBLEARN/shibboleth

7 Click Submit.
8 Log out of the server.

After configuration, there is an additional SSO login link (with your defined Link Text) on the Blackboard login page.

For additional information about this configuration process, see:
https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator
https://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Shibboleth_Authentication_Provider_Type

Configuring Blackboard Learn in Cloud Manager


To add and configure the Blackboard Learn application in Cloud Manager:
1 In Cloud Manager, click Apps.
2 Click Add Web Apps.
The Add Web Apps screen appears.
3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4 Next to the application, click Add.
5 In the Add Web App screen, click Yes to confirm.
Cloud Manager adds the application.
6 Click Close to exit the Application Catalog.
The application that you just added opens to the Application Settings page.
7 Specify the following:

Field | Required or optional | Set it to | What you do
Shibboleth ACS endpoint | Required | Your Blackboard Learn host URL | Replace BLACKBOARD-LEARN-HOST-URL with your Blackboard Learn host URL, e.g. bblearn.acme.com.
IdP entity ID | Required | Use provided value | Do not change. Use this in the SSO element in shibboleth2.xml to configure Shibboleth.
Shibboleth SP entity ID | Required | Your Shibboleth SP entity ID. | Copy from the ApplicationDefaults element in shibboleth2.xml.

8 Click Download Identity Provider SAML Metadata and save the file to your Shibboleth directory.
9 Click Download Signing Certificate.
10 On the Application Settings page, expand the Additional Options section and specify the following settings:


Application ID
Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
There can only be one SAML application deployed with the name used by the mobile application.
The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list
Select Show in User app list so that this web application displays in the user portal. (By default, this option is selected.)
If this web application is only needed in order to provide SAML for a corresponding mobile application, deselect this option. This web application won't display for users in the user portal.

Security Certificate
These settings specify the signing certificate used for secure SSO authentication between the cloud service and the web application. Just be sure to use a matching certificate both in the application settings in the Cloud Manager and in the application itself. Select an option to change the signing certificate.
Use existing certificate: When selected, the certificate currently in use is displayed. It's not necessary to select this option; it's present to display the current certificate in use.
Use the default tenant signing certificate: Select this option to use the cloud service standard certificate. This is the default setting.
Use a certificate with a private key (pfx file) from your local storage: Select this option to use your organization's own certificate. To use your own certificate, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.

11 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.
The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.
12 On the User Access page, select the role(s) that represent the users and groups that have access to the application.
When assigning an application to a role, select either Automatic Install or Optional Install:
Select Automatic Install for applications that you want to appear automatically for users.
If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

13 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

14 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:
Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.
Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add .ad to the end. So, if the user's mail attribute value is Adele.Darwin@acme.com then the cloud service uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting guide.
On the App Gateway page, you can configure the application so that your users can access it whether they are logging in from an internal or external location. For applications configured for the App Gateway, users do not have to use a VPN connection to access the application remotely.
The App Gateway feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

Note: Some applications can be used with App Gateway; not all applications are set up to use this feature. At this time, Web applications may use HTTPS or HTTP, and either the standard port of 443 or a non-standard port. IP addresses are only supported for on-premise apps and are not supported for external-facing apps.


15 (Optional) To enable App Gateway mode, select Make this application available via the internet.
The Centrify identity platform verifies the application settings and displays the URL that you provided in application settings as the internal URL for the application.
16 Specify the external URL that users open to access the application from external locations. You can use an existing external URL or use one that the cloud service generates automatically for you.
If you use an existing external URL, any links to the application URL do not need to change and will continue to work as is. However, you do need to upload an SSL certificate and modify your DNS settings.
To use your existing external URL, select the first option and do the following:
a Enter the existing external URL. You can enter an internal or external URL here.
b Click Upload to browse to and upload your SSL certificate with the private key for the URL that you entered. The certificate file has either a .PFX or .P12 filename extension.
To use the auto-generated external URL, select the second option. Later, you'll need to be sure to notify your users of the updated URL to use.
17 Select a cloud connector to use with the application at the Cloud connectors to use with this service section. Choose one of the following:
Any available: Select this option to allow the Centrify Identity Service to randomly select one of the available cloud connectors for your App Gateway configuration. Click Test Connection to make sure the connection between the cloud connector and the application is successful.
Choose: Select this option to specify one or more cloud connectors to use for your App Gateway configuration. If you select more than one cloud connector, the Centrify Identity Service randomly chooses one of the selected cloud connectors to use for the application. Once the configuration is saved, each future App Gateway request uses a random cloud connector from those selected, as long as the cloud connector is online. Once you select the cloud connectors you want to use, click Test Connection to make sure the connection between the selected cloud connectors and the application is successful. At least one cloud connector must succeed in order to save the configuration.
Note: If any of the cloud connectors are offline, they are not displayed in the list of available cloud connectors.

18 Click Save to save the App Gateway changes.


Note: If you configured the application to use an external URL, next you edit your DNS settings to accommodate the App Gateway connection to this application. You'll enter a CNAME record to map this URL to the application's gateway connection URL. For more information about configuring App Gateway and troubleshooting App Gateway connection issues, see "Configuring an application to use the App Gateway" on page 3-25 and "Troubleshooting" on page 3-28.

19 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see the SAML application scripting guide.

Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

20 Click Workflow to set up a request and approval workflow for this application.
The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.
21 Click Save.

After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.

Integrating Centrify IdP with the Shibboleth SP


To integrate Centrify IdP with the Shibboleth SP:
1 On your server, open /etc/shibboleth/shibboleth2.xml in a text editor.
2 Change:
<!--<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->

To:
<MetadataProvider type="XML" file="partner-metadata.xml"/>

3 Change:
<SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>

To:
<SSO entityID="[Your IdP Entity ID]">
SAML2
</SSO>

4 Copy the metadata XML file you downloaded in "Configuring Blackboard Learn in Cloud Manager" on page 25-19 to:
/etc/shibboleth/partner-metadata.xml

5 Open /etc/shibboleth/attribute-map.xml in a text editor.


6 Change:
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder"
formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>

To:
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name"
defaultQualifiers="true"/>
</Attribute>

7 Sign in as root, and run this command:
/sbin/service shibd restart
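Before restarting shibd it is worth checking that the three files touched above actually agree with each other and with what was downloaded from Cloud Manager. The script below is an added example written for this chapter; it is not part of the Centrify guide or of the Shibboleth project. It parses shibboleth2.xml, partner-metadata.xml and attribute-map.xml and reports the edits that most often go wrong: a MetadataProvider left commented out (step 2), an SSO entityID that does not match the entityID in the IdP metadata or a protocol list that still contains SAML1 (step 3), a persistent-id formatter that is not plain $Name (step 6), and, covering the point made in "Setting up the certificates for SSO", a downloaded signing certificate whose SHA-256 fingerprint differs from the certificate advertised in the metadata. Every sample input is constructed: the entity IDs, host names and certificate bytes are placeholders (the "certificate" is not a real X.509 certificate, only bytes to hash), the shibboleth2.xml skeleton assumes the Shibboleth SP 2.x configuration namespace, and the function names are ours.

```python
# Added example: offline consistency check for the Shibboleth SP files edited in this
# procedure; not part of the Centrify guide or of Shibboleth. Every sample input is
# constructed: entity IDs, host names and the "certificate" bytes are placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

def _local(tag):
    """Tag name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]

def _find(root, name):
    """First element (root included) with the given local name, or None."""
    return next((el for el in root.iter() if _local(el.tag) == name), None)

def pem_to_der(text):
    """Decode a .cer/.pem file, or bare base64 from metadata, into DER bytes."""
    lines = [ln.strip() for ln in text.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as certificate tools print it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def idp_identity(metadata_xml):
    """Return (entityID, signing-certificate DER) from the IdP metadata file."""
    root = ET.fromstring(metadata_xml)
    entity_id = _find(root, "EntityDescriptor").get("entityID")
    for kd in root.iter():  # a KeyDescriptor with no use attribute also signs
        if _local(kd.tag) == "KeyDescriptor" and kd.get("use", "signing") == "signing":
            return entity_id, pem_to_der(_find(kd, "X509Certificate").text)
    raise ValueError("metadata has no signing KeyDescriptor")

def check_sp_config(shibboleth2_xml, metadata_xml, downloaded_pem):
    """Return a list of findings; an empty list means the SP agrees with the IdP."""
    findings = []
    root = ET.fromstring(shibboleth2_xml)
    idp_id, idp_cert = idp_identity(metadata_xml)
    # Step 2: a MetadataProvider still inside <!-- --> is invisible to the parser, as to shibd.
    providers = [el for el in root.iter() if _local(el.tag) == "MetadataProvider"]
    if not any(p.get("file") == "partner-metadata.xml" for p in providers):
        findings.append("MetadataProvider for partner-metadata.xml missing or commented out")
    # Step 3: the SSO element must name the Centrify IdP and list SAML2 only.
    sso = _find(root, "SSO")
    sso_id = sso.get("entityID") if sso is not None else None
    if sso_id != idp_id:
        findings.append(f"SSO entityID {sso_id!r} != metadata entityID {idp_id!r}")
    protocols = (sso.text or "").split() if sso is not None else []
    if protocols != ["SAML2"]:
        findings.append(f"SSO protocol list is {protocols}, expected ['SAML2']")
    # Certificate setup: the certificate downloaded from Cloud Manager must be the one
    # the metadata advertises, or the IdP's signed assertions will not verify.
    if fingerprint(pem_to_der(downloaded_pem)) != fingerprint(idp_cert):
        findings.append("downloaded signing certificate differs from the metadata certificate")
    return findings

def check_attribute_map(attribute_map_xml):
    """Step 6: persistent-id must be formatted as plain $Name for Username lookup."""
    root = ET.fromstring(attribute_map_xml)
    for attr in root.iter():
        if _local(attr.tag) == "Attribute" and attr.get("id") == "persistent-id":
            dec = _find(attr, "AttributeDecoder")
            return dec is not None and dec.get("formatter") == "$Name"
    return False

# Constructed placeholder, NOT a real X.509 certificate: just bytes to fingerprint.
_FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
DOWNLOADED_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_B64}\n-----END CERTIFICATE-----\n"
PARTNER_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_FAKE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# shibboleth2.xml after steps 2 and 3 (constructed; Shibboleth SP 2.x namespace assumed).
EDITED_SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://bblearn.acme.com/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso" handlerSSL="true">
      <SSO entityID="https://idp.example.test/saml">
        SAML2
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""
# The same file before steps 2 and 3 were applied (constructed from the edited one).
UNEDITED_SHIBBOLETH2 = EDITED_SHIBBOLETH2.replace(
    'entityID="https://idp.example.test/saml">', 'entityID="https://idp.example.org/idp/shibboleth">'
).replace("SAML2\n", "SAML2 SAML1\n").replace("<MetadataProvider", "<!--<MetadataProvider").replace(
    'partner-metadata.xml"/>', 'partner-metadata.xml"/>-->')
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
  </Attribute>
</Attributes>"""
```

On a real server, read /etc/shibboleth/shibboleth2.xml, /etc/shibboleth/partner-metadata.xml and the downloaded .cer/.pem file into strings and pass them to check_sp_config; an empty list means the three files agree, and any finding names the step to revisit. The fingerprint the script computes is the same SHA-256 fingerprint that openssl x509 -noout -fingerprint -sha256 prints for the downloaded certificate, so it can be compared by eye as well. Because ElementTree drops XML comments while parsing, a MetadataProvider that was never uncommented is reported as missing, which is precisely how shibd would see it.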

For more information about Blackboard Learn


For more information about configuring Blackboard Learn for SSO:

Configure Blackboard Learn for Shibboleth:
https://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Shibboleth_Authentication_Provider_Type

Configure Shibboleth for Blackboard Learn:
https://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Integrating_Shibboleth
