Configuring Blackboard Learn
This document refers to the Linux operating system. If you are configuring Blackboard
Learn on Windows, see
http://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Shibboleth_Authentication_Provider_Type.
Note
The following is an overview of the steps required to configure the Blackboard Learn Web
application for single sign-on (SSO) via SAML.
1 Prepare Blackboard Learn for single sign-on.
Create Blackboard Learn user accounts and make sure you have a Blackboard Learn
account with administrator rights to configure SSO.
By default, Blackboard Learn uses its built-in Apache 1.3. You will need to install
Shibboleth on Apache 2 and configure Blackboard Learn to use that. For details, see
"Configuring Shibboleth and Blackboard Learn" on page 25-17.
3 In Cloud Manager, add the application and configure application settings.
For details, see "Configuring Blackboard Learn in Cloud Manager" on page 25-19. Once
the application settings are configured, complete the user account mapping and assign the
application to one or more roles.
4 Integrate the Centrify IdP to the Shibboleth SP.
For details, see "Integrating Centrify IdP with the Shibboleth SP" on page 25-24.
After you have finished configuring the application settings in the Cloud Manager and
integrating the Centrify IdP with the Shibboleth SP, users are ready to launch the
application from the user portal.
A signed certificate.
You can either download one from Cloud Manager or use your organization's trusted
certificate.
Supported?
Yes
Mobile client
Yes
SAML 2.0
Yes
SP-initiated SSO
Yes
IdP-initiated SSO
No
No
Support details
Capability
Supported?
Support details
Yes
User lockout
Yes
Administrator lockout
No
Yes
Self-service password
Yes
Yes
Value
Name
Provider name
Description
Optional description.
Authentication provider
Availability
Select Active
Field
Value
Select Username
Restrict by hostname
Link Text
Configuration
Attribute source
Choose Environment.
Environment
Logout URL
/Shibboleth.sso/Logout
/webapps/bb-auth-provider-shibboleth-BBLEARN/
execute/shibbolethLogin
Notification URL
/webapps/bb-auth-provider-shibboleth-BBLEARN/
shibboleth
7 Click Submit.
8 Log out of the server.
After configuration, there is an additional SSO login link (with your defined Link Text)
on the Blackboard login page.
For additional information about this configuration process, see:
https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator
https://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Shibboleth_Authentication_Provider_Type
The application that you just added opens to the Application Settings page.
7 Specify the following:
Field
Required or
optional
Set it to
What you do
Required
IdP entity ID
Required
to configure Shibboleth.
Shibboleth SP entity ID
Required
element in shibboleth2.xml
8 Click Download Identity Provider SAML Meta data and save the file to your
Shibboleth directory.
9 Click Download Signing Certificate.
10 On the Application Settings page, expand the Additional Options section and
Description
Application ID
Configure this field if you are deploying a mobile application that uses
the Centrify mobile SDK, for example mobile applications that are
deployed into a Samsung KNOX version 1 container. The cloud service
uses the Application ID to provide single sign-on to mobile applications.
Note the following:
The Application ID has to be the same as the text string that is
specified as the target in the code of the mobile application written
using the mobile SDK. If you change the name of the web application
that corresponds to the mobile application, you need to enter the
original application name in the Application ID field.
There can only be one SAML application deployed with the name used
by the mobile application.
The Application ID is case-sensitive and can be any combination of
letters, numbers, spaces, and special characters up to 256 characters.
Option
Description
Select Show in User app list so that this web application displays in the
user portal. (By default, this option is selected.)
If this web application is only needed in order to provide SAML for a
corresponding mobile application, deselect this option. This web
application won't display for users in the user portal.
Security Certificate
These settings specify the signing certificate used for secure SSO
authentication between the cloud service and the web application. Just
be sure to use a matching certificate both in the application settings in
the Cloud Manager and in the application itself. Select an option to
change the signing certificate.
Use existing certificate
When selected, the certificate currently in use is displayed. It's not
necessary to select this option; it's present to display the current
certificate in use.
Use the default tenant signing certificate
Select this option to use the cloud service standard certificate. This is
the default setting.
Use a certificate with a private key (pfx file) from your local storage
Select this option to use your organization's own certificate. To use
your own certificate, you must click Browse to upload an archive file
(.p12 or .pfx extension) that contains the certificate along with its
private key. If the file has a password, you must enter it when
prompted.
11 (Optional) On the Description page, you can change the name, description, and logo
for the application. For some applications, the name cannot be modified.
The Category field specifies the default grouping for the application in the user portal.
Users have the option to create a tag that overrides the default grouping in the user portal.
12 On the User Access page, select the role(s) that represent the users and groups that have
If you select Optional Install, the application doesn't automatically appear in the
user portal and users have the option to add the application.
13 (Optional) On the Policy page, specify additional authentication control for this
option, you must also specify which IP addresses are considered as your intranet by
specifying the Corporate IP range in Settings > Corporate IP Range.
14 On the Account Mapping page, configure how the login information is mapped to the
The above script instructs the cloud service to set the login user name to the user's mail
attribute value in Active Directory and add .ad to the end. So, if the user's mail
attribute value is Adele.Darwin@acme.com, then the cloud service uses
Adele.Darwin@acme.com.ad. For more information about writing a script to map
user accounts, see the SAML application scripting guide.
On the App Gateway page, you can configure the application so that your users can
access it whether they are logging in from an internal or external location. For
applications configured for the App Gateway, users do not have to use a VPN connection
to access the application remotely.
The App Gateway feature is a premium feature and is available only in the Centrify
Identity Service App+ Edition. Please contact your Centrify representative to have the
feature enabled for your account.
Note
Some applications can be used with App Gateway; not all applications are set up to
use this feature. At this time, Web applications may use HTTPS or HTTP, and either the
standard port of 443 or a non-standard port. IP addresses are only supported for on-premise apps and are not supported for external-facing apps.
Note
15 (Optional) To enable App Gateway mode, select Make this application available
locations. You can use an existing external URL or use one that the cloud service
generates automatically for you.
If you use an existing external URL, any links to the application URL do not need to
change and will continue to work as is. However, you do need to upload an SSL
certificate and modify your DNS settings.
To use your existing external URL, select the first option and do the following:
a Enter the existing external URL. You can enter an internal or external URL here.
b Click Upload to browse to and upload your SSL certificate with the private key
for the URL that you entered.
The certificate file has either a .PFX or .P12 filename extension.
To use the auto-generated external URL, select the second option. Later, you'll need
to be sure to notify your users of the updated URL to use.
17 Select a cloud connector to use with the application at the Cloud connectors to use
If you configured the application to use an external URL, next you edit your DNS
settings to accommodate the App Gateway connection to this application. You'll enter a
CNAME record to map this URL to the application's gateway connection URL. For more
information about configuring App Gateway and troubleshooting App Gateway
connection issues, see "Configuring an application to use the App Gateway" on page 325 and "Troubleshooting" on page 3-28.
Note
19 (Optional) On the Advanced page, you can edit the script that generates the SAML
assertion, if needed. In most cases, you don't need to edit this script. For more
information, see the SAML application scripting guide.
On the Changelog page, you can see recent changes that have been made to the
application settings, by date, user, and the type of change that was made.
Note
20 Click Workflow to set up a request and approval work flow for this application.
The Workflow feature is a premium feature and is available only in the Centrify Identity
Service App+ Edition. See Configuring Workflow for more information.
21 Click Save.
After configuring the application settings (including the role assignment) and the
application's web site, you're ready for users to launch the application from the user
portal.
To:
<MetadataProvider type="XML" file="partner-metadata.xml"/>
3 Change:
<SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
To:
<SSO entityID="[Your IdP Entity ID]">
SAML2
</SSO>
4 Copy the meta data XML file you downloaded in "Configuring Blackboard Learn in
To:
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name"
defaultQualifiers="true"/>
</Attribute>
https://help.blackboard.com/en-us/Learn/9.1_SP_14/Administrator/100_Authentication/030_Auth_Implementing/Integrating_Shibboleth
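The shibboleth2.xml edits described above can be checked before restarting the SP. The following is an added example, not part of the original guide or of Centrify's or Shibboleth's tooling: the two XML fragments are constructed samples, the IdP entity ID is a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shibboleth2.xml fragment still carrying the stock values.
STOCK = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions>
      <SSO entityID="https://idp.example.org/idp/shibboleth"
           discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the same fragment after the edits described above.
EDITED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions>
      <SSO entityID="https://idp.placeholder.invalid/saml">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):
    """Strip the XML namespace so the check works across SP schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit_sp_config(xml_text, expected_idp):
    """Return a list of findings; an empty list means the edits were applied."""
    findings = []
    elems = list(ET.fromstring(xml_text).iter())
    sso = [e for e in elems if local(e.tag) == "SSO"]
    if len(sso) != 1:
        return ["expected exactly one <SSO> element, found %d" % len(sso)]
    sso = sso[0]
    if sso.get("entityID") != expected_idp:
        findings.append("SSO entityID is %r, not the IdP entity ID" % sso.get("entityID"))
    for attr in ("discoveryProtocol", "discoveryURL"):
        if attr in sso.attrib:
            findings.append("SSO still has %s (discovery service in use)" % attr)
    protocols = (sso.text or "").split()
    if protocols != ["SAML2"]:
        findings.append("SSO protocols are %s, expected only SAML2" % protocols)
    providers = [e for e in elems if local(e.tag) == "MetadataProvider"]
    if not any(p.get("type") == "XML" and p.get("file") for p in providers):
        findings.append("no MetadataProvider of type XML with a local file")
    return findings
```

Pass the contents of your own shibboleth2.xml and the IdP entity ID shown on the Application Settings page; any finding means the SP would still accept SAML1, still redirect to a discovery service, or not load the downloaded IdP metadata.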