Shibboleth allows organizations to exchange information about users securely and privately. Shibboleth is a single sign-on system that authenticates visitors to a website by accessing information stored on the user’s security domain. This permits users to access controlled information securely from anywhere without additional passwords or needlessly compromising privacy. For example, if a student is taking classes at two universities, and both schools use Shibboleth, the student may have a single username and password to access information at both universities’ websites.
The Shibboleth provider shipped with Learn cannot be configured in isolation like the other providers. You need additional software installed on the Learn server and additional configuration is required. This provider is considered a custom authentication provider. On Windows, you can install Shibboleth 2.x with the default IIS7. On UNIX systems, another key component requirement of a Shibboleth Authentication Integration is the installation of Apache™ HTTP Server 2. Apache 1.3 is not compatible with Shibboleth 2.x.
An important note about using CAS/Shibboleth and Blackboard Drive, Mobile, or WebDAV
Authentication Providers in Learn can be based on two possible Authentication Mode types, REDIRECT and USER_PASS:
REDIRECT type providers, such as CAS and Shibboleth, hand off authentication to the remote authentication source, which will handle the validation of the username/password. They are designed for SSO (Single SignOn) type scenarios where users will engage the SSO by selecting a link in the login page (multiple provider scenario), automatically by accessing the Blackboard system (single provider scenario), or by accessing a link to the authentication provider that is made available in an external system such as a portal (external access scenario).
USER_PASS type providers, such as Learn Default and LDAP validate the username/password directly with the authentication source. These providers are called when the username/password is entered on the login page or when client applications such as Blackboard Drive, WebDAV, or Mobile attempt authentication. These providers also allow for provider chaining (i.e. choosing the order in which the authentication providers should attempt validation) and authentication failback (i.e. allowing for username/password validation with the authentication source as a secondary means when needed – see the warning below).
The REDIRECT Authentication types are suitable only for web based SSO for browser-based application authentication use cases and are not suitable for use in out-of-band desktop application cases or contexts which require USER_PASS authentication. Use of any Authentication Provider other than USER_PASS when using additional Blackboard products such as Blackboard Drive or Mobile or native WebDAV will require provisioning of at least one USER_PASS authentication type (see help pages for Mobile and Blackboard Drive) or use of a custom authentication type provided by you or Consulting Services.
For example, if you wish to configure an LDAP authentication provider for fallback you can follow the instructions found in the LDAP Authentication Type topic. If you wish to configure the local database, use the Learn Default authentication provider and ensure that you have loaded the user/password information in the Blackboard system.
If your environment supports Kerberos, the use of a custom authentication type for Kerberos provided by Consulting may also be an alternative to configuring the LDAP or Default providers.
If you have any questions, contact Blackboard Learn or Mobile Support, your Sales Engineer, or your Consulting Services representative.
For detailed information about integrating Shibboleth see Integrating Shibboleth.
Configure a Shibboleth provider
You need to create and configure a Shibboleth provider prior to installing the Shibboleth software on the Learn application servers.
- Optionally, set the:
- Attribute Source as Environment. The default is HTTP headers. This defines where Learn loads the Shibboleth attributes from. Apache (UNIX) typically provides attributes using environment variables, while IIS (Windows) provides them using HTTP headers.
- Shibboleth Spoof Key. The default is a randomly generated key. This key is a shared secret that ensures HTTP headers cannot be tampered with. Make a note of this key as you need it when configuring the Shibboleth software. You can set this property only if the Attribute Source property is set to HTTP headers.
- Provide the Logout URL. The default is /Shibboleth.sso/Logout. This represents the URL that users are redirected to when they select Logout within Learn. You may provide a URL that is relative to Learn or an absolute URL.
- Make a note of the Secure Location URL and Notification URL as these are needed when configuring the Shibboleth software.
- Select Submit to save the configuration.
Before making the new authentication provider Active if your Learn application servers are UNIX you need to install and configure the Shibboleth software and Apache™ HTTP Server 2.x. Once installed, select Test Connection Settings from the menu to confirm that the configuration works as expected.