The Shibboleth initiative is developing an open, standards-based solution to meet the need for organizations to exchange information about their users in a secure and privacy-preserving manner. This document offers a brief overview of Shibboleth and explains how it is installed on the Blackboard Learning System.
Shibboleth allows organizations to exchange information about users securely and privately. It is designed so that a person using a web browser (for example, Internet Explorer or Netscape Navigator) can be authorized to access a target site using information held at the user's home security domain. This permits users to access controlled information securely from anywhere without additional passwords or needlessly compromising privacy. For example, if a student is taking classes at two universities and both schools use Shibboleth, the student may have a single user name and password to access information at both universities' Web sites.
Shibboleth is fully supported as a custom authentication option for Blackboard Learning System on UNIX operating systems. Due to the experimental nature of the underlying Shibboleth technologies, and limited operational expertise available for Shibboleth, Blackboard recommends customers consider running a restricted, pilot implementation on a test or development server before making this feature generally available on their system.
Note: The Blackboard Backpack client application does not support Shibboleth authentication.
The following section explains how to install Shibboleth and how to set up Shibboleth with the Blackboard Learning System. These instructions only apply to setting up the Blackboard Learning System as a Shibboleth target.
Note: Shibboleth has only been tested with Blackboard Learning Systems on UNIX Operating Systems.
Part I – Installation
Install Blackboard Learning System and enable OpenSSL.
Configure SSL for Blackboard Learning System. Save the certificate files under blackboard/apps/httpd/conf/certs/. These are formatted as .cer, .crt and .key.
Download the correct Shibboleth package for the operating system and install it. The package is located at http://shibboleth.internet2.edu/.
Follow the Shibboleth v1.1 instructions to install the package. Check that the most current libraries are installed. The Shibboleth directions contain detailed instructions for updating libraries. The institution needs a signed CA certificate, for example, from Verisign. This is the same certificate used for SSL.
Part II – Configure Shibboleth and Blackboard Learning System
Edit blackboard/apps/httpd/conf/httpd.conf to include the /opt/shibboleth/etc/shibboleth/apache.config file. This step must be repeated after PushConfigUpdates is run, because PushConfigUpdates may overwrite this setting.
Add the following to apache.config in the Shibboleth file system. This instructs Shibboleth to protect all files beginning with '/webapps'. The apache.config and .ini files are located in /opt/shibboleth/etc/shibboleth.
<Location /webapps>
AuthType shibboleth
require affiliation ~ ^member@.+$
# This rule below accepts any valid principal name passed from the Origin.
require user ~ ^.+$
</Location>
The value of the “require” directive is dependent on the Attribute Acceptance and Attribute Release Policies for the Target and Origin, respectively. Check with the Shibboleth federation administration for details on what attributes will be released to your Target.
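The following is an added example (not Blackboard's or Shibboleth's own code) that evaluates the two require rules above against constructed attribute releases. It assumes the Apache default that several require lines are combined as any-match, and adds the scope check an Attribute Acceptance Policy would apply using the Origin's <Domain> value from the sites file; the require_all switch is there only to show what the same rules grant under all-match.

```python
import re

# The page's <Location /webapps> rules, quoted here so they can be evaluated offline.
APACHE_CONFIG = """
AuthType shibboleth
require affiliation ~ ^member@.+$
# This rule below accepts any valid principal name passed from the Origin.
require user ~ ^.+$
"""

# <Domain> value from the page's OriginSite entry: the scopes this Origin may assert.
ORIGIN_DOMAINS = {"qa.dc.blackboard.com"}

RULE_RE = re.compile(r"^\s*require\s+(\S+)\s+~\s+(\S+)\s*$")


def parse_rules(config):
    """Extract (attribute name, compiled regex) pairs from regex-style require lines."""
    return [(m.group(1), re.compile(m.group(2)))
            for m in map(RULE_RE.match, config.splitlines()) if m]


def scope_accepted(value, domains):
    """Attribute Acceptance check: keep a scoped value only if its scope belongs to the Origin."""
    if "@" not in value:
        return False
    return value.rsplit("@", 1)[1].lower() in domains


def authorize(attrs, rules, require_all=False):
    """Apply require rules to released attributes (attrs maps rule name -> list of values).
    require_all=False reproduces the Apache default: any satisfied require line grants access."""
    hits = [any(rx.search(v) for v in attrs.get(name, [])) for name, rx in rules]
    return all(hits) if require_all else any(hits)


def evaluate(attrs, require_all=False):
    """Scope-filter the affiliation attribute, then run the page's two rules over what remains."""
    filtered = dict(attrs)
    filtered["affiliation"] = [v for v in attrs.get("affiliation", [])
                               if scope_accepted(v, ORIGIN_DOMAINS)]
    return authorize(filtered, parse_rules(APACHE_CONFIG), require_all)


# Constructed sample releases: a legitimate member, and a principal whose affiliation is
# asserted under a scope the Origin is not registered for (dropped by the acceptance check).
MEMBER = {"user": ["jdoe@qa.dc.blackboard.com"], "affiliation": ["member@qa.dc.blackboard.com"]}
FOREIGN_SCOPE = {"user": ["mallory@qa.dc.blackboard.com"], "affiliation": ["member@other.example"]}
```

Under any-match the catch-all principal-name rule admits the second release on its own, so the affiliation rule only restricts access when the rules are combined as all-match.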
Add the following custom attribute mapping to apache.config:
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonPrincipalName Shib-EP-BBUSER-NAME
If you configure AJP13 as the Apache/Tomcat protocol, you may omit this value.
Edit the Blackboard Tomcat server.xml to use AJP13 as the connector protocol. This should be done using the Ajp13Connector configuration. The AJP12 protocol readers in Tomcat have a bug that prevents REMOTE_USER from being properly propagated from Apache to Tomcat. Additionally, the Coyote connectors have not been tested with Shibboleth. For example (make sure you have disabled any other listeners on the same port):
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
port="8009"
minProcessors="50"
maxProcessors="100"
tomcatAuthentication="false"/>
Edit the /opt/shibboleth/etc/shibboleth/shibboleth.ini file to point to the correct WAYF server. Shibboleth should default to the correct location:
wayfURL=http://servername.blackboard.com:8080/shibboleth/HS
Point to the location of the certificate file, the key file, the CA list and the password (omit the line breaks after the '='):
certfile=/usr/local/blackboard/apps/httpd/conf/certs/server.crt
keyfile=/usr/local/blackboard/apps/httpd/conf/certs/server.key
calist=/usr/local/blackboard/apps/httpd/conf/certs/qa-b64.cer
keypass='password'
Add the PEM-encoded HS certificate to the trust.xml file in /opt/shibboleth/etc/shibboleth. This certificate is the one created as the signing certificate of the origin.
<KeyAuthority>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
Add PEM-encoded HS certificate here
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<Subject>qamigl2.qa.dc.blackboard.com</Subject>
</KeyAuthority>
Change the authentication type in the Blackboard bb-config.properties file:
bbconfig.auth.type=shib
Uncomment all the Shibboleth Authentication Properties in the Blackboard authentication.properties file.
Edit the sites.xml file under /opt/shibboleth/etc/shibboleth to point to a valid origin server. See the example below.
<OriginSite Name="qamigl2.qa.dc.blackboard.com">
<Alias>Blackboard QA Testing Origin</Alias>
<Contact Type="technical" Name="John Doe" Email="jdoe@blackboard.com"/>
<HandleService Location="http://qamigl2.qa.dc.blackboard.com:8080/shibboleth/HS" Name="qamigl2.qa.dc.blackboard.com"/>
<Domain>qa.dc.blackboard.com</Domain>
</OriginSite>
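Added example (not Blackboard's or Shibboleth's own code) that cross-checks the trust.xml and sites.xml fragments shown above: it assumes the HandleService Name is the signer name the target looks up among the KeyAuthority <Subject> entries, flags a trust entry that still holds the placeholder instead of a certificate, and notes a HandleService Location that is not served over https. The XML below is a constructed copy of the page's fragments with the ds namespace declared so it parses.

```python
import xml.etree.ElementTree as ET
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples mirroring the page's trust.xml and sites.xml fragments; the
# certificate body is the page's placeholder text, not a real certificate.
TRUST_XML = """<Trust xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <KeyAuthority>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Add PEM-encoded HS certificate here</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
    <Subject>qamigl2.qa.dc.blackboard.com</Subject>
  </KeyAuthority>
</Trust>"""
SITES_XML = """<Sites>
  <OriginSite Name="qamigl2.qa.dc.blackboard.com">
    <Alias>Blackboard QA Testing Origin</Alias>
    <HandleService Location="http://qamigl2.qa.dc.blackboard.com:8080/shibboleth/HS"
                   Name="qamigl2.qa.dc.blackboard.com"/>
    <Domain>qa.dc.blackboard.com</Domain>
  </OriginSite>
</Sites>"""
PLACEHOLDER = "Add PEM-encoded HS certificate here"

def trusted_subjects(trust_xml):
    """Map each KeyAuthority <Subject> to whether its entry carries a real certificate body."""
    subjects = {}
    for ka in ET.fromstring(trust_xml).iter("KeyAuthority"):
        cert = ka.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        body = (cert.text or "").strip() if cert is not None else ""
        has_cert = bool(body) and body != PLACEHOLDER
        for s in ka.findall("Subject"):
            subjects[(s.text or "").strip()] = has_cert
    return subjects

def check_sites(sites_xml, trust_xml):
    """Return findings: HS names with no trust entry, entries without a certificate, plaintext HS URLs."""
    subjects = trusted_subjects(trust_xml)
    findings = []
    for site in ET.fromstring(sites_xml).iter("OriginSite"):
        for hs in site.findall("HandleService"):
            name, loc = hs.get("Name", ""), hs.get("Location", "")
            if name not in subjects:
                findings.append(f"{name}: no KeyAuthority Subject in trust.xml")
            elif not subjects[name]:
                findings.append(f"{name}: trust entry still holds the placeholder, not a PEM certificate")
            if not loc.lower().startswith("https://"):
                findings.append(f"{name}: HandleService Location {loc} is not https")
    return findings
```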
Start the shar executable on the Shibboleth server:
/opt/shibboleth/bin/shar -f
Restart the Blackboard web services
/usr/local/blackboard/tools/admin/ServiceController.sh services.restart
The following information explains certificates that are needed for Shibboleth.
The certificate must be signed by an authority.
If a test certificate is used, then the Administrator must coordinate with representatives from Shibboleth to be added to the trusted list of institutions (this is referred to as In Queue).
Users of a system that participates in Shibboleth will go through the following steps to log in:
Click Login on the Blackboard Learning System Login page.
Choose the institution from the drop-down list.
Enter login and password information and click Login.
Users may enter the URL for another institution that participates in Shibboleth and enter that school’s Web site.