Building SAML connection – BlackBoard and OneLogin

It’s been a while since my last blog, and I have been thinking about starting back up for a while now.  So as I have been learning and implementing SSO and SAML, I decided I will blog about it and hopefully get back into the groove of blogging my experiences.  Anyway, let’s get started and SAML it up.  :)

SAML, or Security Assertion Markup Language, is an XML-based open standard for exchanging authentication, authorization and attribute information between two parties, usually an identity provider (IdP) and a service provider (SP).

The most important use case for SAML is to provide Single Sign-On (SSO) for organizations.  This brings one portal for all of the organization’s service providers and lets the user be more efficient than having to log in to multiple SPs and remember separate usernames and passwords.  SSO also gives users a more self-service way to manage passwords.

Here I will talk about my process to get our OneLogin (IdP) to connect with our Blackboard Learn (SP).  First, we’ll need to gather bits of information to make our process quicker.  Then we can set up OneLogin and Blackboard, do a bit of testing, and cover some follow-up information.  Let’s get started.

What we need:

  • An account with Blackboard Learn
  • Support Email / Phone number for Blackboard Learn
  • Account with OneLogin
  • Blackboard Learn Rectangular Icon
  • Blackboard Learn Square Icon
  • SAML-Tracer plugin for the browser
  • Certificate from OneLogin – Blackboard connector
  • Metadata from OneLogin – Blackboard connector (These are different for each connector)

Setting up OneLogin:

Setting up the OneLogin connector was a little more confusing because OneLogin tries to help you out with pre-built connectors that ask for the proper configuration items.  After messing around with the pre-built connector, I ended up using the advanced connector: “SAML Test Connector (Advanced)”.  This connector exposes all of the configuration items.  Let’s get this OneLogin App connector built.

  1. Log in to OneLogin: ({subdomain}.OneLogin.com)
  2. Select Administration
  3. Hover over Apps and select Add Apps
  4. Search for “SAML Test Connector (Advanced)” and select this connector
    1. Enter Display Name
    2. Visible in Portal: Yes
    3. Click on the Rectangular Icon and select the proper image
    4. Click on the Square Icon and select the proper image
    5. Enter a detailed description
    6. Click Save
  5. Now you will see additional tabs at the top; we will use the Configuration, Parameters, SSO and Access tabs next.
  6. Select the Configuration tab
    1. Audience: OneLogin  (This Audience setting will be Blackboard Learn’s Entity ID, and the two will have to match)
    2. Recipient: (We will have to put in a temporary URL until we get the Blackboard Learn provider built, then come back and change it.  Let’s use: https://{sub-domain}.blackboard.com/auth-saml/saml//SSO/alias/{acsID})
    3. ACS (Consumer) URL Validator: (Same as above; use the temporary URL until the Blackboard Learn provider is built, then come back and change it.  Let’s use: https://{sub-domain}.blackboard.com/auth-saml/saml//SSO/alias/{acsID})
    4. ACS (Consumer) URL: (Same as above; use the temporary URL until the Blackboard Learn provider is built, then come back and change it.  Let’s use: https://{sub-domain}.blackboard.com/auth-saml/saml//SSO/alias/{acsID})
  7. Select the Parameters tab
    1. Click Add Parameter
    2. Field Name: “First Name” and select “Include in SAML assertion” > Save
    3. Value: “First Name” > Save
    4. Repeat the steps 1 – 3 to create the following:
      • Field:  “Last Name” – Value “Last Name”
      • Field: “Email” – Value “Email”
  8. Select the SSO tab
    1. SAML Signature Algorithm: SHA-256 (Make sure this matches the Building Blocks – Authentication Provider – SAML settings.  System Admin > Integrations > Building Blocks > Installed Tools > Authentication Provider – SAML > Settings > Signature Algorithm Settings)
    2. Issuer URL: Click the copy button to copy the URL. (This will be needed for Blackboard’s Metadata URL and Validate)
  9. Select the Access tab
    1. Select the Role you would like this application to grant access to. (Roles and Mappings will be a separate blog)
  10. Click Save

Setting up Blackboard:

Setting up Blackboard Learn was pretty straightforward, although I did run into a few bugs that Blackboard support knows about; I just had to learn the workarounds.  The great thing about Blackboard Learn is the ability to maintain multiple connections to separate providers.  This allows you to migrate, or to have multiple ways to connect to Blackboard Learn, without affecting the existing connections.  Let us get to the process of creating a provider in Blackboard with OneLogin.

  1. Log in to Blackboard Learn and click System Admin (https://{sub-domain}.blackboard.com/webapps/login/)
  2. Select Authentication
  3. Now click Create Provider and select SAML
    1. Enter a Name
    2. Enter a Detailed Description
    3. Authentication Provider Availability: Active
    4. User Lookup Method: Username
    5. Restrict by hostname: “Use this provider for any hostname”
    6. Link Text: (This will be the link name on the Blackboard Learn login page, keep it short but detailed)
    7. Click Save and Configure
    8. Entity ID will be the same as the entry you put in for OneLogin’s “Audience” field, so make sure these match: “OneLogin”
    9. Enable Automatic SSO: Enter checkmark
    10. Single Logout Service Type: Checkmark Post, Redirect
    11. Data Source: System
    12. Compatible Data Sources: Checkmark Internal and System
    13. Enable JIT Provisioning: Checkmark
    14. Identity Provider Type: “Point Identity Provider”
    15. Metadata Type: Metadata URL
      1. Click Browse and select the OneLogin Metadata URL from the OneLogin setup process
      2. Click Validate
    16. Custom SAML Attribute: Email
    17. First Name: First Name
    18. Last Name: Last Name
    19. Email: Email
    20. Click Submit
  4. Back on the Authentication page
  5. Hover over the Provider Name you just created and click the drop-down menu
  6. Select Test Connection
  7. Close the Test Connection browser window

Testing:

Now that we have OneLogin and Blackboard configured, let’s make sure SAML is working in all of the possible ways someone might try to access Blackboard Learn.

First, the user may attempt to access Blackboard from the domain URL.

  1. Enter your domain URL into a “New Incognito Browser”. Example:  mydomain.blackboard.com.
  2. You should see at the bottom of your Blackboard login window an option to select: “Sign in with third-party account”
  3. You will now be redirected to your OneLogin page to authenticate
  4. Login and you will be redirected back to Blackboard successfully
  5. Close the Incognito Browser

Second, the user may launch Blackboard from the OneLogin portal.

  1. Log in to OneLogin
  2. Select the proper tab to view the Blackboard Learn App
  3. Click the Blackboard Learn App
  4. Success

Definitions:

These are some of the Fields and Descriptions from OneLogin. Take note that not all of these are synonymous across all vendors.  I will add other Field names if I know of them or update this blog when I learn about them.

  • Service Provider (SP)
  • Identity Provider (IdP)
  • Assertion
    • An assertion is a package of information used by a SAML authority. There are three kinds of assertion statements:
      • Authentication assertions – Used to make the user prove their identity. Created by the IdP.
      • Attribute assertions – Used to supply specific information about a user. Name, number, email…
      • Authorization assertions – Specifies if the user has been granted or denied access to SP.
  • Assertion Consumer Service (ACS)
  • Relay State – Not Required
    • SP will specify a URL, and a user will be redirected after the SSO completes authentication.  If no value is entered, the application will direct the user to the default home page.  The URL can also be used to preserve and convey the state information of the original entity.
  • Audience – Not Required – AKA: Entity ID
    • The Audience is also known as Entity ID in other vendors. The Audience identifies to whom the assertion is intended for at the SP.
  • Recipient – Required when SP expects and validates it
    • This is the endpoint that will receive the SAML assertion & matches the ACS URL.  The Recipient URL improves security by ensuring the SAML response reaches the intended target.
    • Recipient vs Audience: The Recipient identifies the endpoint that receives the SAML response, and the Audience identifies the SP entity the assertion is intended for.
  • ACS (Consumer) URL Validator – Required
    • This field is used by OneLogin to ensure they POST the response to the correct URL.  If the response is initiated by the SP, they will provide the URL to POST the SAML response to.
    • The ACS (Consumer) URL Validator value will take the ACS (Consumer) URL and “escape out” the periods and forward slashes.
    • ^https:\/\/serviceprovider\.com\/saml\/consume\/$  –  Note the anchors ^ and $
  • ACS (Consumer) URL – Required
    • Assertion Consumer URL or ACS is a target endpoint which is listening for requests from the IdP and cannot be changed.
  • Login URL – Required if the SP as SAML initiator is selected
    • The login URL for an SP that starts an SP-initiated SSO flow.
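As an added example (not code from the original post, OneLogin or Blackboard), here is a small Python check that builds the ACS (Consumer) URL Validator regex the way described above (escape periods and slashes, anchor with ^ and $) and verifies a constructed SAML response’s Audience and Recipient against the Blackboard values used in this setup. The subdomain and alias id are assumed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Values from the setup above. The subdomain and alias id are assumed
# placeholders for this example, not a real tenant's values.
AUDIENCE = "OneLogin"
ACS_URL = "https://mydomain.blackboard.com/auth-saml/saml//SSO/alias/abc123"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def acs_url_validator(acs_url: str) -> str:
    """Build the 'ACS (Consumer) URL Validator' regex: escape periods and
    forward slashes, then anchor with ^ and $ so look-alike URLs fail."""
    return "^" + acs_url.replace(".", r"\.").replace("/", r"\/") + "$"


def check_assertion_targets(response_xml: str, expected_audience: str, acs_url: str) -> dict:
    """Check the two target fields an SP validates: Audience (Blackboard's
    Entity ID) and Recipient (must match the ACS URL validator)."""
    root = ET.fromstring(response_xml)
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    data = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = data.get("Recipient") if data is not None else None
    validator = re.compile(acs_url_validator(acs_url))
    return {
        "audience_ok": audience == expected_audience,
        "recipient_ok": recipient is not None and validator.match(recipient) is not None,
    }


# Constructed sample response (unsigned, trimmed to the fields checked here).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

A response whose Recipient has anything appended after the ACS URL, or whose Audience is another SP's Entity ID, fails these checks; signature verification is a separate step not shown here.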
