Introduction
Genius+ has two ways to use SAML for SSO authentication:
- Using Genius+ as Service Provider
  - Used to log in to Genius+ through an external identity provider (e.g. Azure AD, Shibboleth). Genius+ relies on the third-party tool to check whether the user is allowed to log in to Genius+.
- Using Genius+ as Identity Provider
  - Used to log in to an external tool with Genius+ acting as the Identity Provider. In this case, Genius+ is the tool that confirms the user is allowed to log in.
This document is intended to serve as a guide for configuring the parties involved in both types of SAML.
Using Genius+ as Service Provider
In this scenario, Genius+ asks an external identity provider to confirm that the user who wants to log in to Genius+ is a valid user. The external tool processes the authentication and vouches that this is a valid user.
The diagram below explains how communication flows between Genius+ (as a service provider) and an Identity Provider:
- Identity Provider: Azure AD, Shibboleth…
- Service Provider: Genius SIS (Genius+)
Configuration
These are the steps to take to configure Genius+ as a Service Provider.
The steps below must be carried out in the order shown, because each step depends on information exchanged with the client (Identity Provider).
1. Generating Metadata from Service Provider
Generate the service provider metadata from Genius+ "SAML Settings" in the Admin menu under "Integrations". This can be imported directly into the external identity provider.
- The metadata will be contained in an XML file and will be able to be generated via Genius+ using the following URL: [CLIENT URL]/metadata.ashx.
E.g.: https://enterprise-dev.geniussis.com/metadata.ashx
2. Importing an Identity Provider in Genius+
Using the metadata file created in step 1, the Identity Provider will generate its own metadata file.
That file should then be uploaded into SAML Settings in Genius+.
3. Configuring Claims mapping in Genius+
In this step, you configure the claims Genius+ expects when the Identity Provider posts the SAML Response to Genius+.
Claims are attributes named by convention, and often follow a pattern like "urn:oid:0.9.2342.19200300.100.1.3".
- Open Genius+ Site
- Navigate to the Admin Panel
- Select “SAML Settings” under the System Setup heading.
- The first time you open this page, the fields are pre-filled with default values.
- You can add as many claims as you want, but at this time Genius+ only uses the attribute mapped to the login type (Email/username) to log the user in to Genius+.
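As an added example (not Genius+ code), this is how a service provider applies a claim mapping like the one configured in this step to an incoming SAML Response: it checks the status and the assertion's validity window (allowing a small clock skew) and returns only the attribute mapped to the login type. The sample response, issuer and the Email mapping are constructed; signature validation is left out.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim mapping as configured in SAML Settings: login type -> attribute name.
# urn:oid:0.9.2342.19200300.100.1.3 is the standard LDAP OID for "mail".
CLAIM_MAPPING = {"Email": "urn:oid:0.9.2342.19200300.100.1.3"}

# Constructed sample response (unsigned; signature validation is out of scope here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(value):
    """Parse the UTC timestamps SAML uses in Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def login_identifier(response_xml, login_type, now, skew_seconds=60):
    """Return the value of the attribute mapped to login_type, or None when the
    response is not Success, falls outside its validity window (after allowing
    skew_seconds of clock drift, the idea behind a ResponseSkew setting), or
    does not carry the mapped claim."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return None
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:  # an assertion without a validity window is not accepted
        return None
    skew = timedelta(seconds=skew_seconds)
    if now + skew < parse_time(cond.get("NotBefore")):
        return None
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        return None
    wanted = CLAIM_MAPPING.get(login_type)
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == wanted:
            return attr.findtext("saml:AttributeValue", None, NS)
    return None
```

Attributes that are not mapped (here, anything other than the mail OID) are ignored, which is the behaviour the step above describes.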
4. Test
At this point, the SSO in Genius+ using SAML will be active if the settings were configured correctly.
Using Genius+ as the Identity Provider (SSO from Genius+ to Blackboard)
This feature was created to be used with Blackboard in place of the old SSO Method.
Although it was built for Genius+ to perform SSO in Blackboard, we can reuse the flow for other integrations that utilize SSO through SAML.
The diagram below explains the communication flow between Genius+ (as an identity provider) and Blackboard (as a service provider):
- Identity Provider: Genius SIS (Genius+)
- Service Provider: Blackboard
Blackboard Configuration
These are the steps that must be followed to configure Genius+ as an Identity Provider.
1. Activate the SAML Provider Building Block in Blackboard
- Access Blackboard Site
- Navigate to the Admin Panel.
- Under Integrations, select Building Blocks.
- Select Installed Tools.
- Locate Authentication Provider - SAML in the list and set its status as available.
- On the Admin Panel, under Integrations, select Authentication.
- SAML now appears in the Create Provider list on the Authentication Provider page.
2. Configure SAML Connection in Blackboard
- Access Blackboard Site.
- Navigate to the Admin Panel.
- Under Integrations, select Building Blocks.
- Select Installed Tools.
- Locate Authentication Provider - SAML in the list.
- Open the menu and select Settings.
- You have the following options:
  - Regenerate Certificate: Select Regenerate to regenerate the SAML certificate. You may need to regenerate a certificate to keep your connection secure or if the certificate has expired. After you regenerate the certificate, you need to re-upload the Service Provider metadata to the Identity Provider. When you select Regenerate, the system prompts you to confirm this step.
  - Assertion Expiration Settings: In this section, you can adjust the Expiration time (ResponseSkew) and the SAML session age limit. You may need to edit the ResponseSkew value if your Blackboard Learn server is in a different time zone than the Identity Provider's server. The time difference can cause SAML assertions to expire before users are properly authenticated. SAML sessions expire after the time length set in SAML session age limit. Select Don't limit session age if you want to allow sessions to never expire.
  - Signature Algorithm Settings: Choose a signature algorithm type that meets your security needs or as required by Identity Providers. After you select the Signature Algorithm Type, restart the SAML building block to apply the new settings.
- Select Submit to save your changes.
3. Create the SAML authentication provider
- Access Blackboard Site.
- Navigate to the Admin Panel.
- Under Integrations, select Authentication.
- Select the Create Provider button and select the SAML authentication provider type.
- Type a name and optional description for the provider.
- Set the Authentication Provider Availability to Active.
- Set the User Lookup Method to Username.
- In the Link Text field, type the title for the link as you want it to appear on the Blackboard Learn login page.
- You can also add an icon to the login page, if desired. Select Browse to upload an icon for the login page.
- Select Save and Configure to continue.
4. Configure SAML in Genius+ and Blackboard
In this step you will need to configure both sites together, as there is some information both systems still need from one another.
1. Open the Blackboard site:
- Navigate to the Admin Panel.
- Under Integrations, select Authentication.
- Open SAML Settings from the authentication provider created earlier.
2. Open the Genius+ site:
- Navigate to the Admin Tab.
- Under System Setup, select SAML Identity Provider.
3. On the Blackboard page:
- Fill in the Entity ID field.
- Check Enable IdP-Initiated SSO.
- Make sure the Single Logout Service Type is checked for the options Post and Redirect.
- Click the Generate the Service Provider Metadata File button. This will download an XML file.
- Select the correct data source and check the compatible data sources.
4. On the Genius+ site:
- Under the Service Provider area, import the XML file from step 3.
- If there is a specific URL that Genius+ should redirect to when a user attempts to log in, fill it in. If you don't know it, leave it blank.
- A new line will be created in the data grid.
- Click Genius+ Metadata to download the file created by Genius+ for the service provider.
5. On the Blackboard site again:
- Under the Identity Provider Settings:
  - Select Identity Provider Type = Point Identity Provider.
  - Select Metadata Type = Metadata File.
  - Import the file downloaded in step 4 (click Enterprise+ Metadata to download the file created by Genius+ for the service provider).
- Under Map SAML Attributes, select Remote User ID = NameID.
- Save.
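The metadata exchange above is the point where each side learns the other's endpoints. As an added example (not Genius+ or Blackboard code), this reads the fields an identity provider keeps from an imported service provider metadata file and flags what a reviewer should fix before trusting it: plain-http endpoints, a missing Post or Redirect Single Logout binding, or a service provider that does not require signed assertions. The sample metadata and its URLs are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD}

# Constructed sample of the metadata file a service provider exports (a real
# export also carries the service provider's signing certificate, omitted here).
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://learn.example.edu/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{BINDING_POST}" Location="https://learn.example.edu/saml/slo"/>
    <md:SingleLogoutService Binding="{BINDING_REDIRECT}" Location="https://learn.example.edu/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{BINDING_POST}" Location="https://learn.example.edu/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Return the values an identity provider keeps for a service provider."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location")) for e in sp.findall(f"md:{tag}", NS)]

    return {
        "entity_id": root.get("entityID"),
        "acs": endpoints("AssertionConsumerService"),
        "slo": endpoints("SingleLogoutService"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }

def metadata_problems(info):
    """Things to fix before the import is trusted: every endpoint must be https
    (the IdP will send the user's assertion there), both SLO bindings the guide
    asks for must be present, and the SP should require signed assertions."""
    problems = []
    for _, location in info["acs"] + info["slo"]:
        if not location.startswith("https://"):
            problems.append(f"non-https endpoint: {location}")
    present = {binding for binding, _ in info["slo"]}
    for binding in (BINDING_POST, BINDING_REDIRECT):
        if binding not in present:
            problems.append(f"missing SingleLogoutService binding: {binding}")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    return problems
```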
5. Enable Genius+ SSO using SAML
- Open Genius+ Site
- Navigate to the Admin Panel
- Select LMS under the System Setup Area.
- Edit or create the LMS integration, selecting Blackboard Ultra under LMS Type.
- Select the SSO Method as SAML.
- Select the SAML Service Provider imported in Enterprise+.
PLEASE NOTE:
Users at clients that use SAML authentication in Genius+ may at some point be prompted with a screen asking them to reset their password. Once the password is managed by your SAML authentication, this screen no longer serves any purpose.
To avoid this:
- Log in as an administrator and go to Administration > Parameters.
- Change the following parameters to these values:
  - FORCE_PASSWORD_CHANGE_FOR_NEW_ACCOUNTS = 0
  - FORCE_PASSWORD_CHANGE_WHEN_OTHERS_CHANGE_USER_PASSWORD = 0
  - PASSWORD_EXPIRATION_DAYS = 9999
  - INVALID_LOGIN_MAX_ATTEMPT = 999
This should help eliminate any conflicts with users logging in through the IdAM SAML SSO.