Introduction
Genius CE & Enterprise have two ways to use SAML for SSO authentication:
- Using Genius CE or Enterprise as a Service Provider
  - Used to log in to Genius CE or Enterprise through an external identity provider (e.g., Azure AD, Shibboleth). Genius CE or Enterprise relies on that third-party tool to check whether the user is allowed to log in.
- Using Genius CE or Enterprise as an Identity Provider
  - Used to log in to an external tool with Genius CE & Enterprise acting as the Identity Provider. In this case, Genius CE and Enterprise are the tools that confirm the user is allowed to log in.
This document is intended to serve as a guide for configuring the parties involved in both types of SAML.
Using Genius CE or Enterprise as a Service Provider
In this scenario, Genius CE or Enterprise redirects the login to an external identity provider to ensure that the user attempting to log in is a valid user. The external tool performs the authentication and asserts back to Genius CE or Enterprise that the user is valid.
The diagram below explains how communication flows between Genius CE & Enterprise (as a service provider) and an Identity Provider:
[Diagram: Identity Provider (Azure AD, Shibboleth, …) <-> Service Provider: Genius SIS (Genius CE & Enterprise)]
Configuration
These are the steps to take to configure Genius CE or Enterprise as a Service Provider.
The topics below are listed in the order they must be performed, because the steps interact and some of them require information from the client's Identity Provider.
1. Generating Metadata from the Service Provider
Generate the service provider metadata from Genius CE or Enterprise "External Authentication" in the Admin menu under "Integrations". This can be imported directly into the external identity provider.
- The metadata will be contained in an XML file and can be generated via Genius+ using the following URL: [CLIENT URL]/metadata.ashx.
E.g.: https://enterprise-dev.geniussis.com/metadata.ashx
2. Importing an Identity Provider in Genius CE & Enterprise
Using the metadata file created in step 1, the Identity Provider will generate its own metadata file.
This file should then be uploaded into the External Authentication settings.
3. Configuring Claims Mapping in Genius CE & Enterprise
In this step, you configure the claims that Genius CE or Enterprise expects when the Identity Provider posts the SAML Response to either product.
Claims are attributes named by convention, and often look like this pattern: "urn:oid:0.9.2342.19200300.100.1.3".
- Open the Genius CE or Enterprise site.
- Navigate to the Admin Panel.
- Select "External Authentication" under the System Setup heading.
- If this is your first time on this page, the fields are pre-filled with the default values.
- You can add as many Claims as you want, but currently Genius CE & Enterprise use only the attribute mapped to the login type (Email/Username) to log the user into either product.
4. Test
At this point, the SSO in Genius CE or Enterprise using SAML will be active if the settings were configured correctly.
Using Genius CE & Enterprise as the Identity Provider (SSO from Genius CE & Enterprise to Blackboard)
This feature was designed to replace the old SSO method in conjunction with Blackboard.
Although it was built for Genius CE & Enterprise to perform SSO in Blackboard, we can reuse the flow for other integrations that utilize SSO through SAML.
The diagram below explains the communication flow between Genius CE & Enterprise (as identity providers) and Blackboard (as a service provider):
[Diagram: Identity Provider: Genius SIS (Genius CE & Enterprise) <-> Service Provider: Blackboard]
Blackboard Configuration
These are the steps that must be followed to configure Genius CE & Enterprise as Identity Providers.
1. Activate the SAML Provider Building Block in Blackboard
- Access the Blackboard Site
- Navigate to the Admin Panel.
- Under Integrations, select Building Blocks.
- Select Installed Tools.
- Locate Authentication Provider - SAML in the list and set its status as available.
- On the Admin Panel, under Integrations, select Authentication.
- SAML now appears in the Create Provider list on the Authentication Provider page.
2. Configure SAML Connection in Blackboard
- Access the Blackboard Site.
- Navigate to the Admin Panel.
- Under Integrations, select Building Blocks.
- Select Installed Tools.
- Locate Authentication Provider - SAML in the list.
- Open the menu and select Settings.
- You have the following options:
  - Regenerate Certificate: Select Regenerate to regenerate the SAML certificate. You may need to regenerate a certificate to maintain a secure connection, or if the certificate has expired. After you regenerate the certificate, you need to re-upload the Service Provider metadata to the Identity Provider. When you select Regenerate, the system prompts you to confirm this step.
  - Assertion Expiration Settings: In this section, you can adjust the Expiration time (ResponseSkew) and the SAML session age limit. You may need to edit the ResponseSkew value if your Blackboard Learn server is in a different time zone than the Identity Provider's server. The time difference can cause SAML assertions to expire before users are properly authenticated. SAML sessions expire within the time limit of the SAML session age limit. Select 'Don't limit session age' if you want to allow sessions never to expire.
  - Signature Algorithm Settings: Select a signature algorithm type that meets your security requirements or as specified by Identity Providers. After you select the Signature Algorithm Type, restart the SAML building block to apply the new settings.
- Select Submit to save your changes.
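Both the claims mapping in step 3 of the Service Provider setup and the ResponseSkew setting above come down to what a service provider does with the SAML Response it receives. The Python snippet below is an added example, not Genius or Blackboard code: it checks the assertion's Conditions window widened by a ResponseSkew allowance, then picks the attribute that the claims mapping ties to the configured login type. The sample response, the OID-to-login-type mapping and the function names are assumptions.

```python
# Added example (not Genius or Blackboard code). Signature verification is
# omitted: a real SP must verify the XML signature before trusting anything here.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml in production (XXE, entity expansion)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned response with a 5-minute validity window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Assumed claims mapping, as configured in the SP: login type -> attribute name.
CLAIMS_MAPPING = {
    "Email": "urn:oid:0.9.2342.19200300.100.1.3",     # mail
    "Username": "urn:oid:0.9.2342.19200300.100.1.1",  # uid
}

def parse_saml_time(value):
    """SAML timestamps are UTC ('Z'); parse to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_valid(response_xml, now, response_skew_seconds):
    """True if 'now' lies inside NotBefore/NotOnOrAfter widened by the skew allowance."""
    cond = ET.fromstring(response_xml).find(".//saml:Conditions", NS)
    skew = timedelta(seconds=response_skew_seconds)
    not_before = parse_saml_time(cond.get("NotBefore")) - skew
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter")) + skew
    return not_before <= now < not_on_or_after

def login_identifier(response_xml, login_type):
    """Return the value of the attribute mapped to the login type, or None if absent."""
    wanted = CLAIMS_MAPPING[login_type]
    for attr in ET.fromstring(response_xml).findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == wanted:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None  # mapped claim missing: reject the login rather than fall back to another attribute
```

A response that arrives one minute after NotOnOrAfter fails with ResponseSkew 0 but passes with a 120-second skew, which is exactly the clock-difference case the Blackboard setting exists for.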
3. Create the SAML authentication provider
- Access the Blackboard Site.
- Navigate to the Admin Panel.
- Under Integrations, select Authentication.
- Select the "Create Provider" button and choose the SAML authentication provider type.
- Type a name and an optional description for the provider.
- Set the Authentication Provider Availability to Active.
- Set the User Lookup Method to Username.
- In the Link Text field, type the title for the link as you want it to appear on the Blackboard Learn login page.
- You can also add an icon to the login page, if desired. Select Browse to upload an icon for the login page.
- Select Save and Configure to continue.
4. Configure SAML in Genius CE or Enterprise and Blackboard
In this step, you will need to configure both sites together, as each system still needs some information from the other.
4.1 Open the Blackboard site
- Navigate to the Admin Panel.
- Under Integrations, select Authentication.
- Open the External Authentication settings of the authentication provider you created.
4.2 Open the Genius site
- Navigate to the Admin tab.
- Under System Setup, select Saml Identity Provider.
4.3 On the Blackboard page:
- Fill in the Entity ID field.
- Check Enable IdP-Initiated SSO.
- Ensure the Single Logout Service Type is set to 'Post and Redirect'.
- Click the Generate the Service Provider Metadata File button.
- This will download an XML file.
- Select the correct data source and check the compatible data sources.
4.4 On the Genius+ site:
- Under the Service Provider area, import the XML file from step 4.3.
- If there is a specific URL that Genius CE or Enterprise should redirect to when trying to log in, fill it in. If you don't know it, leave it blank.
- This creates a new line in the data grid.
- Click Genius CE or Enterprise Metadata to download the metadata file created by either product for the service provider.
4.5 On the Blackboard site again:
- Under the Identity Provider Settings:
  - Select Identity Provider Type = Point Identity Provider.
  - Select Metadata Type = Metadata File.
  - Import the file downloaded in step 4.4 (Genius CE or Enterprise Metadata).
- Under Map SAML Attributes, select Remote User ID = NameID.
- Save.
5. Enable Genius+ SSO using SAML
- Open Genius CE or Enterprise Site
- Navigate to the Admin Panel
- Select LMS under the System Setup Area.
- Edit/Create the LMS integration, referring to the Blackboard Ultra under the LMS Type.
- Select the SSO Method as SAML.
- Select the SAML Service Provider imported in Genius CE or Enterprise.
PLEASE NOTE:
For some clients who use SAML authentication in Genius CE and Enterprise, users are likely to be prompted at some point to reset their password. Once the password is managed by SAML authentication, this screen is no longer necessary.
To avoid this:
- Log in as an administrator and go to Administration > Parameters.
- Change the following parameters to these values:
  - FORCE_PASSWORD_CHANGE_FOR_NEW_ACCOUNTS = 0
  - FORCE_PASSWORD_CHANGE_WHEN_OTHERS_CHANGE_USER_PASSWORD = 0
  - PASSWORD_EXPIRATION_DAYS = 9999
  - INVALID_LOGIN_MAX_ATTEMPT = 999
This should help eliminate any conflicts with users logging in through the IdAM SAML SSO. Keep in mind that these values also relax password expiry and lockout protection for any accounts that still sign in with a local password.