Does Portal Guard Support Black Board

Does PortalGuard support federation with BlackBoard

Tags: blackboard, sso, sspr, federation education

Problem Definition

You have purchased PortalGuard, or are interested in purchasing it, and you want to know whether PortalGuard can federate with BlackBoard.


Solution

PortalGuard does support federation with BlackBoard. Listed below are the steps to federate the two products.

1) In IdP_Config, click the CAS Websites tab, click the Blackboard entry and click the Edit button

2) On the General tab, double-click the entry in the Service Ids / URLs list to edit it. Set it to the root URL of your Blackboard server.

3) On the SSO Jump Page tab, set the Default Access URL to the root URL of the Blackboard server as well, then save the CAS configuration.

4) On the Attribute Stores tab, configure the default entry to point to your user directory (whether it is Active Directory, LDAP or SQL).

Configuration – CAS Client (Blackboard example)

5) Log into the Blackboard server and click the System Admin tab

6) In the Building Blocks section, click the Authentication item

7) From the Create Provider button, choose CAS:

In the Create CAS screen, set the following fields then click the Save and Configure button:

  • Name: PortalGuard CAS
  • Authentication Provider Availability: Active
  • User Lookup Method: Username
  • Restrict by hostname: Use this provider for any hostnames
  • Provider Settings – Link Text: CAS SSO

In the CAS Settings screen, set the following fields then click the Submit button:

  • CAS Server URL Prefix: http://YOUR.PG.SERVER/cas
  • Global Logout: Yes
  • Logout URL Suffix: /logout
  • Require Credentials: No

NOTE: If you wish to have Blackboard contact the PortalGuard server over SSL, then one of the following must be true:

8) The PortalGuard server must use a commercially-signed SSL certificate (from Verisign or Thawte), OR

9) If PortalGuard is using a self-signed certificate, you must add it to the certificate store of the Blackboard server’s JDK using keytool. Please see the Blackboard Troubleshooting section below.

10) Ensure the Blackboard server resolves the PortalGuard server name to the expected IP address and can reach it via HTTP. CAS requires that both the end user and “target” server can reach the CAS server.

Confirming Configuration

Accessing Blackboard should display the standard Blackboard login screen. However, there should be a CAS SSO link at the bottom of the screen.

Click it to initiate CAS-based Single Sign-On; the user should be redirected to the PortalGuard login screen. Providing the correct username and password should result in the user being automatically authenticated into PortalGuard and Blackboard.

BlackBoard Troubleshooting

CAS SSO to Blackboard may not work if you deviate from the steps above. Please reference this section if you encounter errors with CAS SSO to Blackboard.

Network Connectivity

During CAS authentication, your Blackboard server connects directly to PortalGuard to retrieve user information. As such, the following must be true:

1) The Blackboard server must be able to resolve the PortalGuard server name to an IP address. Use “nslookup” on the Blackboard server to ensure the PortalGuard server name resolves to the expected IP address.

2) HTTP/HTTPS traffic must not be blocked between the PortalGuard and Blackboard servers. Check the firewalls between the servers to ensure the traffic is not being blocked. If network connectivity is a problem for Blackboard, you will most likely see an error message like below but where your PortalGuard server name is shown instead of cas.pistolstar.com:

Self-Signed SSL Certificate on PortalGuard

If you specified an HTTPS URL for the CAS Server URL Prefix setting in step #17 above, your Blackboard server will attempt to establish an SSL connection to the PortalGuard web server. This should work without issue if the PortalGuard server is using a certificate issued by a trusted third-party certificate authority (e.g. Verisign, DigiCert). If PortalGuard is using a self-signed SSL certificate, Blackboard will show an “unable to find valid certification path to requested target” error:

The workarounds for this issue are either:

1) Change the CAS Server URL Prefix setting in the Blackboard CAS configuration to use standard HTTP. No passwords are sent over this server-to-server connection so this may be an acceptable approach for you. The connection does carry the user information Blackboard retrieves from PortalGuard, so over plain HTTP that information has no integrity protection on the network path between the two servers.

2) Update the Blackboard server’s JDK keystore file to include the self-signed certificate and any/all intermediate certificates. The keystore path is typically in the bbconfig.appserver.keystore.filename variable in bb-config.properties. If you update the keystore yourself, you must run PushConfigUpdates for the changes to take effect. Please see Blackboard: CAS Authentication Provider Type and Web Services for SSL for more details or contact Blackboard or your Blackboard hosting provider for help.
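The checks from the Network Connectivity and Self-Signed SSL Certificate sections can be scripted and run from the Blackboard server. This is an added example, not part of the PortalGuard or Blackboard documentation. It assumes nslookup, openssl, curl and keytool are on the PATH and that bb-config.properties uses plain key=value lines; the script name, certificate file and alias are placeholders.

```shell
# Added example. Run on the Blackboard server; URLs and file paths are placeholders.

# Split a CAS Server URL Prefix into "scheme host port", filling in default ports.
cas_url_parts() {
    scheme=${1%%://*}; rest=${1#*://}; hostport=${rest%%/*}; host=${hostport%%:*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
    esac
    echo "$scheme $host $port"
}

# Map an OpenSSL "Verify return code" to the remedy in the troubleshooting section.
verify_advice() {
    case $1 in
        0)     echo "chain verifies: no keystore change needed" ;;
        18|19) echo "untrusted self-signed certificate: import it into the Blackboard JDK keystore" ;;
        20|21) echo "incomplete chain: import the intermediate certificates too" ;;
        *)     echo "verify code $1: inspect the openssl output" ;;
    esac
}

# Read the keystore path from bb-config.properties (assumes key=value with no spaces).
keystore_path() {
    sed -n 's/^bbconfig\.appserver\.keystore\.filename=//p' "$1" | head -n 1
}

# DNS first, then a TLS trust check (https) or a plain reachability check (http).
# openssl consults the OS trust store, not the JDK keystore, so code 0 is indicative only.
preflight() {
    url=$1
    set -- $(cas_url_parts "$url")            # $1=scheme $2=host $3=port
    nslookup "$2" || { echo "DNS: cannot resolve $2"; return 1; }
    if [ "$1" = https ]; then
        code=$(openssl s_client -connect "$2:$3" -servername "$2" </dev/null 2>/dev/null |
               sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
        [ -n "$code" ] || { echo "TLS: no handshake with $2:$3, check firewalls"; return 1; }
        verify_advice "$code"
    else
        curl -sS -o /dev/null --max-time 10 -w 'HTTP status %{http_code}\n' "$url"
    fi
}

# Import an exported certificate; keytool prompts for the keystore password.
import_cert() {   # $1=bb-config.properties  $2=certificate file  $3=alias
    keytool -importcert -alias "$3" -file "$2" -keystore "$(keystore_path "$1")"
}

# Only act when given a CAS Server URL Prefix: sh preflight.sh http://YOUR.PG.SERVER/cas
case ${1-} in http://*|https://*) preflight "$1" ;; esac
```

After import_cert succeeds, PushConfigUpdates still has to be run as described above before Blackboard uses the updated keystore.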

Change Blackboard Default Authentication Provider

It is generally a best practice to have CAS SSO start when users access Blackboard initially. This reduces logon steps for the large majority of users and eliminates confusion and potential help desk calls. It is also a best practice to establish a URL for administrative/manual login to Blackboard to ensure administrators can log in to Blackboard regardless of the CAS server’s availability. NOTE: This step should only be done after you have sufficiently verified that CAS SSO through PortalGuard is working.

To change the default authentication type in Blackboard, perform the following steps:

1) Log into the Blackboard server and click the System Admin tab

2) In the Building Blocks section, click the Authentication item

3) Determine your primary authentication provider. It could be named “Default” if you’re using Blackboard’s built-in user repository or “LDAP” if you configured Blackboard to authenticate against an external LDAP directory like Active Directory.

4) Click the arrow that appears next to the authentication provider and choose “Edit” from the pop-up menu

5) On the Restrict by hostname tab, choose the “Restrict this provider to only the specified hostname” option. In the Restricted Hostnames field, enter the host name administrators will begin using to perform manual logins to Blackboard. This hostname/alias must be in DNS for it to resolve to the Blackboard server.

6) Click Submit to save the change.

7) IMPORTANT: Leave the administrator logged into Blackboard through the current browser session and try accessing Blackboard through the “standard” and “admin-only” server names to ensure they work as expected. If they do not, then simply edit the default authentication provider, set it back to Use this provider for any hostnames, save the change and contact either Blackboard or PortalGuard support for assistance.

Page last modified on February 10, 2016, at 01:00 PM