This topic provides instructions for setting up SAML authentication on a Blackboard Learn instance with Active Directory Federation Services (ADFS) as the Identity Provider (IdP). Your Blackboard Learn environment acts as the Service Provider (SP). While these steps use ADFS version 3.0 with Windows Server 2012 R2, the steps can also be applied to ADFS 2.0.

Learn Service Provider

  1. Log in to Blackboard Learn as an administrator and navigate to System Admin > Authentication.
  2. Select Create Provider > SAML.
  3. Enter the following settings:
    • Name > Type ADFS SAML or anything you want.
    • Authentication Provider > set as Inactive.
    • User Lookup Method > Username
    • Restrict by Hostname > Use this provider for any hostnames.
    • Link Text > Type ADFS Login or anything you want.
  4. Select Save and Configure.
  5. In the Entity ID field, ensure the value is the same as the ACS URL.
  6. Select Enable Automatic SSO Single Logout Service Type Post and Allow ADFS LogoutResponse. Leave Redirect deselected or unchecked.
  7. Under Service Provider Metadata, select Generate and save the XML file to your desktop.
  8. If you're using JIT, it's recommended to create a new Data Source for this provider named SAML, otherwise use SYSTEM or whatever you choose.
  9. Select the Enable JIT Provisioning checkbox to allow the system to automatically create an account when an unknown user attempts to log in via this SAML authentication provider. If it is not selected, the user account will first need to be manually created in Blackboard Learn.
  10. In the Compatible Data Sources list, be sure to select the data sources that this authentication provider should be compatible with.
  11. Select Point Identity Provider for the Identity Provider Type.
  12. For the Identity Provider Metadata, select Metadata URL and set the URL to one of your ADFS metadata URLs, for example https://[adfs server hostname]/FederationMetadata/2001-03/FederationMetadata.xml, then select Validate.

    The ADFS server ideally needs to have a commercial certificate. If it's using a self-signed certificate, validation will fail. You'll need to download the FederationMetadata.xml file and use the Metadata File option instead.

  13. Select Submit.

ADFS Identity Provider

  1. On the ADFS Server, access the ADFS Management Console.
  2. Navigate to Trust Relationships > Relying Party Trusts > Add Relying Party Trust.
  3. Select Start on the Add Relying Party Trust Wizard page.
  4. Select Import Data about the relying party from a file.
  5. Select Browse and upload the file that was created in Step 6 of the Learn SP section. Select Next.
  6. Enter a Display name such as yourlearnserver.blackboard.com and select Next.
  7. Select I do not want to configure multi-factor authentication settings... and select Next.
  8. Select Permit All Users to Access this Relying Party and select Next.
  9. Select Next on the Ready to Add Trust step and then select Close on the Finish step.
  10. After the Relying Party Trust has been created, it should open the Edit Claims Rules if the last checkbox was left checked. Otherwise right-click the Relying Party Trust and select Edit Claims.

Add claim rules for relying party trust

Send attributes as claims

Adding claim rules for the Relying Party Trust sends LDAP attributes as claims from the ADFS server to Blackboard Learn. In the ADFS management console, right-click the Relying Party Trust.

Send username

  1. On the Issuance Transform Rules tab, select Add Rule.
  2. On the Select Rule Template page, select Send LDAP Attributes as Claims as the Claim rule template and select Next.
  3. On the Configure Rule page, in the Claim rule name box, type Transform Username to NameID.
  4. In the Attribute Store dropdown, select Active Directory.
  5. In the Mapping box on the left side select SAM-Account-Name or Company.
  6. In the Mapping box on the right side type SamAccountName and select Finish.

The Name ID attribute needs to be a minimum length of 6 characters.

Send first and last name (optional)

If the JIT Provisioning option is selected on the Blackboard Learn SAML Authentication Settings page, meaning user accounts will be created in Blackboard Learn if they don't exist, then the First and Last Name LDAP attributes can also be sent from ADFS to Blackboard Learn by mapping the attributes accordingly.

  1. On the Issuance Transform Rules tab, select Add Rule.
  2. On the Select Rule Template page, select Send LDAP Attributes as Claims as the Claim rule template and select Next.
  3. On the Configure Rule page, in the Claim rule name box, type Send First Name.
  4. In the Attribute Store dropdown, select Active Directory.
  5. In the Mapping box on the left side select Given-Name.
  6. In the Mapping box on the right side type urn:oid:2.5.4.42 and select Finish.
  7. On the Issuance Transform Rules tab, select Add Rule.
  8. On the Select Rule Template page, select Send LDAP Attributes as Claims as the Claim rule template and select Next.
  9. On the Configure Rule page, in the Claim rule name box, type Send Last Name.
  10. In the Attribute Store dropdown, select Active Directory.
  11. In the Mapping box on the left side select Surname.
  12. In the Mapping box on the right side type urn:oid:2.5.4.4 and select Finish.

Transform an incoming claim

  1. Select Add Rule.
  2. On the Select Rule Template page, select Transform an Incoming Claim for the Claim rule template and select Next.
  3. On the Configure Rule page, in the Claim rule name box, type Transform Email to Name ID.
  4. Incoming claim type should be SamAccountName. It must match the Outgoing Claim Type created in the earlier rule.
  5. The Outgoing claim type is Name ID.
  6. The Outgoing name ID format is Unspecified.
  7. Confirm Pass through all claim values is selected and select Finish.
  8. Select OK to save the rule and OK again to complete the attribute mappings.

Example attribute statement

After adding all of the previously mentioned claim rules for the Relying Party Trust, the rules appear in the Issuance Transform Rules tab.

Subject and AttributeStatement elements similar to the following will be sent in the SAML POST from ADFS to Blackboard Learn after the user has been authenticated:

<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">luke.skywalker</NameID>
    [SNIP]
</Subject>
 
<AttributeStatement>
    <Attribute Name="SamAccountName">
        <AttributeValue>luke.skywalker</AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:2.5.4.42">
        <AttributeValue>Luke</AttributeValue>
    </Attribute>
    <Attribute Name="urn:oid:2.5.4.4">
        <AttributeValue>Skywalker</AttributeValue>
    </Attribute>
</AttributeStatement>

If the attributes from the IdP are not encrypted in the SAML response, the Firefox browser SAML tracer Add-on or Chrome SAML Message Decoder can be used to view the attributes that are being released from the IdP and sent to Blackboard Learn during the authentication process.
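Once the assertion has been captured with one of those tools, the following added script (not part of this topic or of Blackboard's or Microsoft's code) checks the decoded Subject and AttributeStatement against what the claim rules above should produce: an unspecified-format Name ID of at least 6 characters that matches SamAccountName, plus the two OID attributes when JIT provisioning is on. The sample assertion, the EXPECTED_ATTRS mapping and the check_assertion function are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
MIN_NAMEID_LEN = 6  # minimum Name ID length stated in this topic
# Attribute names the claim rules release, keyed to the Learn field each feeds.
EXPECTED_ATTRS = {
    "SamAccountName": "username",
    "urn:oid:2.5.4.42": "first_name",  # Given-Name, used by JIT provisioning
    "urn:oid:2.5.4.4": "last_name",    # Surname, used by JIT provisioning
}

# Constructed sample, modelled on the example assertion above (not real traffic).
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}">
  <Subject><NameID Format="{NAMEID_UNSPECIFIED}">luke.skywalker</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="SamAccountName"><AttributeValue>luke.skywalker</AttributeValue></Attribute>
    <Attribute Name="urn:oid:2.5.4.42"><AttributeValue>Luke</AttributeValue></Attribute>
    <Attribute Name="urn:oid:2.5.4.4"><AttributeValue>Skywalker</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def check_assertion(xml_text, jit=True):
    """Return (fields, problems): the values Learn would consume, and any
    mismatch against the provider settings in this topic. Signature and
    encryption checks are Learn's job; this only inspects the content."""
    ns = {"s": SAML_NS}
    root = ET.fromstring(xml_text)
    fields, problems = {}, []

    name_id = root.find("s:Subject/s:NameID", ns)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        fmt = (name_id.get("Format") or "").strip()  # tolerate stray whitespace
        fields["name_id"] = (name_id.text or "").strip()
        if fmt != NAMEID_UNSPECIFIED:
            problems.append(f"NameID format {fmt!r} is not unspecified")
        if len(fields["name_id"]) < MIN_NAMEID_LEN:
            problems.append(f"NameID {fields['name_id']!r} shorter than {MIN_NAMEID_LEN} chars")

    for attr in root.findall("s:AttributeStatement/s:Attribute", ns):
        key, val = EXPECTED_ATTRS.get(attr.get("Name")), attr.find("s:AttributeValue", ns)
        if key and val is not None:
            fields[key] = (val.text or "").strip()
    required = ["username"] + (["first_name", "last_name"] if jit else [])
    problems += [f"{k} not released by the IdP" for k in required if k not in fields]
    if fields.get("username") not in (None, fields.get("name_id")):
        problems.append("NameID does not match SamAccountName (check the transform rule)")
    return fields, problems
```

Run it with jit=False when JIT provisioning is disabled, since the first and last name attributes are then optional.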


Set SAML authentication provider active

  1. In Blackboard Learn, navigate to System Admin > Authentication.
  2. Open the menu next to the SAML authentication provider's name and set it to Active.

The ADFS IdP is then successfully configured as a SAML authentication provider and can be used to log in to Blackboard Learn.

  1. On the Blackboard Learn login page, select Sign in with third-party account.
  2. Select the SAML authentication provider.
  3. Enter the login credentials on the ADFS login page.