locked
Help with ADFS Relying Party Trust configuration for OneLogin (Blackboard) RRS feed

  • Question

  • So I've been working on an issue with ADFS and am unable to find a solution. I'm using ADFS and my SP is Blackboard which uses OneLogin for SSO. I've tried to work with their support but i think their knowledge of SAML is limited to the screen shots they have. So here's some information.

    What I was initially told: "So, when the login response comes back to our server, we attempt to match the "userId" it sends to the ID number we have (for Staff, this would be the Staff ID). Lastly, as an option, ‘emailAddress’ can be sent as an attribute. If we can't find a match on ‘userID’, we’ll look for an existing account that has that email address attribute, and match on that."

    Maybe a week later, I got this: "Do you have both the emailAddress and Employee ID set as attributes?"

    So, based on that i'm not totally sure which values they're really wanting?

    This is the AuthRequest from them:  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" /> <samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>

    So I have created the relying party trust using the metadata URL they provided. I have set up two "Send LDAP attributes as claims" rules. One is using "physicalDeliveryOfficeName" with an outgoing claim type of "userID". The other is "E-mail Addresses" with an outgoing claim type as "E-mail Address". I then have a "Transform incoming claim" rule with incoming claim type of E-mail Address, outgoing claim type of Name ID, and outgoing name ID format of Email. 

    With this setup, it allows students to authenticate just fine. Students have the Ad attribute of "physicalDeliveryOfficeName" populated with a student ID number and the Email AD attribute populated with their email address. 

    Staff does NOT have this physicalDeliveryOfficeName attribute populated with anything. When they try to log in, they get "Unable to find an account for someone@somewhere.com". But it seemed that per their information, it would use email address if the ID was not found.

    Now, they sent me a screen shot of ADFS claims rules, and they show in order to use only email address as the attribute, to set the attribute "Email Addresses" and outgoing claim type of Name ID, and "Email Addresses" also to outgoing claim type of "emailAddress" (they say it has to be that format exactly). When i configure mine this way, I get an "InvalidNameIDPolicy" error. So maybe there's a transform rule I need to add somewhere? Either way, I really need to be able to either authenticate ONLY on email address, or for it to use email address if userID is not populated. 

    Any help any of you SAML experts can give me would be greatly appreciated!


    Jeff Green MCSA/MCSE 2003, MCITP 2008

    Monday, July 22, 2019 4:16 PM

All replies

  • "Email Addresses" also to outgoing claim type of "emailAddress".

    So as an LDAP claim rule, select email address on the left and type the word emailAddress into the "dropdown" on the right.

    The "dropdown" is editable.

    Monday, July 22, 2019 6:50 PM
  • So if I do that and remove any other rules as well as the transform rule, I get invalidNameIDPolicy. The only thing left is that one policy with email Address as the attribute and emailAddress manually typed into the outgoing claim box. 

    Jeff Green MCSA/MCSE 2003, MCITP 2008

    Monday, July 22, 2019 6:57 PM
  • I would put the Transform rule back.

    Can you post the claims rules screen shot and the claim rules you are using.

    Tuesday, July 23, 2019 1:00 AM
  • So the claims rules i am using are...

    And this one works for STUDENTS only. if a staff member tries, they get a message that the user wasn't found. 

    With it configured like this...

    ...which is their supposed recommended setup, I get InvalidnameIDPolicy with or without the transform rule. 


    Jeff Green MCSA/MCSE 2003, MCITP 2008

    Tuesday, July 23, 2019 5:11 PM
  • Take out the email address to NameID LDAP rule and do it via a Transform rule with format email address.

    Just to confirm - the "InvalidNameIDPolicy" error is on their side after you authenticate?

    If the above doesn't work, ask them for an example of a AuthnResponse that works and compare to yours.

    Tuesday, July 23, 2019 6:51 PM
  • Also, do they have SAML metadata?

    If so, what email policy is referenced there?

    Tuesday, July 23, 2019 6:52 PM
  • That is correct, after authenticating on my ADFS page, I then get the InvalidNameIDPolicy error. So, with this as my transform rule...

    ... and ONLY the E-mail Addresses to emailAddress mapping left, I get InvalidNameIDPolicy. If I remove the rule entirely, and just have the transform, I still get the InvalidNameIDPolicy error. 

    So, they provided me with a URL during configuration, and I plugged the metadata URL into ADFS to create the trust to begin with. When I click the link they provided, I get this... "<md:nameidformat style="font-family:'Times New Roman';font-size:medium;">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:nameidformat> <md:assertionconsumerservice binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="1" location="https://xxxxxx.parentlink.net/main/login/saml-acs/" style="font-family:'Times New Roman';font-size:medium;"><md:attributeconsumingservice index="1"><md:servicename xml:lang="en">Blackboard"</md:servicename></md:attributeconsumingservice></md:assertionconsumerservice>

    My other two vendors I have set up using ADFS are working flawlessly, but both of them use nameid-format of unspecified. This vendor says they can't change that...


    Jeff Green MCSA/MCSE 2003, MCITP 2008


    • Edited by SnG 2K Tuesday, July 23, 2019 7:54 PM
    Tuesday, July 23, 2019 7:21 PM
  • Also, let me add, in case it makes a difference, the process for authentication is, I visit the login page they have created for us. From there I click the SSO button that redirects me to my ADFS login page. I log in, and should get redirected back to Blackboard and logged in. 

    The difference is, for Google Apps, when I visit our Google page, the first thing I have to do is enter my email address., then I get redirected to my ADFS page... I'm guessing this is the difference between IdP initiated and SP initiated SSO?


    Jeff Green MCSA/MCSE 2003, MCITP 2008

    Tuesday, July 23, 2019 7:26 PM
  • I assume this is the documentation:

    https://help.blackboard.com/Learn/Administrator/SaaS/Authentication/Implement_Authentication/SAML_Authentication_Provider_Type/SAML_Setup_Guide_for_ADFS

    The format of an email to NameID rule is:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

    Note no email format.

    The format of a Transform rule is:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

    Note email format.

    The doc. shows:

    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">luke.skywalker</NameID>
        [SNIP]
    </Subject>

    There is no way to get this via the first rule.

    Also "luke.skywalker" is not an email address!

    BTW: ADFS also has an IDPInitiated page.

    Tuesday, July 23, 2019 10:41 PM
  • That documentation may or may not be applicable to what I'm doing. Blackboard has several areas they deal in, one being a learning management system they offer, and one being a mass notification system which I'm using. But, assuming it does apply, what does this mean for what I'm trying to accomplish? Thanks.

    Jeff Green MCSA/MCSE 2003, MCITP 2008

    Wednesday, July 24, 2019 1:20 PM