Aws Login Your Authentication Information Is Incorrect Please Try Again
This page provides a general overview of the Security Assertion Markup Language (SAML) 2.0 Building Block along with common Single Sign-On (SSO) issues and troubleshooting techniques for the SAML authentication provider.
If an updated or new IdP metadata XML file is uploaded in the Blackboard Learn GUI on the SAML Authentication Settings page (Identity Provider Settings section) for a SAML authentication provider, the SAML Building Block (B2) and that SAML authentication provider should also be toggled Inactive and then back to Available, with the SAML authentication provider left in 'Active' status, so that any cached IdP metadata is cleared and the updated IdP metadata (including any new IdP signing certificate) is fully loaded.
Key terms
The following terms and abbreviations are used throughout this guide:
- SAML: Security Assertion Markup Language
- IdP: Identity Provider
- SP: Service Provider
- ADFS: Active Directory Federation Services
- GUI: Graphical User Interface. In the context of Blackboard Learn, this means working within the software's web interface.
Edit SAML configuration settings
To help troubleshoot SAML authentication issues, the SAML Building Block was updated in release 3200.2.0 to include these configuration settings and options:
- Define the SAML session age limit
- Choose a signature algorithm type
- Regenerate certificates
- Change the ResponseSkew value
More on how to configure settings in the SAML Building Block
Errors and exceptions
SAML related errors and exceptions are captured in the following logs:
- /usr/local/blackboard/logs/bb-services-log.txt
- /usr/local/blackboard/logs/tomcat/stdout-stderr-<date>.log
- /usr/local/blackboard/logs/tomcat/catalina-log.txt
These logs should always be searched when investigating a reported SAML authentication issue.
SAML Tracer
When troubleshooting SAML 2.0 authentication, at some point it may be necessary to confirm which attributes are actually being released by the IdP and sent to Learn during the authentication process. If the attributes in the SAML response are NOT encrypted, the Firefox SAML tracer add-on or the Chrome SAML Message Decoder extension can be used to view them. A captured trace contains the user's attributes and the signed assertion, so treat it as sensitive data and redact it before attaching it to a support ticket.
Attribute not properly mapped
If the attribute containing the userName is not mapped as specified in the Remote User ID field in the Map SAML Attributes section on the SAML Authentication Settings page in the Blackboard Learn GUI, the following event will be logged in the bb-services log when attempting to log in to Blackboard Learn via SAML authentication:
2016-06-28 12:48:12 -0400 - userName is null or empty
A Sign On Error! message is displayed in the browser: Blackboard Learn is currently unable to log into your account using single sign-on. Contact your administrator for assistance.
An Authentication Failure entry appears in the bb-services log:
2016-06-28 12:48:12 -0400 - BbSAMLExceptionHandleFilter - javax.servlet.ServletException: Authentication Failure
at blackboard.auth.provider.saml.customization.handler.BbAuthenticationSuccessHandler.checkAuthenticationResult(BbAuthenticationSuccessHandler.java:81)
at blackboard.auth.provider.saml.customization.handler.BbAuthenticationSuccessHandler.onAuthenticationSuccess(BbAuthenticationSuccessHandler.java:57)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:331)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:245)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
[SNIP]
Resolution
You have two options to resolve the issue. First, select the Create accounts if they don't exist in the system option on the SAML Authentication Settings page in the Blackboard Learn GUI; note that with this option every identity the IdP asserts will get a Learn account, so only enable it if that is intended. Alternatively, view the values of the attributes released by the IdP via SAML tracer or Debug Logging (possible only if the attributes are NOT encrypted):
<saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:anyType"
>bbuser_saml2@bbchjones.net</saml2:AttributeValue>
</saml2:Attribute>
and map the Attribute Name that carries the desired AttributeValue to the Remote User ID on the SAML Authentication Settings page in the Blackboard Learn GUI.
Compatible data source not selected
Users won't be able to log in to Blackboard Learn via SAML authentication if the Data Source for the users is not selected in the Service Provider Settings > Compatible Data Sources section on the SAML Authentication Settings page in the Blackboard Learn GUI. The following event will be logged in the bb-services log when attempting to log in to Blackboard Learn via SAML authentication:
2016-09-23 12:33:13 -0500 - userName is null or empty
The Sign On Error! message appears in the browser, as well as the Authentication Failure in the bb-services log:
2016-09-23 12:33:13 -0500 - BbSAMLExceptionHandleFilter - javax.servlet.ServletException: Authentication Failure
at blackboard.auth.provider.saml.customization.handler.BbAuthenticationSuccessHandler.checkAuthenticationResult(BbAuthenticationSuccessHandler.java:82)
at blackboard.auth.provider.saml.customization.handler.BbAuthenticationSuccessHandler.onAuthenticationSuccess(BbAuthenticationSuccessHandler.java:58)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:331)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:245)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor3399.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reverberate.Method.invoke(Method.java:498)
[SNIP]
Resolution
- Obtain the username of a user who is unable to log in.
- In the Blackboard Learn GUI, navigate to System Admin > Users and search for the user.
- Copy the Data Source Key of the user.
- Navigate to System Admin > Authentication > "Provider Name" > SAML Settings > Compatible Data Sources.
- Place a check mark next to that Data Source in the Name column and select Submit.
"Given URL is not well formed" error message
If OneLogin is configured as the IdP for the SAML authentication provider in Blackboard Learn, a Given URL is not well formed error may be displayed on the page after entering the OneLogin credentials when attempting to log in to Blackboard Learn.
With the following displayed in the bb-services-log:
2016-09-16 09:43:40 -0400 - Given URL is not well formed<P><span class="captionText">For reference, the Error ID is 17500f44-7809-4b9f-a272-3bed1d1af131.</span> - java.lang.IllegalArgumentException: Given URL is not well formed
at org.opensaml.util.URLBuilder.<init>(URLBuilder.java:120)
at org.opensaml.util.SimpleURLCanonicalizer.canonicalize(SimpleURLCanonicalizer.java:87)
at org.opensaml.common.binding.decoding.BasicURLComparator.compare(BasicURLComparator.java:57)
at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.compareEndpointURIs(BaseSAMLMessageDecoder.java:173)
at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:213)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
[SNIP]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.MalformedURLException: no protocol: {recipient}
at java.net.URL.<init>(URL.java:593)
at java.net.URL.<init>(URL.java:490)
at java.net.URL.<init>(URL.java:439)
at org.opensaml.util.URLBuilder.<init>(URLBuilder.java:77)
... 203 more
Resolution
- Turn on the Firefox SAML tracer add-on and replicate the login issue.
- Review the beginning of the SAML POST event:
<samlp:Response Destination="{recipient}"
ID="R8afbfbfee7292613f98ad4ec4115de7c6b385be6"
InResponseTo="a3g2424154bb0gjh3737ii66dadbff4"
IssueInstant="2016-09-16T18:49:09Z"
Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
[SNIP] - On the first line of the Response, observe that Destination= is set to the literal placeholder {recipient} rather than to the ACS URL. The SP cannot parse that as a URL when it compares the Destination with its own endpoint, which is the MalformedURLException: no protocol: {recipient} in the trace above.
- Have the client access the Configuration section of their OneLogin IdP.
- Confirm whether the Recipient field is blank.
- Copy the value of the ACS (Consumer) URL, paste it into the Recipient field and select Save.
IdP/SP Problem Scenarios
- If an error appears before you are redirected to the IdP's login page, the IdP's metadata may be invalid.
- If an error appears after you log in on the IdP's page, the reasons could be that:
- Attribute mapping between the SP and IdP is incorrect, or the IdP didn't return a valid Remote User ID.
- The SAML response from the IdP wasn't validated by the SP. This could be caused by:
- The IdP signs the SAML response with a certificate that is not issued by a valid certificate authority, and the SP's keystore doesn't contain this certificate. The SP normally takes the IdP signing certificate from the IdP metadata, so a rotated IdP certificate combined with stale cached metadata has the same effect.
- The SP's system clock is incorrect, so the response's IssueInstant or the assertion's NotBefore/NotOnOrAfter conditions fall outside the allowed ResponseSkew.
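The checks the SP applies to the response before it looks at any attribute are easy to reproduce offline. The following Python script is an added example, not code from Blackboard or the Spring Security SAML library Learn uses. It takes a decoded SAML Response (what SAML tracer shows) and re-runs the endpoint check behind the "Given URL is not well formed" error above, the IssueInstant and Conditions timing checks with a ResponseSkew allowance, and the Audience check against the SP Entity ID. It does not verify the XML signature, which needs the IdP certificate. The ACS URL, the timestamps, the "SP clock" and both embedded responses are constructed for the example; the first response reproduces the OneLogin placeholder problem.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP values: the Learn ACS URL doubles as the Entity ID (the default ADFS-style setup).
ACS_URL = "https://learn.example.edu/auth-saml/saml/SSO"
# Fixed "SP clock" matching the constructed timestamps; use datetime.now(timezone.utc) for a live capture.
SAMPLE_NOW = datetime(2016, 9, 16, 18, 49, 30, tzinfo=timezone.utc)
LATE_NOW = SAMPLE_NOW + timedelta(minutes=20)   # an SP whose clock is 20 minutes off

# Constructed responses (IDs, issuer and hostnames are made up). The first reproduces the
# OneLogin misconfiguration where Destination is the unexpanded placeholder {recipient}.
BAD_DESTINATION_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{recipient}"
    ID="R1" Version="2.0" IssueInstant="2016-09-16T18:49:09Z">
  <saml:Issuer>https://idp.example.com/saml/metadata/123456</saml:Issuer>
</samlp:Response>"""

GOOD_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="%s"
    ID="R2" Version="2.0" IssueInstant="2016-09-16T18:49:09Z">
  <saml:Issuer>https://idp.example.com/saml/metadata/123456</saml:Issuer>
  <saml:Assertion ID="A2" Version="2.0" IssueInstant="2016-09-16T18:49:09Z">
    <saml:Issuer>https://idp.example.com/saml/metadata/123456</saml:Issuer>
    <saml:Conditions NotBefore="2016-09-16T18:48:39Z" NotOnOrAfter="2016-09-16T18:54:09Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (ACS_URL, ACS_URL)


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2016-09-16T18:49:09Z; fractional seconds are ignored."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(root, acs_url, sp_entity_id, now, response_skew=60):
    """Re-run the SP-side checks that produce 'Given URL is not well formed' and
    'Error validating SAML message'. Returns a list of findings; an empty list means
    the response passes. response_skew is the Building Block's ResponseSkew in seconds."""
    findings = []
    skew = timedelta(seconds=response_skew)

    dest = root.get("Destination")
    if dest is None:
        findings.append("Destination attribute missing")
    else:
        parts = urlsplit(dest)
        if not parts.scheme or not parts.netloc:
            findings.append("Destination %r is not an absolute URL (SP raises 'Given URL is not well formed')" % dest)
        elif dest != acs_url:
            findings.append("Destination %r does not match ACS URL %r" % (dest, acs_url))

    issued = root.get("IssueInstant")
    if issued and abs(now - saml_time(issued)) > skew:
        findings.append("IssueInstant %s is more than %ds from the SP clock (%s)"
                        % (issued, response_skew, now.isoformat()))

    conditions = root.find(".//saml:Assertion/saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < saml_time(not_before):
            findings.append("assertion not yet valid (NotBefore %s)" % not_before)
        if not_on_or_after and now - skew >= saml_time(not_on_or_after):
            findings.append("assertion expired (NotOnOrAfter %s)" % not_on_or_after)
        audiences = [a.text for a in conditions.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:
            findings.append("Audience %s does not include the SP Entity ID %r" % (audiences, sp_entity_id))
    return findings


def check_sample(xml_text, now=SAMPLE_NOW, acs_url=ACS_URL):
    """Validate a decoded response, using acs_url as both the ACS URL and the SP Entity ID."""
    return validate_response(ET.fromstring(xml_text), acs_url, acs_url, now)


if __name__ == "__main__":
    print("bad destination:", check_sample(BAD_DESTINATION_XML))
    print("good:", check_sample(GOOD_XML))
    print("good, SP clock 20 min off:", check_sample(GOOD_XML, now=LATE_NOW))
```

Run it against a real capture by base64-decoding the SAMLResponse form field and passing the XML to check_sample with now=datetime.now(timezone.utc), the ACS URL from the Service Provider Settings page, and the ResponseSkew configured in the Building Block. The ordering mirrors the SP: an unparseable Destination fails before any timing or audience check is reached, which is why the OneLogin case surfaces as a URL error rather than a validation error.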
Active Directory Federation Services (ADFS)
The attribute names in the Map SAML Attributes section on the SAML Authentication Settings page in the Blackboard Learn GUI are case sensitive. So if the Remote User ID has sAMAccountName as the Attribute Name on the settings page and the actual SAML POST from the IdP has this Attribute Name in the AttributeStatement:
<AttributeStatement>
<Attribute Proper name="SamAccountName>
<AttributeValue>Examination-User</AttributeValue>
</Aspect>
</AttributeStatement>
the user will not be able to log in. The Remote User ID attribute name on the SAML Authentication Settings page would need to be changed from sAMAccountName to SamAccountName (or, alternatively, the ADFS claim rule changed to issue the outgoing claim type the SP expects).
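The following Python script is an added example, not code from Blackboard or from the SAML Building Block. It reproduces the SP-side lookup described here and in the "Attribute not properly mapped" section above: decode the base64 SAMLResponse form field captured with SAML tracer, list every attribute the IdP released, and look up the configured Remote User ID name the way the SP does, as an exact, case-sensitive match, reporting a near-miss on case separately so the ADFS SamAccountName/sAMAccountName situation is spotted immediately. The embedded response, its issuer, hostnames and attribute values are constructed for the example.

```python
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: what the SAMLResponse form field decodes to for an unencrypted ADFS
# assertion. Issuer, hostnames, IDs and values are made up for this example.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2016-06-28T16:48:12Z" Destination="https://learn.example.edu/auth-saml/saml/SSO">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-06-28T16:48:12Z">
    <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="SamAccountName">
        <saml:AttributeValue>Test-User</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>bbuser_saml2@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The HTTP-POST binding carries the response base64-encoded in the SAMLResponse form field;
# this is the string SAML tracer shows before decoding it.
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(saml_response_param):
    """Decode the base64 SAMLResponse form field into an ElementTree root.
    Only feed this captures from your own IdP; for untrusted XML parse with defusedxml."""
    return ET.fromstring(base64.b64decode(saml_response_param))


def released_attributes(root):
    """Return {Attribute Name: [values]} for every Attribute in the response, whatever
    namespace prefix the IdP uses. An encrypted assertion has no readable
    AttributeStatement, so the result is then empty."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def check_remote_user_id(attrs, configured_name):
    """Look up the Remote User ID the way the SP does: exact, case-sensitive Name match.
    Returns (value, diagnostic); value is None whenever Learn would log
    'userName is null or empty'."""
    if configured_name in attrs:
        values = attrs[configured_name]
        if values and values[0]:
            return values[0], "ok"
        return None, "attribute released but empty"
    near = [name for name in attrs if name.lower() == configured_name.lower()]
    if near:
        return None, "case mismatch: IdP sends %r, settings page has %r" % (near[0], configured_name)
    if not attrs:
        return None, "no readable AttributeStatement (assertion encrypted or nothing released)"
    return None, "not released; IdP sends %s" % sorted(attrs)


if __name__ == "__main__":
    attrs = released_attributes(decode_saml_response(SAMPLE_POST_PARAM))
    for name, values in attrs.items():
        print("%-45s %s" % (name, values))
    for configured in ("sAMAccountName", "SamAccountName"):
        print(configured, "->", check_remote_user_id(attrs, configured))
```

Paste the SAMLResponse value from the tracer's POST tab in place of SAMPLE_POST_PARAM and the configured Remote User ID in place of the two names in the loop. The lookup keys on the attribute's namespace URI rather than its prefix, so a saml2: prefix (as in the OneLogin output above) is handled the same as saml:.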
"Resource not found" or "Sign on error!" alert
This section contains some of the common problems that may prevent a user from logging into Learn via SAML authentication with ADFS when The specified resource was not found, or you do not have permission to access it or a Sign On Error! message is displayed in the Blackboard Learn GUI.
Problem #1
After entering the login credentials on the ADFS login page, an error may be displayed after being redirected to the Blackboard Learn GUI: The specified resource was not found, or you do not have permission to access it.
With a corresponding message in the stdout-stderr log:
INFO | jvm 1 | 2016/06/22 06:08:33 | - No mapping found for HTTP request with URI [/auth-saml/saml/SSO] in DispatcherServlet with name 'saml'
The message comes from the noHandlerFound() method in Spring's DispatcherServlet.java, which runs when the servlet cannot map the HTTP SSO request to any handler and therefore answers with 404:
/**
* No handler found -> set appropriate HTTP response status.
* @param request current HTTP request
* @param response current HTTP response
* @throws Exception if preparing the response failed
*/
protected void noHandlerFound(HttpServletRequest request, HttpServletResponse response) throws Exception {
if (pageNotFoundLogger.isWarnEnabled()) {
pageNotFoundLogger.warn("No mapping found for HTTP request with URI [" + getRequestUri(request) +
"] in DispatcherServlet with name '" + getServletName() + "'");
}
if (this.throwExceptionIfNoHandlerFound) {
throw new NoHandlerFoundException(request.getMethod(), getRequestUri(request),
new ServletServerHttpRequest(request).getHeaders());
}
else {
response.sendError(HttpServletResponse.SC_NOT_FOUND);
}
}
Resolution
This typically occurs because the Entity ID for the SP configured in the Blackboard Learn GUI is incorrect. This can be resolved by navigating to System Admin > Authentication > SAML Authentication Settings > Service Provider Settings and updating the Entity ID. For ADFS, the default configuration for the Entity ID would be https://[Learn Server Hostname]/auth-saml/saml/SSO. The Relying Party Trust identifier configured in ADFS must be the same string, since that is the value ADFS places in the assertion's Audience element.
If a school changes their URL from the default https://school.blackboard.com to https://their.school.edu, the Entity ID in the Blackboard Learn GUI on the SAML Authentication Settings page should be updated to https://their.school.edu/auth-saml/saml/SSO.
Problem #2
After entering the login credentials on the ADFS login page, an error may be displayed after being redirected to the Blackboard Learn GUI: The specified resource was not found, or you do not have permission to access it.
With this corresponding message in the stdout-stderr log:
INFO | jvm 1 | 2016/06/22 06:08:33 | - No mapping found for HTTP request with URI [/auth-saml/saml/SSO] in DispatcherServlet with name 'saml'
And this message in the catalina log:
ERROR 2016-06-27 10:47:03,664 connector-6: userId=_2_1, sessionId=62536416FB80462298C92064A7022E50 org.opensaml.xml.encryption.Decrypter - Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:596)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
[SNIP]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)
at javax.crypto.Cipher.init(Cipher.java:1393)
at javax.crypto.Cipher.init(Cipher.java:1327)
at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1820)
... 205 more
And this message displayed in the bb-services log:
2016-06-27 10:47:03 -0400 - unsuccessfulAuthentication - org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:100)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor3422.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at sun.reflect.GeneratedMethodAccessor3421.invoke(Unknown Source)
[SNIP]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
... 229 more
The problem occurs because by default ADFS encrypts the assertion it sends using AES-256, and the Java runtime used by Blackboard Learn doesn't support 256-bit AES out of the box: a JRE running with the restricted JCE policy refuses keys longer than 128 bits, which is the InvalidKeyException: Illegal key size in the catalina log. The SP then has no decrypted assertion to validate, hence the secondary "Response doesn't have any valid assertion" error in the bb-services log. Installing the JCE Unlimited Strength Jurisdiction Policy files in the Learn JRE (or moving to Java 8u161 or later, where the unlimited policy is enabled by default) removes the limit on the SP side, at the cost of a Learn restart.
Resolution
A universal resolution option is to open PowerShell on the ADFS server and set the relying party created for Blackboard Learn to send the claims unencrypted. The response is still signed by ADFS and carried over TLS, so the integrity of the authentication is unchanged; what changes is the confidentiality of the assertion contents. With the HTTP-POST binding the response passes through the user's browser, so the released attributes become readable there and in anything on that path (including tracers and proxies), which is worth weighing against the attributes you release. It also makes debugging easier, because the attributes can be viewed with tools such as the Firefox SAML tracer add-on, and a restart of Blackboard Learn is not required. To set the relying party created for Blackboard Learn to send the claims unencrypted, open PowerShell and execute the following command, replacing the TargetName value with the name of the Relying Party Trust shown in the ADFS Management Console under Trust Relationships > Relying Party Trusts:
Set-AdfsRelyingPartyTrust -TargetName "yourlearnserver.blackboard.com" -EncryptClaims $False
After this change the ADFS service will need to be restarted with the command: Restart-Service adfssrv
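Before changing the relying party, it is worth confirming from a capture that the response really carries an encrypted assertion and which algorithm it uses, since "Illegal key size" only arises for keys longer than 128 bits. The following Python script is an added example, not code from Blackboard, ADFS or the SAML Building Block. It reads a decoded SAML Response, reports whether the assertion is encrypted, the data-encryption and key-transport algorithms declared in the EncryptedData element, and the key length the data algorithm implies, and flags the case that needs the unlimited JCE policy on the SP. Both embedded responses are constructed for the example (placeholder cipher text, made-up issuer and hostnames); the algorithm table covers the XML Encryption block-cipher URIs.

```python
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Key length implied by the XML Encryption data-encryption algorithm URI. Anything above
# 128 bits fails with 'Illegal key size' on a JRE running the restricted JCE policy.
KEY_BITS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": 128,
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": 192,
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": 256,
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": 168,
    "http://www.w3.org/2009/xmlenc11#aes128-gcm": 128,
    "http://www.w3.org/2009/xmlenc11#aes192-gcm": 192,
    "http://www.w3.org/2009/xmlenc11#aes256-gcm": 256,
}

# Constructed sample of an ADFS response with the default encrypted assertion. CipherValue
# contents are placeholders; issuer, IDs and hostnames are made up.
ENCRYPTED_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2016-06-27T14:47:03Z" Destination="https://learn.example.edu/auth-saml/saml/SSO">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>QUFB</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>QUFB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample of the same response after EncryptClaims was turned off.
PLAINTEXT_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2016-06-27T14:47:03Z" Destination="https://learn.example.edu/auth-saml/saml/SSO">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2016-06-27T14:47:03Z">
    <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

ENCRYPTED_POST_PARAM = base64.b64encode(ENCRYPTED_RESPONSE_XML.encode()).decode()


def encryption_summary(root):
    """Describe how the assertion in a decoded SAML Response is protected."""
    enc_assertion = root.find("saml:EncryptedAssertion", NS)
    if enc_assertion is None:
        return {"encrypted": False, "assertions": len(root.findall("saml:Assertion", NS))}
    data_method = enc_assertion.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    # EncryptedKey may sit inside ds:KeyInfo or beside EncryptedData, so search the subtree.
    key_method = enc_assertion.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    data_alg = data_method.get("Algorithm") if data_method is not None else None
    return {
        "encrypted": True,
        "data_algorithm": data_alg,
        "key_bits": KEY_BITS.get(data_alg),
        "key_transport": key_method.get("Algorithm") if key_method is not None else None,
    }


def needs_unlimited_policy(summary):
    """True when decrypting needs a symmetric key longer than 128 bits, i.e. the case that
    produces 'Illegal key size' on a JRE with the restricted JCE policy."""
    return bool(summary["encrypted"] and (summary["key_bits"] or 0) > 128)


def summarize_xml(xml_text):
    return encryption_summary(ET.fromstring(xml_text))


def summarize_post_param(saml_response_param):
    """Same, starting from the raw base64 SAMLResponse form field."""
    return encryption_summary(ET.fromstring(base64.b64decode(saml_response_param)))


if __name__ == "__main__":
    for label, xml_text in (("encrypted", ENCRYPTED_RESPONSE_XML), ("plaintext", PLAINTEXT_RESPONSE_XML)):
        summary = summarize_xml(xml_text)
        print(label, summary, "needs unlimited JCE policy:", needs_unlimited_policy(summary))
```

SAML tracer can decode an encrypted response only as far as this script does: the EncryptedData envelope is visible, the AttributeStatement inside it is not. If the summary reports 256-bit AES and Learn logs Illegal key size, either of the two fixes above (unlimited JCE policy on the SP, or EncryptClaims $False on the relying party) applies; if it reports no encryption at all, the Illegal key size error has a different cause and disabling encryption will not help.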
Problem #3
After entering the login credentials on the ADFS login page, an error may be displayed after being redirected to the Blackboard Learn GUI: The specified resource was not found, or you do not have permission to access it or Sign On Error!
With either of these similar corresponding SAML related events in the stdout-stderr log:
INFO | jvm 1 | 2016/09/06 20:33:04 | - /saml/login?apId=_107_1&redirectUrl=https%3A%2F%2Fbb.fraser.misd.net%2Fwebapps%2Fportal%2Fexecute%2FdefaultTab at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO | jvm 1 | 2016/09/06 20:33:04 | - No HttpSession currently exists
INFO | jvm 1 | 2016/09/06 20:33:04 | - No SecurityContext was available from the HttpSession: null. A new one will be created.
INFO | jvm 1 | 2016/09/06 20:33:04 | - /saml/login?apId=_107_1&redirectUrl=https%3A%2F%2Fbb.fraser.misd.net%2Fwebapps%2Fportal%2Fexecute%2FdefaultTab at position 2 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
INFO | jvm 1 | 2016/09/06 20:33:04 | - /saml/login?apId=_107_1&redirectUrl=https%3A%2F%2Fbb.fraser.misd.net%2Fwebapps%2Fportal%2Fexecute%2FdefaultTab at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
INFO | jvm 1 | 2016/09/06 20:33:04 | - /saml/login?apId=_107_1&redirectUrl=https%3A%2F%2Fbb.fraser.misd.net%2Fwebapps%2Fportal%2Fexecute%2FdefaultTab at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
INFO | jvm 1 | 2016/09/06 20:33:04 | - Checking match of request : '/saml/login'; against '/saml/login/**'
INFO | jvm 1 | 2016/09/06 20:33:04 | - /saml/login?apId=_107_1&redirectUrl=https%3A%2F%2Fbb.fraser.misd.net%2Fwebapps%2Fportal%2Fexecute%2FdefaultTab at position 1 of 1 in additional filter chain; firing Filter: 'SAMLEntryPoint'
INFO | jvm 1 | 2016/09/06 20:33:04 | - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
INFO | jvm 1 | 2016/09/06 20:33:04 | - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
INFO | jvm 1 | 2016/09/06 20:33:04 | - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO | jvm 1 | 2016/09/06 20:33:04 | - SecurityContextHolder now cleared, as request processing completed
INFO | jvm 1 | 2016/09/06 20:33:07 | - /saml/SSO at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO | jvm 1 | 2016/09/06 20:33:07 | - HttpSession returned null object for SPRING_SECURITY_CONTEXT
INFO | jvm 1 | 2016/09/06 20:33:07 | - No SecurityContext was available from the HttpSession: [email protected] A new one will be created.
INFO | jvm 1 | 2016/09/06 20:33:07 | - /saml/SSO at position 2 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
INFO | jvm 1 | 2016/09/06 20:33:07 | - /saml/SSO at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
INFO | jvm 1 | 2016/09/06 20:33:07 | - /saml/SSO at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
INFO | jvm 1 | 2016/09/06 20:33:07 | - Checking match of request : '/saml/sso'; against '/saml/login/**'
INFO | jvm 1 | 2016/09/06 20:33:07 | - Checking match of request : '/saml/sso'; against '/saml/logout/**'
INFO | jvm 1 | 2016/09/06 20:33:07 | - Checking match of request : '/saml/sso'; against '/saml/bbsamllogout/**'
INFO | jvm 1 | 2016/09/06 20:33:07 | - Checking match of request : '/saml/sso'; against '/saml/sso/**'
INFO | jvm 1 | 2016/09/06 20:33:07 | - /saml/SSO at position 1 of 1 in additional filter chain; firing Filter: 'SAMLProcessingFilter'
INFO | jvm 1 | 2016/09/06 20:33:07 | - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
INFO | jvm 1 | 2016/09/06 20:33:07 | - Forwarding to /
INFO | jvm 1 | 2016/09/06 20:33:07 | - DispatcherServlet with name 'saml' processing POST request for [/auth-saml/saml/SSO]
INFO | jvm 1 | 2016/09/06 20:33:07 | - No mapping found for HTTP request with URI [/auth-saml/saml/SSO] in DispatcherServlet with name 'saml'
INFO | jvm 1 | 2016/09/06 20:33:07 | - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO | jvm 1 | 2016/09/06 20:33:07 | - Successfully completed request
INFO | jvm 1 | 2016/09/06 20:33:07 | - Skip invoking on
INFO | jvm 1 | 2016/09/06 20:33:07 | - SecurityContextHolder now cleared, as request processing completed
Or these similar SAML exceptions in the bb-services log:
2016-11-29 09:04:24 -0500 - unsuccessfulAuthentication - org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:100)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor853.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at sun.reflect.GeneratedMethodAccessor853.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[SNIP]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677)
at blackboard.tomcat.valves.LoggingRemoteIpValve.invoke(LoggingRemoteIpValve.java:44)
at org.apache.catalina.cadre.StandardEngineValve.invoke(StandardEngineValve.coffee:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.coffee:1110)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.procedure(AbstractProtocol.java:785)
at org.apache.tomcat.util.cyberspace.NioEndpoint$SocketProcessor.doRun(NioEndpoint.coffee:1425)
at org.apache.tomcat.util.internet.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.coffee:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.coffee:745)
Acquired by: org.opensaml.common.SAMLException: Response effect time is either too quondam or with engagement in the time to come, skew sixty, time 2016-11-29T14:03:16.634Z
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:126)
at blackboard.auth.provider.saml.customization.consumer.BbSAMLWebSSOProfileConsumerImpl.processAuthenticationResponse(BbSAMLWebSSOProfileConsumerImpl.coffee:40)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
... 230 more than
The problem occurs when the ADFS server and the Blackboard Learn application server have a time drift close to or beyond the default skew of 60 seconds: the SP compares the IssueInstant of the Response against its own clock, and a response issued outside that window is rejected.
Resolution
There are two options to resolve the issue:
- Manually syncing the clocks of the Blackboard Learn application servers and the ADFS server. For Blackboard Learn, the current time and time zone of the server can be viewed in a web browser by adding /webapps/portal/healthCheck to the end of a Blackboard Learn URL.
Example: https://mhtest1.blackboard.com//webapps/portal/healthCheck
Hostname: ip-10-145-49-11.ec2.internal
Status: Active - Database connectivity established
Running since: Sat, Dec 3, 2016 - 05:39:11 PM EST
Time of request: Thu, Dec 8, 2016 - 05:12:43 PM EST
An institution may use the above URL to compare the Blackboard Learn system time zone and clock with that of their ADFS server, and then adjust those items as necessary on the ADFS server so that they are in sync with the Blackboard Learn site.
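The clock comparison described above, as an added example in Python (not code from this page or from Blackboard): it parses the "Time of request" line of the healthCheck output (using the page's own sample), parses the RFC 1123 Date header an ADFS server returns on any HTTPS response (the header value here is constructed), and judges the drift against the 60-second default ResponseSkew. The zone-abbreviation table is an assumption that covers the common North American zones only; the page shows EST.

```python
# Added example (not from the Blackboard page or product): compare the Learn clock reported
# by /webapps/portal/healthCheck with the ADFS server clock and judge the drift against the
# 60-second default ResponseSkew. The healthCheck text is the page's sample; the ADFS
# HTTP Date header is constructed.
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# healthCheck prints a zone abbreviation, which strptime cannot resolve; this table
# (an assumption: the page only shows EST) covers the common North American zones.
ZONE_OFFSET_HOURS = {
    "UTC": 0, "GMT": 0,
    "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
    "MST": -7, "MDT": -6, "PST": -8, "PDT": -7,
}

HEALTHCHECK_SAMPLE = """Hostname: ip-10-145-49-11.ec2.internal
Status: Active - Database connectivity established
Running since: Sat, Dec 3, 2016 - 05:39:11 PM EST
Time of request: Thu, Dec 8, 2016 - 05:12:43 PM EST
"""
# Constructed: the Date header ADFS would return, e.g. from
#   curl -sI https://<ADFS Server Hostname>/adfs/ls/ | grep -i '^date:'
ADFS_DATE_HEADER = "Thu, 08 Dec 2016 22:14:02 GMT"


def parse_healthcheck_time(page_text):
    """Extract the 'Time of request' line and return it as an aware UTC datetime."""
    match = re.search(r"^Time of request:\s*(.+?)\s+([A-Z]{3,4})\s*$", page_text, re.MULTILINE)
    if not match:
        raise ValueError("no 'Time of request' line in healthCheck output")
    stamp, zone = match.groups()
    if zone not in ZONE_OFFSET_HOURS:
        raise ValueError(f"unknown zone abbreviation {zone!r}; extend ZONE_OFFSET_HOURS")
    local = datetime.strptime(stamp, "%a, %b %d, %Y - %I:%M:%S %p")
    tz = timezone(timedelta(hours=ZONE_OFFSET_HOURS[zone]))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def parse_http_date(header_value):
    """ADFS answers with an RFC 1123 Date header; normalise it to UTC."""
    return parsedate_to_datetime(header_value).astimezone(timezone.utc)


def clock_drift_seconds(learn_time, adfs_time):
    """Absolute difference between the two clocks, in whole seconds."""
    return int(abs((learn_time - adfs_time).total_seconds()))


def within_skew(drift_seconds, response_skew=60):
    """Go/no-go: the drift must stay below ResponseSkew or the Response fails validation."""
    return drift_seconds < response_skew


def report(page_text=HEALTHCHECK_SAMPLE, date_header=ADFS_DATE_HEADER, response_skew=60):
    """Summarise both clocks in UTC and whether the drift leaves the SSO flow working."""
    learn = parse_healthcheck_time(page_text)
    adfs = parse_http_date(date_header)
    drift = clock_drift_seconds(learn, adfs)
    return {
        "learn_utc": learn.isoformat(),
        "adfs_utc": adfs.isoformat(),
        "drift_seconds": drift,
        "ok": within_skew(drift, response_skew),
    }


if __name__ == "__main__":
    print(report())
```

With the page's sample time of 05:12:43 PM EST (22:12:43Z) and the constructed ADFS header at 22:14:02Z the drift is 79 seconds, so the report flags it; a drift under 60 seconds passes. Fixing the clocks with NTP on both servers is the durable fix; raising ResponseSkew only widens the replay window the check exists to limit.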
Problem #4
After entering the login credentials on the ADFS login page, an error may be displayed after being redirected to the Blackboard Learn GUI: The specified resource was not found, or you do not have permission to access it or Sign On Error!
With the following exceptions in the bb-services log:
2016-11-01 12:47:19 -0500 - unsuccessfulAuthentication - org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:100)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor929.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[SNIP]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at blackboard.auth.provider.saml.customization.consumer.BbSAMLWebSSOProfileConsumerImpl.processAuthenticationResponse(BbSAMLWebSSOProfileConsumerImpl.java:40)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
... 230 more
2016-11-01 12:47:19 -0500 - BbSAMLExceptionHandleFilter - javax.servlet.ServletException: Unsuccessful Authentication
at blackboard.auth.provider.saml.customization.filter.BbSAMLProcessingFilter.unsuccessfulAuthentication(BbSAMLProcessingFilter.java:31)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:235)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor929.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
[SNIP]
Resolution
- Navigate to the Admin Panel.
- Under Building Blocks, select Building Blocks.
- Select Installed Tools.
- Locate Authentication Provider - SAML in the list. Open the menu and select Settings.
- Under Signature Algorithm Settings, choose SHA-256 in the list. After you select the Signature Algorithm Type, restart the SAML building block to apply the new settings.
- Select Submit to save your changes.
Problem #5
After entering the login credentials on the ADFS login page, an error may be displayed after being redirected to the Blackboard Learn GUI: The specified resource was not found, or you do not have permission to access it or Sign On Error!
With the following exceptions in the bb-services log:
2017-01-04 22:52:58 -0700 - unsuccessfulAuthentication - org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:100)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor935.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[SNIP]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:252)
at blackboard.auth.provider.saml.customization.consumer.BbSAMLWebSSOProfileConsumerImpl.processAuthenticationResponse(BbSAMLWebSSOProfileConsumerImpl.java:40)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
... 214 more
As stated in the above SAML exception, the NameID element is missing from the Subject in the Response message. The problem typically occurs when the NameID is not set up as an Outgoing Claim Type in a Claims Rule for the Relying Party Trust on the institution's ADFS IdP, or when the Claims Rule for the NameID is not in the proper order for that Relying Party Trust; either way the Subject in the Response message is issued without a NameID element.
Example: NameID element is missing
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="a22ai8iig0f75ae22hd28748b12da50"
NotOnOrAfter="2017-01-03T05:57:58.234Z"
Recipient="https://yourschool.blackboard.com/auth-saml/saml/SSO"
/>
</SubjectConfirmation>
</Subject>
Example: NameID element is present
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testadfs</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="a5903d39if463ea87ieiab5135j9ji"
NotOnOrAfter="2017-01-05T04:33:12.715Z"
Recipient="https://yourschool.blackboard.com/auth-saml/saml/SSO"
/>
</SubjectConfirmation>
</Subject>
You can use the Firefox SAML tracer Add-on to view the Subject in the Response message.
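Problems #3, #4 and #5 above are the first three checks the SP runs on a Response, in that order: IssueInstant against its clock, the StatusCode, then the Subject's NameID. The following added example, not code from this page or from the Blackboard SAML Building Block, applies the same three checks to a decoded Response captured with SAML Tracer, so the cause can be named before the bb-services log is searched. The sample responses are constructed (the IdP issuer URL and `adfs.example.edu` are placeholders); the IssueInstant and SP timestamp are the ones from the Problem #3 log line.

```python
# Added example, not code from the Blackboard SAML Building Block: offline triage of a
# decoded SAML 2.0 Response for the three rejections logged above (IssueInstant outside
# the ResponseSkew window, a non-Success StatusCode, a Subject without NameID).
# Sample responses are constructed; the issuer and hostnames are placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def triage_response(response_xml, sp_now, skew_seconds=60):
    """Return findings in the order the SP checks them; an empty list passes these checks.

    sp_now is the SP's own clock; skew_seconds mirrors the ResponseSkew setting (60 by default).
    """
    root = ET.fromstring(response_xml)
    findings = []

    # Problem #3: IssueInstant is compared with the SP clock, plus or minus the skew.
    drift = abs((sp_now - parse_instant(root.get("IssueInstant"))).total_seconds())
    if drift > skew_seconds:
        findings.append(f"issue-time skew: response issued {drift:.0f}s from SP clock (limit {skew_seconds}s)")

    # Problems #4 and #7: anything but Success is rejected. Responder means the IdP
    # itself refused, so the detailed reason is in the ADFS event log, not in Learn's.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != STATUS_SUCCESS:
        message = root.find("samlp:Status/samlp:StatusMessage", NS)
        text = message.text if message is not None and message.text else "null"
        findings.append(f"status code {value}, status message is {text}")
        return findings  # no assertion is expected alongside a failure status

    # Problem #5: the Subject must carry a NameID. An EncryptedAssertion cannot be
    # inspected here (nor in SAML Tracer), so say so rather than report a false negative.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; decrypt with the SP key before checking NameID")
    elif root.find("saml:Assertion/saml:Subject/saml:NameID", NS) is None:
        findings.append("NameID element missing from Subject (check the ADFS claim rule and its order)")
    return findings


def build_response(issue_instant, status_value, name_id=None, with_assertion=True):
    """Constructed minimal Response; real ones also carry Signature, Conditions and Attributes."""
    assertion = ""
    if with_assertion:
        name_id_xml = ""
        if name_id:
            name_id_xml = (
                '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
                f"{name_id}</saml:NameID>"
            )
        assertion = (
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}">'
            "<saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>"
            f"<saml:Subject>{name_id_xml}"
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
            "</saml:Subject></saml:Assertion>"
        )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" IssueInstant="{issue_instant}" '
        'Destination="https://yourschool.blackboard.com/auth-saml/saml/SSO">'
        "<saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status_value}"/></samlp:Status>'
        f"{assertion}</samlp:Response>"
    )


def demo():
    """Reproduce the three log lines above against constructed responses."""
    issued = "2016-11-29T14:03:16.634Z"                # IssueInstant from the Problem #3 log line
    sp_clock = parse_instant("2016-11-29T14:04:24Z")  # 09:04:24 -0500 from the same log line
    return {
        "skew": triage_response(build_response(issued, STATUS_SUCCESS, "testadfs"), sp_clock),
        "responder": triage_response(build_response(issued, STATUS_RESPONDER, with_assertion=False), parse_instant(issued)),
        "no_nameid": triage_response(build_response(issued, STATUS_SUCCESS), parse_instant(issued)),
        "ok": triage_response(build_response(issued, STATUS_SUCCESS, "testadfs"), parse_instant(issued)),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["no findings"])
```

The skew case reproduces the 67-second difference between the Problem #3 log timestamp and the IssueInstant it rejected; the Responder case stops after the status check because a failure status carries no assertion, which is why the Learn log alone cannot say what ADFS objected to. Paste a SAML Tracer export into `triage_response` with the SP's clock at the time of capture to reuse it on a live case.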
Resolution
There are three methods to resolve this issue.
- Confirm the steps from the SAML B2 Setup Guide for ADFS were properly followed and make changes as needed to transform an incoming claim for the Relying Party Trust for their ADFS IdP:
  - Select Edit Claims Rule.
  - Select Add Rule.
  - On the Select Rule Template page, select Transform an Incoming Claim for the Claim rule template, then select Next.
  - On the Configure Rule page, in the Claim rule name field, type Transform Email to Name ID.
  - Incoming claim type should be SamAccountName (it must match the Outgoing Claim Type created initially in the Transform Username to NameID rule).
  - The Outgoing claim type is Name ID.
  - The Outgoing name ID format is Email.
  - Confirm Pass through all claim values is selected and select Finish.
  - Select OK to save the rule and OK again to complete the attribute mappings.
- Ensure, in the order of the Claims Rules used for their ADFS IdP, that the rule which issues the NameID element does not have any optional rules occurring before it.
- If using a custom attribute, ensure the NameID element is still issued by the Relying Party Trust, since Learn expects the ADFS IdP to release a NameID value regardless.
Problem #6
When logged into Blackboard Learn via SAML authentication, the user attempts to log out by clicking the Sign Out button on the left side of the page and then clicks the End SSO Session button; a Sign On Error! is immediately displayed.
Sign On Error!
Blackboard Learn is currently unable to log into your account using single sign-on. Contact your administrator for assistance.
For reference, the Error ID is [error ID].
With the following exception in the bb-services log:
2017-05-08 15:10:46 -0400 - BbSAMLExceptionHandleFilter Error Id: f3299757-8d4e-4fab-98cf-49cd99f4891e - javax.servlet.ServletException: Incoming SAML message failed security validation
at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:145)
at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:104)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
[SNIP]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of request simple signature failed for context issuer
at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.doEvaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:139)
at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.evaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:103)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:131)
... 244 more
The error occurs because of the Single Logout Service Type setting on the SAML Settings page: the "simple signature" that failed validation is the detached signature used by the HTTP-Redirect binding, which is what the Redirect logout endpoint on the ADFS side sends.
Resolution
The setting needs to be configured in Blackboard Learn and on the ADFS server.
For ADFS as the IdP, select the Post setting only and remove the Redirect endpoint for the Learn instance's Relying Party Trust on the ADFS server.
- In Learn, navigate to Admin > Authentication > (Provider Name) > SAML Settings > Single Logout Service Type.
- Select Post and clear the Redirect checkbox.
- In the ADFS Server, go into the Relying Party Trust for your Learn Instance.
- Select Properties > Endpoints. Two SAML logout endpoints are listed.
- Remove the Redirect endpoint. Select Remove Endpoint to remove it, then Apply and OK.
After making the above changes in Learn and the ADFS server, the End SSO Session logout button will properly sign out the user.
Problem #7
After entering the login credentials on the ADFS login page, a Sign On Error! message is displayed when redirected to Learn.
With the following SAML exception in the bb-services log:
2017-05-26 07:39:30 -0400 - unsuccessfulAuthentication - org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:100)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at blackboard.auth.provider.saml.customization.filter.BbSAMLProcessingFilter.attemptAuthentication(BbSAMLProcessingFilter.java:46)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor380.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:37)
[SNIP]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at blackboard.auth.provider.saml.customization.consumer.BbSAMLWebSSOProfileConsumerImpl.processAuthenticationResponse(BbSAMLWebSSOProfileConsumerImpl.java:56)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
... 247 more
Resolution
Starting in Blackboard Learn 3200.0.0, there is an option to regenerate the SAML encryption certificate by navigating to System Admin > Building Blocks > Authentication Provider - SAML > Settings > Regenerate Certificate. The Sign On Error! problem may occur if the Regenerate Certificate button is selected after the SP metadata has already been uploaded to the Relying Party Trust for the Learn site on the ADFS server, because ADFS then encrypts for, and verifies against, a certificate Learn no longer uses. To resolve the issue:
- Navigate to System Admin > Authentication > [SAML Provider Name] > SAML Settings.
- Select Generate next to Service Provider Metadata to save the new metadata file.
- Access your ADFS server and upload the new SP metadata to the Relying Party Trust for your Learn site.
If you generate a new certificate under the B2 settings, you need to toggle the SAML B2 to Inactive and then back to Active to force the change. Afterwards, you can return to the provider settings and generate the new metadata to import into the IdP. If you don't toggle the settings, the old certificate may still be included when you generate new metadata. The IdP won't be updated, and the next time Learn restarts it will present the new certificate; SAML authentication will break because of this mismatch.
Federation Metadata
With Active Directory Federation Services (ADFS), the metadata for an ADFS federation, typically located at https://[ADFS Server Hostname]/FederationMetadata/2007-06/FederationMetadata.xml, includes an element that is incompatible with SAML 2.0. The metadata therefore needs to be edited to delete the incompatible element before it is uploaded to the Identity Provider Settings section on the SAML Authentication Settings page in the Blackboard Learn GUI. If the metadata with the incompatible element is uploaded, an error will occur when selecting the SAML login link on the Blackboard Learn login page: Metadata for entity [entity] and role {} wasn't found. For reference, the Error ID is [error ID].
And the corresponding Java stack trace for the Error ID in the bb-services log has the following:
2016-06-21 11:42:51 -0700 - Metadata for entity https://<Learn Server Hostname>/adfs/ls/ and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found. For reference, the Error ID is c99511ae-1162-4941-b823-3dda19fea157. - org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity https://ulvsso.laverne.edu/adfs/ls/ and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found
at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntity(SAMLContextProviderImpl.java:319)
at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalContext(SAMLContextProviderImpl.java:216)
at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:126)
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146)
at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor1652.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
[SNIP]
Resolution
Since the default metadata location for an ADFS federation is https://[ADFS server hostname]/FederationMetadata/2007-06/FederationMetadata.xml:
- Download this file and open it in a text editor. Carefully delete the whole section from <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> through the closing </ds:Signature>, including the ... </X509Data></KeyInfo> block inside it:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_43879f32-9a91-4862-bc87-e98b85b51158">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>z1H1[SNIP]jaYM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FVj[SNIP]edrfNKWvsvk5A==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>FDdd[SNIP]qTNKdk5F/vf1AocDaX</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
- Upload the updated metadata XML file in the Blackboard Learn GUI on the SAML Authentication Settings page in the Identity Provider Settings section.
- Toggle the SAML authentication provider and SAML B2 Inactive/Available, while having the SAML authentication provider in 'Active' status.
If an institution is testing SAML authentication on a Blackboard Learn site and has multiple SAML authentication providers that share the same underlying ADFS IdP metadata XML file, the other SAML authentication providers will also need the updated metadata XML file uploaded in the Blackboard Learn GUI on the SAML Authentication Settings page in the Identity Provider Settings section, even if they are set to Inactive. The SAML B2 should then be toggled Inactive/Available, while having the SAML authentication provider in 'Active' status, to ensure the updated metadata XML file is recognized system-wide.
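The deletion in the step above can be scripted instead of done by hand, which avoids cutting into the wrong KeyInfo: the KeyInfo inside ds:Signature belongs to the signature over the metadata document and has to go, while the KeyInfo inside each KeyDescriptor is the IdP's token-signing certificate and has to stay. The following Python script is an added example, not code from Blackboard or Microsoft; it removes only a ds:Signature that is a direct child of EntityDescriptor and reports what remains, and it uses a constructed stand-in for FederationMetadata.xml instead of a real download (the entity ID, hostnames and certificate text are placeholders). Fetch the real file over HTTPS directly from the ADFS host, since after this step the document no longer carries a signature of its own.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Keep the conventional prefixes when the cleaned document is written back out.
ET.register_namespace("", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed stand-in for FederationMetadata.xml. The real file is much larger,
# but the shape that matters is the same: an enveloped ds:Signature as a direct
# child of EntityDescriptor, and the token-signing certificate in a KeyDescriptor.
SAMPLE_FEDERATION_METADATA = """<EntityDescriptor ID="_constructed-doc-id" entityID="http://adfs.example.edu/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-doc-id">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>CONSTRUCTED-DIGEST=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CONSTRUCTED-SIGNATURE==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>CONSTRUCTED-METADATA-SIGNING-CERT</X509Certificate></X509Data>
    </KeyInfo>
  </ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>CONSTRUCTED-TOKEN-SIGNING-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.edu/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.edu/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.edu/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def strip_enveloped_signature(metadata_xml):
    """Remove the ds:Signature over the metadata document itself.

    Only direct children of the root are touched, so the KeyDescriptor
    elements (the IdP's token-signing/encryption certificates) survive.
    Returns (cleaned_xml, number_of_signatures_removed).
    """
    root = ET.fromstring(metadata_xml)
    signatures = [c for c in list(root) if c.tag == f"{{{DS_NS}}}Signature"]
    for sig in signatures:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode"), len(signatures)


def describe_metadata(metadata_xml):
    """Summarize what Learn will read from the (cleaned) metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        "entity_id": root.get("entityID"),
        "has_enveloped_signature": any(c.tag == f"{{{DS_NS}}}Signature" for c in root),
        "key_descriptors": len(root.findall(f".//{{{MD_NS}}}KeyDescriptor")),
        # Binding suffixes of any SingleLogoutService elements, e.g. HTTP-Redirect
        "single_logout_bindings": [
            e.get("Binding").rsplit(":", 1)[-1]
            for e in root.iter(f"{{{MD_NS}}}SingleLogoutService")
        ],
    }


if __name__ == "__main__":
    cleaned, removed = strip_enveloped_signature(SAMPLE_FEDERATION_METADATA)
    print(f"removed {removed} enveloped signature(s)")
    print(describe_metadata(cleaned))
```

To use it on a real download, read FederationMetadata.xml into `metadata_xml`, write the first element of the returned tuple to a new file and upload that file in the Identity Provider Settings section. `describe_metadata` also lists the SingleLogoutService bindings present, which is the quick way to see whether the ADFS metadata carries the HTTP-Redirect logout endpoint discussed under Extra End SSO Session logout button.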
Wrong user lookup method
After entering the login credentials on the ADFS login page, the user is redirected to the Blackboard Learn GUI, but is not logged into Blackboard Learn.
The ONLY SAML authentication related event in the bb-services log is:
2016-10-18 13:03:28 -0600 - userName is null or empty
Resolution
- Log in to Blackboard Learn as administrator using the default Blackboard Learn Internal authentication.
- Navigate to System Admin > "SAML Authentication Provider Name" > Edit.
- Change the User Lookup Method from Batch Uid to Username.
Extra End SSO Session logout button
ADFS tries to add an extra End SSO Session logout button on the End all sessions? page that is displayed after first selecting the logout button at the top right in the Blackboard Learn GUI.
This is done by adding an extra SingleLogoutService to the IdP Metadata file:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your.server.name/adfs/ls/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your.server.name/adfs/ls/"/>
Since that is an optional SAML B2 IdP configuration and the signature being provided in the Redirect Endpoint is not correct, an error will occur when selecting the extra End SSO Session button on the End all sessions? page: Incoming SAML message failed security validation. Validation of request simple signature failed for context issuer. For reference, the error Id is [error ID].
The corresponding Java stack trace for the Error ID in the bb-services log has:
2016-10-17 16:57:44 -0400 - Incoming SAML message failed security validation Validation of request simple signature failed for context issuer. For reference, the Error ID is 930c7767-8710-475e-8415-2077152280e0. - org.opensaml.ws.security.SecurityPolicyException: Validation of request simple signature failed for context issuer
at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.doEvaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:139)
at org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule.evaluate(BaseSAMLSimpleSignatureSecurityPolicyRule.java:103)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:131)
at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:104)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor1652.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
[SNIP]
Resolution
- Access the ADFS Server and open the Relying Party Trust for the Blackboard Learn instance.
- Select Properties > Endpoints tab.
- In the Endpoints tab there will be 2 SAML Logout Endpoints.
- Remove the Redirect endpoint.
- Select Remove Endpoint to remove it, then Apply and OK.
After removing the Redirect endpoint, the End SSO Session button will work properly, signing out the user.
Viewing application logs with Event Viewer
When troubleshooting an ADFS SAML authentication issue, it may be necessary to also have an institution review the ADFS application logs in the Event Viewer on their ADFS server for further insight. This is particularly necessary when the SAML response from the ADFS server has a Request Denied status as seen below:
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</samlp:StatusCode>
</samlp:Status>
The SAML response can be viewed by using the Firefox browser SAML tracer Add-on.
The Request Denied status in a response typically indicates that a problem occurred when the IdP (ADFS) attempted to understand and process what the SP (Blackboard Learn) provided.
To view the ADFS application logs with the Event Viewer:
- Open the Event Viewer on the ADFS server.
- On the View menu, select Show Analytic and Debug Logs.
- In the console tree, navigate to Application and Service Logs > AD FS Tracing > Debug.
Azure Active Directory
Azure AD is Microsoft's (MS) cloud based directory and identity management service.
Send first part of email
If an institution is using Azure AD as their IdP and wishes to have only the first part of the Azure AD email username used for the Blackboard Learn username, they can configure their Azure AD IdP to use the special ExtractMailPrefix() function to remove the domain suffix from either the email or the user principal name, resulting in just the first part of the username being passed through (e.g. "joesmith" instead of joesmith@example.com).
If the Blackboard Learn Remote User ID is urn:oid:1.3.6.1.4.1.5923.1.1.1.6, the Attribute setting for the Azure IdP would look like this:
Attribute Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Attribute Value: ExtractMailPrefix()
Mail: user.userprincipalname
So with the example joesmith@example.com email username, it would be passed like this in the SAML assertion from the Azure IdP to Blackboard Learn:
<Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
<AttributeValue>joesmith</AttributeValue>
</Attribute>
Additional info about using the ExtractMailPrefix() function is available on the MS Azure documentation page.
Azure AD IdP updating certificate
After entering the login credentials on the MS Azure AD login page, a Sign On Error! may be displayed after being redirected to the Blackboard Learn GUI.
With the following exception in the bb-services log:
2016-10-13 12:03:23 +0800 - unsuccessfulAuthentication - org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:100)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor854.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:46)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:148)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:144)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
[SNIP]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at blackboard.auth.provider.saml.customization.consumer.BbSAMLWebSSOProfileConsumerImpl.processAuthenticationResponse(BbSAMLWebSSOProfileConsumerImpl.java:40)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
... 230 more
Caused by: org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:272)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 232 more
This is caused by the MS Azure AD IdP updating its certificate while the metadata XML used by the Blackboard Learn SP has not been adjusted to reflect the new certificate.
Resolution
- The new metadata XML file with the new certificate will need to be updated on the SAML Settings page in the Blackboard Learn GUI for the authentication provider.
- The SAML B2 and the authentication provider will then need to be toggled Inactive/Available, while having the SAML authentication provider in 'Active' status, to have the updated metadata with the new certificate applied.
- If a Blackboard Learn site has multiple authentication providers that share the same underlying certificate for the same underlying IdP Entity ID, ALL those authentication providers will need to be updated.
Microsoft has indicated that they will be updating certificates every six weeks from now on, and that such updates will be unannounced.
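One way to confirm this diagnosis before re-uploading anything is to compare the certificate the IdP actually signed with (visible in the assertion's KeyInfo in SAML tracer) against the certificate in the metadata currently uploaded to Learn: "Signature is not trusted or invalid" after a rotation shows up as a fingerprint that is in the response but not in the metadata. The following Python check is an added example, not Blackboard's or Microsoft's code. The metadata, response, issuer URL and certificate bytes are constructed placeholders (real X.509 DER is fingerprinted the same way), and it assumes the IdP embeds its signing certificate in the assertion's KeyInfo; when no certificate is present the check says so rather than guessing.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample certificates: placeholder bytes stand in for DER-encoded
# X.509 certificates. Fingerprinting works identically on real ones.
OLD_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert-before-rotation").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert-after-rotation").decode()


def idp_metadata_with(cert_b64):
    """Constructed IdP metadata carrying one token-signing certificate."""
    return f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.edu/constructed">
  <IDPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


METADATA_UPLOADED_TO_LEARN = idp_metadata_with(OLD_CERT_B64)  # what the SP still trusts
METADATA_AFTER_ROTATION = idp_metadata_with(NEW_CERT_B64)     # freshly re-downloaded

# Constructed assertion as captured with SAML tracer after the IdP rotated its key.
# Only KeyInfo matters for this check; SignedInfo/SignatureValue are stubs.
RESPONSE_AFTER_ROTATION = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_constructed-r1" Version="2.0">
  <saml:Issuer>https://idp.example.edu/constructed</saml:Issuer>
  <saml:Assertion ID="_constructed-a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/constructed</saml:Issuer>
    <ds:Signature xmlns:ds="{DS_NS}">
      <ds:SignedInfo/>
      <ds:SignatureValue>constructed</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def cert_fingerprints(xml_text):
    """SHA-256 fingerprints of every X509Certificate element in the document."""
    root = ET.fromstring(xml_text)
    fingerprints = set()
    for cert in root.iter(f"{{{DS_NS}}}X509Certificate"):
        der = base64.b64decode("".join((cert.text or "").split()))  # drop PEM-style line breaks
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def check_signing_cert(metadata_xml, response_xml):
    """Compare the certificate(s) the IdP presented in the response against
    the ones the uploaded metadata trusts. Returns (ok, detail)."""
    trusted = cert_fingerprints(metadata_xml)
    presented = cert_fingerprints(response_xml)
    if not presented:
        return False, "response carries no X509Certificate; cannot compare by fingerprint"
    unknown = sorted(presented - trusted)
    if unknown:
        return False, f"signed with {len(unknown)} certificate(s) not in the uploaded metadata: {unknown}"
    return True, "signing certificate matches the uploaded metadata"


if __name__ == "__main__":
    for label, md in (("stale metadata", METADATA_UPLOADED_TO_LEARN),
                      ("re-downloaded metadata", METADATA_AFTER_ROTATION)):
        print(label, "->", check_signing_cert(md, RESPONSE_AFTER_ROTATION))
```

On a live site, `metadata_xml` is the file uploaded in Identity Provider Settings and `response_xml` is the decoded SAMLResponse from SAML tracer; a mismatch means the metadata must be re-downloaded from the IdP and the provider toggled as described above. Because Microsoft rotates unannounced, the same comparison run on a schedule against the IdP's published metadata gives early warning before users see Sign On Error!.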
IdP-initiated single sign on
If a user first logs into their user portal and then selects the app for their Blackboard Learn site, a new browser tab opens to display a message: The specified resource was not found, or you do not have permission to access it.
With the corresponding SAML related events in the stdout-stderr.log:
INFO | jvm 1 | 2016/08/16 10:49:22 | - /saml/SSO at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO | jvm 1 | 2016/08/16 10:49:22 | - HttpSession returned null object for SPRING_SECURITY_CONTEXT
INFO | jvm 1 | 2016/08/16 10:49:22 | - No SecurityContext was available from the HttpSession: [email protected] A new one will be created.
INFO | jvm 1 | 2016/08/16 10:49:22 | - /saml/SSO at position 2 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
INFO | jvm 1 | 2016/08/16 10:49:22 | - /saml/SSO at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
INFO | jvm 1 | 2016/08/16 10:49:22 | - /saml/SSO at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
INFO | jvm 1 | 2016/08/16 10:49:22 | - Checking match of request : '/saml/sso'; against '/saml/login/**'
INFO | jvm 1 | 2016/08/16 10:49:22 | - Checking match of request : '/saml/sso'; against '/saml/logout/**'
INFO | jvm 1 | 2016/08/16 10:49:22 | - Checking match of request : '/saml/sso'; against '/saml/bbsamllogout/**'
INFO | jvm 1 | 2016/08/16 10:49:22 | - Checking match of request : '/saml/sso'; against '/saml/sso/**'
INFO | jvm 1 | 2016/08/16 10:49:22 | - /saml/SSO at position 1 of 1 in additional filter chain; firing Filter: 'SAMLProcessingFilter'
INFO | jvm 1 | 2016/08/16 10:49:22 | - Forwarding to /
INFO | jvm 1 | 2016/08/16 10:49:22 | - DispatcherServlet with name 'saml' processing POST request for [/auth-saml/saml/SSO]
INFO | jvm 1 | 2016/08/16 10:49:22 | - No mapping found for HTTP request with URI [/auth-saml/saml/SSO] in DispatcherServlet with name 'saml'
INFO | jvm 1 | 2016/08/16 10:49:22 | - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO | jvm 1 | 2016/08/16 10:49:22 | - Successfully completed request
INFO | jvm 1 | 2016/08/16 10:49:22 | - Skip invoking on
INFO | jvm 1 | 2016/08/16 10:49:22 | - SecurityContextHolder now cleared, as request processing completed
The Service Provider Settings section of the SAML Authentication Settings page has changed, and the Enable automatic SSO option should be checked to permit a user to access Blackboard Learn from their portal. If it is enabled, the ACS URL will also be changed to include an alias.
Incorrect certificate error
After entering the login credentials on the SAML authentication provider login page, a Sign On Error! may be displayed after being redirected to the Blackboard Learn GUI.
With the following DOMException and WRONG_DOCUMENT_ERR in the bb-services log:
2016-11-18 12:27:31 -0600 - WRONG_DOCUMENT_ERR: A node is used in a different document than the one that created it. For reference, the Error ID is 86ebb81d-d3a3-4da5-95ab-1c94505f4281. - org.w3c.dom.DOMException: WRONG_DOCUMENT_ERR: A node is used in a different document than the one that created it.
at org.apache.xerces.dom.ParentNode.internalInsertBefore(Unknown Source)
at org.apache.xerces.dom.ParentNode.insertBefore(Unknown Source)
at org.apache.xerces.dom.NodeImpl.appendChild(Unknown Source)
at org.opensaml.xml.encryption.Decrypter.parseInputStream(Decrypter.java:832)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:610)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at sun.reflect.GeneratedMethodAccessor1209.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at blackboard.platform.servlet.DevNonceFilter.doFilter(DevNonceFilter.java:68)
[SNIP]
The problem occurs because another B2/project changed the system property javax.xml.parsers.DocumentBuilderFactory from org.apache.xerces.jaxp.DocumentBuilderFactoryImpl to com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl.
Temporary resolution
Until a fix is released, the temporary resolution options are:
- Restart Bb services on each node.
- Turn off SAML response encryption on the IdP side. As the whole communication is over SSL, this will not reduce the security of the authentication.
No option to add SAML to Provider Order
When configuring SAML authentication, an institution may observe that there is no option to add a SAML authentication provider in the Provider Order section of the Blackboard Learn GUI when navigating to System Admin > Building Blocks: Authentication > Provider Order.
The reason there is no option to add a SAML authentication provider to the Provider Order is that redirect type providers such as CAS and SAML hand off authentication to the remote authentication source. Those are not listed in the Provider Order, as they are considered the authoritative source for authentication and handle their own authentication failures.
Test SAML connection
Beginning with the Q4 2016 release of Blackboard Learn, there is an option to test the connection for a SAML provider in the Authentication section of the Blackboard Learn GUI. The connection test will check the following items:
- Parse IdP metadata
- Connect to IdP
- Receive SAML response
- Parse SAML response
- Remote User ID match
- Log in to Blackboard Learn
To test the connection for a SAML authentication provider:
- Log in to Blackboard Learn as an administrator.
- Navigate to System Admin > Building Blocks: Authentication > "SAML Provider Name" > Test Connection.
- Enter the IdP login credentials if prompted.
The Test Connection feature can be used in lieu of manually enabling SAML debug logging in Blackboard Learn for multiple reasons.
The Identity Provider Entity ID value that is displayed on the Test Connection output page is pulled from the Issuer element in the SAML POST from the IdP to Blackboard Learn after the user has been authenticated:
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://bbpdcsi-adfs1.bbpdcsi.local/a...services/trust</Issuer>
The SAML Attribute values displayed on the Test Connection output page in the SAML Response section are pulled from the Subject and AttributeStatement elements in the SAML POST from the IdP to Blackboard Learn after the user has been authenticated:
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">luke.skywalker</NameID>
[SNIP]
</Subject>
<AttributeStatement>
<Attribute Name="SamAccountName">
<AttributeValue>luke.skywalker</AttributeValue>
</Attribute>
<Attribute Name="urn:oid:2.5.4.42">
<AttributeValue>Luke</AttributeValue>
</Attribute>
<Attribute Name="urn:oid:2.5.4.4">
<AttributeValue>Skywalker</AttributeValue>
</Attribute>
</AttributeStatement>
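As an added example (not part of the Blackboard Learn product or of this page's original content), the script below does offline what the Test Connection page and SAML tracer show: it decodes a SAMLResponse POST value and pulls out the Issuer, the nested StatusCode values (so a Responder/RequestDenied response, as in the Event Viewer section above, is reported as a denial rather than mistaken for a login that simply lacked attributes), the Subject NameID and the AttributeStatement, then resolves the value Learn would use for a given Remote User ID setting. The two responses are constructed samples modelled on the fragments above, with example.edu hostnames; the script assumes an unencrypted assertion and flags an EncryptedAssertion instead of trying to read it.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _q(ns, tag):
    """Clark-notation tag name used by ElementTree for namespaced elements."""
    return f"{{{ns}}}{tag}"


# Constructed successful response, shaped like the Subject/AttributeStatement
# fragment displayed on the Test Connection page.
SUCCESS_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-a1" Version="2.0">
    <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">luke.skywalker</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="SamAccountName"><saml:AttributeValue>luke.skywalker</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Luke</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Skywalker</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Responder/RequestDenied response: no assertion at all, which is
# why the ADFS Event Viewer logs are the next place to look.
DENIED_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed-2" Version="2.0">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def encode_for_post(xml_text):
    """Base64-encode XML the way a browser POSTs it in the SAMLResponse field."""
    return base64.b64encode(xml_text.encode()).decode()


def inspect_saml_response(saml_response_b64):
    """Decode a SAMLResponse value and extract what Test Connection displays."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # StatusCode elements nest: top level (Success/Responder/Requester), then detail.
    status_codes = [sc.get("Value").rsplit(":", 1)[-1] for sc in root.iter(_q(SAMLP, "StatusCode"))]
    issuer = root.find(_q(SAML, "Issuer"))
    name_id = root.find(f".//{_q(SAML, 'Subject')}/{_q(SAML, 'NameID')}")
    attributes = {}
    for attr in root.iter(_q(SAML, "Attribute")):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall(_q(SAML, "AttributeValue"))]
    return {
        "issuer": issuer.text if issuer is not None else None,
        "status": status_codes,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
        "has_assertion": root.find(_q(SAML, "Assertion")) is not None,
        "encrypted": root.find(_q(SAML, "EncryptedAssertion")) is not None,
    }


def remote_user_id(info, remote_user_id_setting):
    """Value Learn would match against its user record for the configured
    Remote User ID ("NameID" or an attribute Name). None means the IdP did
    not release it, which is the "Remote User ID match" failure case."""
    if remote_user_id_setting == "NameID":
        return info["name_id"]
    values = info["attributes"].get(remote_user_id_setting)
    return values[0] if values else None


if __name__ == "__main__":
    for xml_text in (SUCCESS_RESPONSE_XML, DENIED_RESPONSE_XML):
        info = inspect_saml_response(encode_for_post(xml_text))
        print(info["status"], info["issuer"], remote_user_id(info, "NameID"), info["attributes"])
```

Paste the SAMLResponse value copied from SAML tracer straight into `inspect_saml_response`; the Issuer it returns is the Identity Provider Entity ID that must match the uploaded metadata, and a `None` from `remote_user_id` for the attribute configured in Map SAML Attributes points at the IdP's claim rules rather than at Learn.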
Create a SAML hallmark provider and IdP for testing
Employ the steps beneath to create an Identity Provider (IdP) using Centrify'southward gratis SSO authentication solution.
That IdP tin can then be configured as the SAML hallmark provider in a Blackboard Learn Service Provider (SP):
Blackboard Acquire Service Provider
- Log in to the Blackboard Learn GUI as an administrator and navigate to System Admin > Authentication.
- Select Create Provider > SAML.
- Input the following settings:
- Name > SAML or anything you want.
- Authentication Provider > Inactive (for now).
- User Lookup Method > Username
- Restrict by Hostname > Use this provider for any hostnames
- Link Text > SAML Centrify Login
- Select Save and Configure.
- In the Entity ID field, set this to anything you want (but if you change it you must provide the updated Service Provider Metadata to the Identity Provider). Simply copy/paste the ACS URL.
- Under Service Provider Metadata, select Generate and save the file to your desktop.
- Under Data Source, it is recommended to create a new Data Source for this named CENTRIFY; otherwise use SYSTEM or whatever you choose.
- Next to Enable JIT Provisioning, check this box so that an account is automatically created when a user who does not yet exist attempts to log in via this SAML authentication provider. If JIT Provisioning is not selected, the user in Blackboard Learn will need to be created manually.
- In the Compatible Data Sources list, be sure to select the data sources that this authentication provider should be compatible with.
- Select Point Identity Provider for the Identity Provider Type.
- Skip the Identity Provider Metadata for now; you will upload the file after it has been created in the Centrify IdP section.
- For the Map SAML Attributes section, use NameID for the Remote User ID.
- Select Submit.
Centrify Identity Provider
- Go to the Centrify website and select Start Now.
- Enter your information to sign up and select Start Now.
- You will receive a welcome email with your admin credentials. Use them to log in to https://cloud.centrify.com.
- Select Skip on the Welcome to Centrify Identity Service window.
- In the Apps tab at the top of the page, select the Add Web Apps button.
- In the Custom tab, scroll down and select the Add button for SAML. Select Yes.
- Select Close at the bottom of the Add Web Apps window.
- Go to the Apps tab. In the Application Settings section, select the Upload SP Metadata button and upload the file that was created in Step 6 of the Blackboard Learn SP section.
- The Assertion Consumer Service URL should automatically populate after uploading the SP Metadata.
- Uncheck Encrypt Assertion. This allows the attributes being released from the IdP and sent to Blackboard Learn to be viewed using the Firefox browser SAML tracer Add-on or Chrome SAML Message Decoder. As the whole communication is over SSL, this will not reduce the security of the authentication.
- Scroll down and select Download Identity Provider SAML Metadata. Save the file to your desktop.
- Select Save and go to the next section.
- Enter a name for the Description section. Select Save and go to the next section.
- In the User Access section, select Everybody and System Administrator. Select Save.
- Do not make any selections in the Policy section.
- For the Account Mapping section, confirm that userprincipalname is entered for the Directory Service field name.
- For the Advanced section, add the following line to the bottom of the script used to generate a SAML assertion for the application:
The complete script will be:
setIssuer(Issuer);
setSubjectName(UserIdentifier);
setAudience('https://YourLearnServer.blackboard.c...saml/saml/SSO');
setRecipient(ServiceUrl);
setHttpDestination(ServiceUrl);
setSignatureType('Assertion');
setNameFormat('emailaddress');
setAttribute("NameID", LoginUser.Get("userprincipalname"));
The added setAttribute line allows the Centrify IdP to release an AttributeStatement containing the User ID in the SAML POST.
Example:
<AttributeStatement>
<Attribute Name="NameID"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<AttributeValue>luke.skywalker@blackboard.com.47</AttributeValue>
</Attribute>
</AttributeStatement>
More on specifying assertion elements in the Centrify SAML script
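The AttributeStatement above (and the givenName/sn OID attributes shown earlier on this page) are what Learn reads when it maps Remote User ID to NameID. The following is an added example, not Blackboard's or Centrify's code: it parses an unencrypted SAML 2.0 response of that shape with Python's standard library, translates the urn:oid attribute names to their LDAP friendly names, pulls out the value Learn would use as the Remote User ID, and checks the Issuer, Audience, Recipient and Destination that the Centrify script sets (setIssuer, setAudience, setRecipient, setHttpDestination) against the SP configuration. The hostnames, entity IDs and the sample response are constructed, and the example assumes the SP Entity ID equals the ACS URL, as the setAudience line above does.

```python
"""Parse a SAML 2.0 response and compare it with the Learn SP configuration.

Added example, not code from Blackboard Learn or Centrify. All URLs,
entity IDs and the sample response below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Friendly names for the urn:oid attribute names shown earlier on this page
OID_NAMES = {
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
}

# Constructed SP configuration (assumed values, not from a real Learn instance).
# The Entity ID is assumed to equal the ACS URL, matching the setAudience line.
ACS_URL = "https://learn.example.edu/auth-saml/saml/SSO"
SP_ENTITY_ID = ACS_URL
IDP_ENTITY_ID = "https://idp.example.com/"

# Constructed sample response, modelled on the AttributeStatement above.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}"
    xmlns:saml2="{NS['saml2']}" Destination="{ACS_URL}">
  <saml2:Assertion>
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>luke.skywalker@example.edu</saml2:NameID>
      <saml2:SubjectConfirmation>
        <saml2:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>{SP_ENTITY_ID}</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="NameID"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>luke.skywalker@example.edu</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="urn:oid:2.5.4.42">
        <saml2:AttributeValue>Luke</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="urn:oid:2.5.4.4">
        <saml2:AttributeValue>Skywalker</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def _assertion(response_xml):
    """Return (root Response element, first Assertion element)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the response")
    return root, assertion


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from the AttributeStatement,
    translating known urn:oid names to their LDAP friendly names."""
    _, assertion = _assertion(response_xml)
    attrs = {}
    for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[OID_NAMES.get(name, name)] = values
    return attrs


def remote_user_id(response_xml, mapped_attribute="NameID"):
    """Value Learn would use as the Remote User ID when the Map SAML
    Attributes section points Remote User ID at `mapped_attribute`.
    Exactly one non-empty value is required; anything else is a mapping error."""
    values = extract_attributes(response_xml).get(mapped_attribute, [])
    if len(values) != 1 or not values[0]:
        raise ValueError(f"expected one non-empty {mapped_attribute!r} value, got {values}")
    return values[0]


def check_assertion(response_xml, sp_entity_id, acs_url, idp_entity_id):
    """Compare Issuer, Audience, Recipient and Destination with the SP
    configuration; return a list of mismatches (empty means consistent).
    This does not verify the XML signature; Learn does that itself."""
    root, assertion = _assertion(response_xml)
    problems = []
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != IdP entity ID {idp_entity_id!r}")
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"SP entity ID {sp_entity_id!r} not in Audience {audiences}")
    scd = assertion.find(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    return problems


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_RESPONSE))
    print("Remote User ID:", remote_user_id(SAMPLE_RESPONSE))
    print(check_assertion(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID)
          or "assertion consistent with SP configuration")
```

To use this with a real login attempt, paste the decoded response from SAML tracer or SAML Message Decoder into SAMPLE_RESPONSE and set the three configuration values to what the Learn SAML Settings page shows. A non-empty list from check_assertion points at the mismatched field (for example an Audience that still carries an old Entity ID after it was changed on the SP side), which is the usual cause behind a generic authentication failure in bb-services-log.txt.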
- Select Save.
- No changes should need to be made to the remaining sections (App Gateway, Changelog and Workflow).
- In the Apps tab, confirm the SAML app was automatically deployed.
- In the Users tab, select Add Users, enter the account info for a user, and select Create User.
- Log back into the Blackboard Learn GUI as an administrator, navigate to System Admin > Authentication > SAML Authentication Provider Name > SAML Settings > Identity Provider Settings, upload the IdP Metadata file that was saved to your desktop in Step 13 and select Submit.
The Centrify IdP user that was created can now log in to Blackboard Learn via SAML by selecting that authentication provider on the login page, and log out of Blackboard Learn using the extra End SSO Session logout button on the End all sessions? page that is displayed after selecting the logout button at the top right of Blackboard Learn.
Change text on End SSO Session logout page
An institution may ask if it is possible to change the text on the End SSO Session logout page. It is possible by editing the Language Pack:
- Open the Language Pack file.
- Navigate to auth-provider-saml/src/main/webapp/WEB-INF/bundles/bb-manifest-en_US.properties.
- Update the Message Keys:
saml.single.logout.warning.conent.description // the first line
saml.single.logout.warning.conent.recommend // second line
saml.single.logout.warning.endsso.title // third line
saml.single.logout.warning.endsso.button // the button
saml.single.logout.warning.backtolearn // the cancel button
Redirect users to the IdP login page
The standard Blackboard Learn login page presents username and password fields for the default Learn Internal authentication provider. When you enable SAML authentication, a small "Sign in using..." link for SAML appears at the bottom of this page, so you may want to redirect users to the IdP's authentication server automatically when they access the Learn login page.
One option to achieve this is to navigate to System Admin > Authentication and set the default Learn Internal authentication to Inactive, which means a login page is no longer displayed and the user is immediately redirected to the SAML login. The problem with that option is that it overrides the default login URL and prevents any non-SAML user from logging in.
To avoid this issue and provide almost the same result, use a Custom Login Page. Users are redirected to the SAML authentication provider's IdP login page, but the default login link is also usable.
- Ensure the default Learn Internal authentication is active.
- On the default login page, copy the location of the provider redirect, e.g. Sign in using... SAML. Right-click on the link and select Copy Link Location.
- Navigate to System Admin > Communities > Brands and Themes > Customize Login Page.
- Select Download next to Default Login Page to download the default login JSP file.
- Open the JSP file with a text editor. Add the following sample HTML to the login JSP file and replace the URL text with the URL that was copied in Step 2.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Blackboard Learn - Redirect</title>
<meta http-equiv="REFRESH" content="0;url=https://URL_Goes_Here">
</head>
<body style="font-family: arial,sans-serif; font-size: small; color: grey; padding: 1em;">
Redirecting... <a style="color:grey" href="https://URL_Goes_Here">Go to login page</a> if you are not automatically redirected.
</body>
</html>
- Navigate to Customize Login Page in Learn again. Select Use Custom Page and then upload the updated login JSP file.
- After making the changes, select Preview on the Customize Login Page to confirm the redirect is working properly.
Users going to the main URL will now be redirected to the login page for the SAML authentication provider. Administrators can still log in using the Learn internal authentication via the default login page: /webapps/login/?action=default_login or /webapps/login/login.jsp.
More on customizing the login page in the Ultra experience
Source: https://help.blackboard.com/Learn/Administrator/SaaS/Authentication/Implement_Authentication/SAML_Authentication_Provider_Type/Common_Issues_with_SAML_Authentication