...
In the federated scenario, usernames are often supplied by Shibboleth to consuming applications in a form that includes a security domain qualifier, e.g. 'smithj@example.org', as recommended by the eduPerson specification's eduPersonPrincipalName. Using this scoped principal name directly as the Blackboard username is a possibility. However, many or most existing Blackboard deployments use unscoped usernames for existing local users.
To allow both existing local users and new federated, non-local users within a given Blackboard deployment, an option would be supplied to map the Shibboleth-supplied principal name to the username that Blackboard will use. A plugin class implementing a defined interface could be supplied in the Blackboard config to perform the translation according to an institution's local requirements.
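The mapping step described above, as an added example that is not code from the Shibboleth or Blackboard projects: the mapper class, its local-scope list and the asserting-scope parameter are assumptions, since the page does not define the plugin interface. The point it illustrates is that the scope should be stripped only for the deployment's own domains, so a federated 'smithj@other.edu' keeps its scope and cannot collide with a local 'smithj'.

```python
import re

# Constructed for this example: scopes whose users are "local" to this deployment.
LOCAL_SCOPES = {"example.org"}

# eduPersonPrincipalName shape: one local part, one '@', one scope (domain).
_EPPN_RE = re.compile(r"^(?P<user>[A-Za-z0-9._-]+)@(?P<scope>[A-Za-z0-9.-]+)$")


class PrincipalNameMapper:
    """Hypothetical mapper; stands in for the plugin interface the page mentions."""

    def __init__(self, local_scopes):
        # Domain names are case-insensitive, so compare scopes in lower case.
        self.local_scopes = {s.lower() for s in local_scopes}

    def map_username(self, eppn, asserting_scope=None):
        m = _EPPN_RE.match(eppn)
        if not m:
            # Unscoped or malformed values are rejected rather than guessed at.
            raise ValueError("malformed principal name: %r" % eppn)
        user, scope = m.group("user"), m.group("scope").lower()
        # Defensive check: the scope carried in the value must be one the
        # asserting IdP is entitled to use (Shibboleth can enforce this too).
        if asserting_scope is not None and scope != asserting_scope.lower():
            raise ValueError("scope %r not permitted for this IdP" % scope)
        if scope in self.local_scopes:
            return user                      # existing local user, unscoped
        return "%s@%s" % (user, scope)       # federated user keeps the scope


def map_or_none(eppn, asserting_scope=None):
    """Convenience wrapper: returns the mapped username, or None when rejected."""
    try:
        return PrincipalNameMapper(LOCAL_SCOPES).map_username(eppn, asserting_scope)
    except ValueError:
        return None
```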
...
- Deny - The user is denied access to the Blackboard system.
- Create - The user is created within the Blackboard system based on Shibboleth-supplied attribute data.
- Provision - The user is both created within Blackboard (if necessary) and provisioned into courses based on Shibboleth-supplied attribute data.
...
- Would local policy allow enrollments to be provisioned solely on the basis of information asserted by a user's home IdP?
- Would enrollments need to be verified against local systems of record, such as registrar data or the Student Information System?
- Need for agreement between Identity Providers and the Blackboard hosting institution on the exact manner in which courses are represented and asserted by the IdP. Is there a need to support different representations on an IdP-specific basis?
- Are users auto-deprovisioned in any manner, such as when the attribute data states that they are no longer in a particular course? (could be dangerous...) Or after a certain period of time?
Additional Issues and Questions
- Is there a need to support both Shibboleth authentication and other mechanisms (e.g. LDAP) simultaneously?
- Possibly differentiated along the lines of local users vs. non-local/federated users
- Some Blackboard components are not web based and assume/require the use of a username and password. Options for handling federated users?