The Blackboard Learn authentication framework enables users providing ID and password credentials to validate and initiate a session in Blackboard Learn. The framework also enables integrating Blackboard Learn with one or more external authentication providers.
The Blackboard Learn Authentication Framework is provided using Building Block technology with full user interface installation, management, and logging. This use of Building Blocks to provide authentication integration removes barriers and issues with system management related to custom authentication. The Authentication Framework improves the authentication integration experience by moving configuration and management of authentication providers to a user interface eliminating the need for command line authentication management. Custom authentication implementations no longer require 'special' maintenance for upgrades because all authentication now uses Blackboard Building Blocks technology.
By default, Blackboard Learn supports Central Authentication Service (CAS) and Lightweight Directory Access Protocol (LDAP), and Security Assertion Markup Language (SAML).
Lightweight Directory Access Protocol (LDAP) is an Internet standard that provides access to information from different computer systems and applications. LDAP uses a set of protocols to access information directories and retrieve information. A directory is like a database, but contains information that is more descriptive and attribute-based. Information in a directory is generally read more often than it is written or modified. LDAP allows an application, running on an institution's computer platform, to obtain information such as usernames and passwords.
Centralizing this type of information simplifies your job by providing a single point of administration. User information is provided in a single location, reducing the storage of duplicate information. This, in turn, reduces maintenance needs. LDAP authentication also enables users to have a single login and password to access a number of different applications.
Blackboard Learn supports Secure LDAP (LDAPS).
Central Authentication Service (CAS) is the most common centralized web authentication Single Sign On (SSO) protocol for intra-organization authentication.
SunGardHE Luminis 5 supports CAS, simplifying Luminis to Blackboard Learn SSO.
Security Assertion Markup Language (SAML) is an XML-based data format that can be used to authenticate and authorize users between separate systems. SAML is frequently used as a Single Sign-On (SSO) solution, including for Blackboard Learn. When properly installed and configured, SAML allows Blackboard Learn users to log in using their username and password from another institution or application. SSO saves time for both administrators and users by providing a seamless integration for logging in.
User information is passed between systems in a SAML assertion. The identity provider is the third-party host of the user's account and your Blackboard Learn instance acts as the service provider. The identity provider sends attributes that Blackboard Learn uses to create or update an account for the user. These attributes can include information such as the username, first name, last name, and email address, and are packaged in a security token such as a SAML assertion. The identity provider sends this SAML assertion to Blackboard Learn when the user enters their login information using single sign-on. If their username doesn't match anything in the system, Blackboard Learn creates a new account with the user attributes contained in the SAML assertion.
Blackboard Learn ships with an internal authenticator. This feature is oftentimes used by institutions that have not fully integrated with a third party authenticator such as LDAP or as a secondary authenticator for external users such as visiting faculty or parents.
User passwords are stored by default with the salted SHA-512 standard from the SHA-2 family as defined in the National Institute for Standards and Technology (NIST) Special Publication 180-4 Secure Hash Standard. Blackboard Learn adds the best practice of "salting" using a secure random seed of HMAC-SHA-512. The practice of salting is important because it requires greater computing requirements to crack a password, in the event user password hashes are exposed to unauthorized actors.
Blackboard Learn also supports an alternative password hashing methodology that uses the Key Derivation Function (PBKDF2) Approach. PBKDF2 is part of a family of "adaptive hashes" that have gained popularity amongst the security industry for use with hashing passwords. This approach has a "slowness" factor about them that help provide resistance from password cracking. PBKDF2 is noted by the National Institute for Standards and Technology (NIST) Special Publication 800-132 Recommendation for Password-based Key Derivation.
Authentication attempts are logged into the standardized security log. Password storage scheme configurations and user password migrations to a new password storage scheme are also logged to the standardized security log.