Background, how it works, and what is required
Institutional Authentication is a single sign-on service for Anthology Illuminate that provides seamless authentication between Blackboard Learn SaaS and Anthology Illuminate. This gives an increased level of security and control over the Anthology Illuminate Account authentication methods (see the FAQ below) and enables additional features in Anthology Illuminate.
The following is a description of Institutional Authentication, what is required, and changes in login/authentication workflows.
Anthology Illuminate currently offers two methods for sign-in: an Anthology Illuminate Account, which authenticates via an email address and password and requires accounts to be managed via support ticket; and Institutional Authentication, which uses your existing institutional credentials and can be self-managed by an institutional administrator.
Institutional Authentication provides you with greater control over who can access Anthology Illuminate, and what they can see. Institutional Authentication uses your existing usernames and passwords, and your existing name directory or identity provider, as well as authentication groups and/or system roles in Learn to drive access to Anthology Illuminate Developer and Reporting.
Institutional Authentication supports two authentication providers or “Connectors”:
- Our SAML Connector: Any SAML-based identity provider (SAML IdP: Shibboleth, ADFS, etc.)
  - SAML Connectors always use your web-based credential page as provided by you or your SAML IdP.
  - The SAML Connector requires the use of SAML groups to control who has access to Anthology Illuminate Reporting and Developer.
- Our Learn Connector: For those who use LDAP or the Blackboard Learn Default Authentication Provider.
  - Learn Connectors always use a campus-branded sign-in page.
  - The Learn Connector uses the password stored in Learn for a user. That password usually doesn’t exist if you’re using SSO into Learn, so this approach may add to the administrative load for the system administrator, who would have to set and manage passwords on users’ behalf.
- A combination of our SAML and Learn Connectors.
Anthology’s recommended authentication path is based on SAML. This is because the information and security for web application authentication as provided by SAML exceeds that provided by the older LDAP and Learn default authentication providers.
- Campuses that are not using SAML as their identity provider should consider doing so to see the full security benefits of Institutional Authentication.
- Additionally, campuses that currently separate their users between their SAML identity provider and Blackboard Learn-only accounts will need to reconsider their Learn-only user management.
Access per role
This applies to both Learn and SAML connectors:
| Reporting | Developer | Settings | Custom Reports¹ | Data Q&A² |
- Custom Reports (Author) and Data Q&A Features are available only to clients with the relevant upgrade.
- Restricted Viewers will only see content that has role-based access applied. Find out more about Role-Based Access.
- The Author role is expected to be used in combination with another role, preferably BbDataDeveloper.
Setting Up Institutional Authentication
We recognize that change can be a concern and have put our best thinking forward in making the adoption of Institutional Authentication as easy as possible.
To request Institutional Authentication setup, submit a support ticket requesting “Institutional Authentication for Anthology Illuminate”. A support representative will contact you to guide you through the adoption process.
The setup process can be significantly sped up if you are able to provide in your initial request:
- Confirmation of which identity provider you will use (SAML with groups or Learn Connector).
- The contact details of an authentication expert at your institution.
Logging In with Institutional Authentication
To log in with Institutional Authentication in Anthology Illuminate:
- Go to https://data.blackboard.com and select the Sign In button on the main page or in the top-right corner of any page.
- Select Sign in with your institutional account. You are then taken to the Anthology sign-in site.
- In the search bar, enter the name of your institution, and select it from the search results.
- Your institution’s login page will appear (either Blackboard Learn or your SAML login page). Sign in with your institutional credentials.
Does Institutional Authentication replace my institution’s SSO?
No. Institutional Authentication uses your institution’s SSO for accessing Anthology Illuminate, but does not replace it.
Does Institutional Authentication disrupt my ability to log into Blackboard Learn?
No. Institutional Authentication is designed to be as transparent to users as possible while adhering to industry best practices. While users will see some redirection on initial login, they will use the same usernames and passwords as they do now.
Will support be provided by Anthology?
Yes. Any issues with Institutional Authentication sign-in and related product access may be addressed by filing a support ticket via Behind the Blackboard.
Note that username and password assistance is provided by your campus or, provided you have a contract, by Anthology Student Services.
Is Institutional Authentication secure?
Absolutely! Institutional Authentication is built on a tech stack based on security-industry best-of-breed solutions and practices, which are also implemented by many well-known vendors: Okta™, Microsoft 365™, Azure™, and Amazon™, to name just a few.
Additionally, by not exposing name directories to external applications on the internet or requiring external application-specific usernames and passwords, we are creating a more secure authentication environment for you and your Faculty, Students, and Staff.
Example of Blackboard Single Sign-On (BbSSO) workflow.
Do logins time out?
Yes, to comply with security and legal requirements, your Anthology Illuminate session times out after 15 minutes. However, this will not log you out of other SSO-connected applications.
Who at your campus needs to be involved in Institutional Authentication Adoption?
In addition to understanding how your user accounts are managed in Blackboard Learn, Institutional Authentication adoption requires an understanding of your name directory or identity provider systems. At a minimum, the following staff should be engaged in completing the questionnaire and be available for testing Connectors:
- If using the Learn Connector: your Blackboard Learn Administrator.
- If using SAML: your Blackboard Learn Administrator and your institution’s SAML administrator or security officer.
What is the level of effort?
For Learn Connector clients, your effort is virtually nothing – we do most of the heavy lifting; your Blackboard Learn Administrator just needs to turn on the Institutional Authentication process, and future logins through Learn will be handled via Institutional Authentication.
Clients using SAML will be asked to complete a short survey and be guided through the adoption process by Anthology staff. Once Anthology has configured your SAML connection in Institutional Authentication you will need to update your IdP configuration with the information we will provide. After this step is completed the process of testing the connection may continue. Upon completion, the Learn Administrators will need to turn on the Institutional Authentication process and future logins through Learn will be handled via Institutional Authentication.
How long does the onboarding process take?
If you are not using SAML and are using the Blackboard Learn Connector, the process from request to use may take as little as two business days from start to finish. In most cases, this change may be near immediate and dependent only on enabling the feature in Blackboard Learn.
If you are using SAML the process will take longer due to the complexities of SAML configuration and testing – this time varies greatly from case to case. A minimum expectation should be on the order of seven to ten days from start to finish. We understand the time involved here and are expecting that as we continue to improve our SAML processes the time required will be reduced.
Will the service account be affected?
No. Institutional Authentication will not affect the service account, as it is not configured to use any SSO method. Service account credentials are managed on the Settings page by those with appropriate access.