Background, how Institutional Authentication works, and what is required  

Institutional Authentication is a single sign-on service for Anthology Illuminate that provides seamless authentication between Blackboard SaaS and Anthology Illuminate. This gives an increased level of security and control over the Anthology Illuminate Account authentication methods and additional features in Anthology Illuminate. 

The following is a description of Institutional Authentication, what is required, changes in login/authentication workflows, and frequently asked questions. 


Background  

Anthology Illuminate currently offers two methods for sign-in: an Anthology Illuminate Account that authenticates via an email address and password, and requires accounts to be managed via support ticket, and Institutional Authentication that uses your existing institutional credentials and can be self-managed by an institutional administrator.  

Institutional Authentication provides you with greater control over who can access Anthology Illuminate, and what they can see. Institutional Authentication uses your existing usernames and passwords, and your existing name directory or identity provider, as well as authentication groups and/or system roles in Blackboard to drive access to Anthology Illuminate Developer and Reporting. 

Institutional Authentication supports two authentication providers or connectors:  

  1. Our SAML Connector: Any SAML-based identification provider (SAML IdP: Shibboleth, ADFS, and others.)  
    • SAML Connectors always use your web-based credential page as provided by you or your SAML IdP.
    • The SAML Connector requires the use of SAML groups to control who has access to Anthology Illuminate Reporting and Developer.
  2. Our Blackboard Connector: For those who use LDAP or the Blackboard Learn Default Authentication Provider. 
    • Blackboard Connectors always use a campus branded sign-in page. 
    • The Blackboard Connector uses the password stored in Blackboard for a user, which usually doesn’t exist if you’re using single sign-on into Blackboard, so this approach may add to the administrative load for the system administrator who would have to set and manage passwords on users’ behalf. 
  3. A combination of our SAML and Blackboard Connector. 

Anthology’s recommended authentication path is based on SAML. This is because the information and security for web application authentication as provided by SAML exceeds that provided by the older LDAP and Blackboard default authentication providers.  

  • Campus’ who are not using SAML as their identity provider should consider doing so to see the full security benefits of Institutional Authentication.  
  • Additionally, campuses who currently separate their users between their SAML identity provider and Blackboard-only accounts will need to reconsider their Blackboard-only user management.

Access per role

This applies to both Blackboard and SAML connectors:

 ReportingDeveloperSettingsCustom Reports1Data Q&A2
BbDataDeveloperYYYNY
BbDataReportViewerYNNNY
BbDataRestrictedViewerY2NNNY2
BbDataAuthor3InheritedInheritedInheritedYInherited
  1. Custom Reports (Author) and Data Q&A Features are available only to clients with the relevant upgrade.
  2. Restricted Viewers will only see content that has role-based access applied. Find out more about Role-Based Access.
  3. The Author role is expected to be used in combination with another role, preferably BbDataDeveloper.

 


Setting Up Institutional Authentication   

To request Institutional Authentication setup, submit a support ticket requesting "Institutional Authentication for Anthology Illuminate." A support representative will contact you to guide you through the adoption process.   

The setup process can be significantly sped up if you're able to provide in your initial request: 

  1. Confirmation of which identity provider you will use (SAML with groups or BlackboardConnector). 
  2. The contact details of an authentication expert at your institution.

Logging In with Institutional Authentication

To login with Institutional Authentication in Anthology Illuminate:

  1. Go to https://illuminate.blackboard.com and select the Sign In button on the main page or in the top-right corner of any page.
  2. Select Sign in with your institutional account. You are then taken to the Anthology sign-in site.
  3. In the search bar, enter the name of your institution, and select it from the search results.
  4. Your institution’s login page will appear (either Blackboard or your SAML login page). Sign in with your institutional credentials.

Frequently asked questions

Does Institutional Authentication replace my institution’s single sign-on?

No. Institutional Authentication uses your institution’s single sign-on for accessing Anthology Illuminate, but does not replace it.

Does Institutional Authentication disrupt my ability to log into Blackboard?

No. Institutional Authentication is designed to be as transparent to users as possible while adhering to industry best practices. While users will see some redirection upon their initial login, they will use the same usernames and passwords as they do now.

Will support be provided by Anthology?

Yes. Any issues with Institutional Authentication sign-in and related product access may be addressed by filing a support ticket via Anthology Global Support.

Note that username and password assistance is provided by your campus or, provided you have a contract, by Anthology Student Services.

Is Institutional Authentication secure?

Institutional Authentication is built on a tech stack based on security industry best of breed solutions and practices which are also implemented by many well-known vendors: Okta™, Microsoft 365™, Azure™, and Amazon™ to name just a few.

Additionally, by not exposing name directories to external applications on the internet or requiring external application specific usernames and passwords we are creating a more secure authentication environment for you and your faculty, students, and staff.

Image describing the Institutional Authentication Single Sing-on process described in the page.

Example of Blackboard Single Sign-On (BbSSO) workflow.

Do logins time out?

Yes, to comply with security and legal requirements, your Anthology Illuminate session times out after 15 minutes. However, this will not log you out of other SSO-connected applications.

Who at your campus needs to be involved in Institutional Authentication Adoption?

In addition to understanding how your users accounts are managed in Blackboard, Institutional Authentication adoption requires an understanding of your name directory or identity provider systems. At a minimum, the following staff should be engaged in completing the questionnaire and be available for testing connectors.

Blackboard Connector: your Blackboard Administrator. 

SAML: your Blackboard Administrator and your institution’s SAML administrator or security officer.

What is the level of effort?

Your Blackboard Administrator just needs to turn on the Institutional Authentication process and future logins through Blackboard will be handled via Institutional Authentication.

Clients using SAML will be asked to complete a short survey and be guided through the adoption process by Anthology staff. Once Anthology has configured your SAML connection in Institutional Authentication you will need to update your IdP configuration with the information we will provide. After this step is completed, the process of testing the connection can continue. Upon completion, the Blackboard Administrators will need to turn on the Institutional Authentication process and future logins through Blackboard will be handled via Institutional Authentication.

How long does the onboarding process take?

If you are not using SAML and are using the Blackboard Connector, the process from request to use may take as little as two business days from start to finish. In most cases, this change may be near immediate and dependent only on turning on the feature in Blackboard.

If you are using SAML, the process will take longer due to the complexities of SAML configuration and testing. This time varies greatly from case to case. A minimum expectation should be on the order of seven to ten days from start to finish. 

Will the service account be affected?

No. Institutional Authentication will not affect the service account, as it is not configured to use any single sign-on method. Service account credentials are managed on the Settings page by those with appropriate access.