The Blackboard Learn authentication framework lets users who present a username and password authenticate and start a session in Blackboard Learn. The framework also lets you integrate Blackboard Learn with one or more external authentication providers.
The Blackboard Learn Authentication Framework is delivered as Building Blocks, with installation, management, and logging handled through the user interface. Delivering authentication integration as Building Blocks removes the system-management barriers that custom authentication used to bring: configuration and management of authentication providers moves into the user interface, so no command-line authentication management is needed, and custom authentication implementations no longer require special maintenance at upgrade time because every authentication method now uses Building Blocks technology.
By default, Blackboard Learn supports Central Authentication Service (CAS), Lightweight Directory Access Protocol (LDAP), and Security Assertion Markup Language (SAML).
Lightweight Directory Access Protocol (LDAP) is an Internet standard for accessing information held by different computer systems and applications. LDAP defines a set of operations for querying information directories and retrieving entries. A directory is like a database, but its content is more descriptive and attribute-based, and directory information is generally read far more often than it is written or modified. LDAP allows an application running on an institution's platform to look up directory information such as usernames and to verify a user's password by binding to the directory with that user's credentials.
Centralizing this type of information simplifies your job by providing a single point of administration. User information is provided in a single location, reducing the storage of duplicate information. This, in turn, reduces maintenance needs. LDAP authentication also enables users to have a single login and password to access a number of different applications.
Secure LDAP (LDAPS)
Blackboard Learn supports Secure LDAP (LDAPS), which wraps the LDAP connection in TLS so that bind credentials and directory data are not sent over the network in the clear. Use LDAPS whenever the directory server is reachable over an untrusted network, and make sure the directory server's certificate is trusted by the Learn host so the connection cannot be silently intercepted.
Central Authentication Service (CAS) is a widely used centralized web authentication Single Sign On (SSO) protocol for authentication within an organization.
SunGardHE Luminis 5 supports CAS, simplifying Luminis to Blackboard Learn SSO.
Security Assertion Markup Language (SAML) is an XML-based format for exchanging authentication and authorization data between separate systems. SAML is frequently used as a Single Sign-On (SSO) solution, including for Blackboard Learn. When properly installed and configured, SAML allows Blackboard Learn users to log in with the username and password they already hold at another institution or application. SSO saves time for both administrators and users by providing a seamless login integration.
User information is passed between systems in a SAML assertion. The identity provider is the third party that hosts the user's account, and your Blackboard Learn instance acts as the service provider. The identity provider sends attributes that Blackboard Learn uses to create or update the user's account. These attributes can include the username, first name, last name, and email address, and are packaged in a security token such as a SAML assertion. The identity provider sends this SAML assertion to Blackboard Learn when the user signs in through single sign-on. If the username doesn't match any existing account, Blackboard Learn creates a new account from the attributes contained in the SAML assertion; otherwise the existing account is updated with them.
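The attribute flow above, as an added example that is not Blackboard's own code: it takes a constructed (unsigned) SAML assertion, checks the conditions a service provider must check before trusting it (validity window with a small clock-skew allowance, and that the assertion was issued for this service provider's audience), maps the identity provider's attributes to local account fields, and then creates or updates the account. The entity ID, the attribute names in ATTRIBUTE_MAP, and the sample assertion are assumptions chosen for the example. In a real deployment the XML signature on the assertion and its enclosing Response must be verified by the SAML library before any attribute is read; that step is not shown here.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed entity ID of the Learn service provider. A real deployment takes
# this from the SAML provider configuration; it must match <saml:Audience>.
SP_ENTITY_ID = "https://learn.example.edu/saml/sp"

# Assumed mapping from IdP attribute names to local account fields. Real
# attribute names vary per IdP (urn:oid:... names, friendly names, claims).
ATTRIBUTE_MAP = {
    "uid": "username",
    "givenName": "first_name",
    "sn": "last_name",
    "mail": "email",
}

# Constructed sample assertion for this example. It is unsigned; a real SP
# verifies the XML signature before any of this code runs, and parses with a
# hardened parser (e.g. defusedxml) rather than plain ElementTree.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_e9f1c2" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://learn.example.edu/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps SAML uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion_xml: str, now: datetime,
                       clock_skew: timedelta = timedelta(minutes=3)) -> Dict[str, str]:
    """Validate the assertion's conditions and return mapped account attributes.

    Raises ValueError when the assertion must not be trusted.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    # Validity window, with a little tolerance for clock drift between IdP and SP.
    if now + clock_skew < parse_saml_time(cond.get("NotBefore")):
        raise ValueError("assertion is not yet valid")
    if now - clock_skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    # Audience check: an assertion minted for another SP must be rejected,
    # otherwise a token for some other application could log a user in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was not issued for this service provider")

    attrs: Dict[str, str] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name", ""))
        value = attr.find("saml:AttributeValue", SAML_NS)
        if field and value is not None and value.text:
            attrs[field] = value.text.strip()
    if "username" not in attrs:
        raise ValueError("assertion carries no username attribute")
    return attrs


def provision_user(users: Dict[str, dict], attrs: Dict[str, str]) -> Tuple[dict, bool]:
    """Create the account if the username is unknown, else update it.

    Returns (account, created). 'users' stands in for the Learn user store.
    """
    username = attrs["username"]
    if username in users:
        users[username].update(attrs)
        return users[username], False
    users[username] = dict(attrs)
    return users[username], True
```

The audience check is the one most often left out of hand-rolled SAML code; without it any assertion the identity provider issues for another service provider would be accepted here.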
Blackboard Learn ships with an internal authenticator. It is often used by institutions that have not fully integrated with a third-party authenticator such as LDAP, or as a secondary authenticator for external users such as visiting faculty or parents.
User passwords are stored by default as salted SHA-512 hashes. SHA-512 belongs to the SHA-2 family defined in the National Institute of Standards and Technology (NIST) FIPS Publication 180-4, Secure Hash Standard. Blackboard Learn also applies the best practice of salting, using a secure random salt with HMAC-SHA-512. Salting is important because it defeats precomputed (rainbow) tables and forces an attacker who obtains the password hashes to attack each hash separately, instead of cracking every account that shares a password at once.
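The salted scheme described above, as an added example rather than Blackboard's own implementation: each password gets a fresh random salt, the salt keys an HMAC-SHA-512 over the password, and verification recomputes the digest and compares it in constant time. The record format (`scheme$salt$digest`) and the salt length are assumptions for the example, as is the needs_migration helper that models re-hashing a legacy record on the next successful login (the migration the page says is written to the security log). One caveat the page does not state: salting stops precomputation and amortization, but SHA-512 itself is fast, so each individual guess stays cheap; a deliberately slow KDF (PBKDF2, bcrypt, scrypt, Argon2) is what raises per-guess cost.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed storage format, not Blackboard's actual on-disk representation:
#   "<scheme>$<salt hex>$<digest hex>"
SCHEME = "hmac-sha512"
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted HMAC-SHA-512 record for the given password.

    A fresh cryptographically random salt is drawn per password, so two users
    with the same password get different records and a precomputed table is
    useless. A salt may be passed in only for deterministic testing.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha512).digest()
    return f"{SCHEME}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hmac.new(salt, password.encode("utf-8"), hashlib.sha512).digest()
    # compare_digest avoids a timing side channel that would reveal how many
    # leading bytes of the candidate digest matched the stored one.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_migration(record: str) -> bool:
    """True when the stored record predates the current scheme.

    Called after a successful verify: the plaintext is in hand at that moment,
    so the record can be re-hashed under the current scheme and the change logged.
    """
    return not record.startswith(SCHEME + "$")


def same_password_collides_without_salt(pw1: str, pw2: str) -> bool:
    """Show what salting prevents: plain SHA-512 of equal passwords is equal."""
    return hashlib.sha512(pw1.encode()).digest() == hashlib.sha512(pw2.encode()).digest()
```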
Authentication attempts are logged into the standardized security log. Password storage scheme configurations and user password migrations to a new password storage scheme are also logged to the standardized security log.
Some institutions enforce Multi-Factor Authentication (MFA) to fulfill security policies and best practices. You can use a second authentication factor provided by Anthology for the internal authentication method (where a user provides a username and password).
Once you enable MFA, users begin the MFA registration process after providing a correct username and password. They can use an authenticator app of their preference or the one suggested by your institution. Instructions for logging in are the same for instructors and students and can be found in Setting up and logging in using multi-factor authentication.
At each login, users are asked for the 6-digit, time-based code generated by the authenticator app on their trusted device(s).
If a user loses access to their trusted device, they can request an MFA reset through the institution's normal support channels. The reset discards the old registration and lets the user register a new device.
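The 6-digit code flow above, as an added example (not Anthology's implementation): enrolment generates a shared secret and the otpauth URI an authenticator app scans, verification computes RFC 6238 TOTP codes for the current time step and one step either side to tolerate clock drift, a code is only accepted once so it cannot be replayed within its validity window, and a reset throws the secret away so any code from the old device stops working. The time step, digits, drift window and the MfaEnrollment class are assumptions chosen for the example; the RFC 6238 reference key is used only in the checks.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # the 6-digit code the page describes
WINDOW = 1    # accept one step either side of "now" for clock drift


def new_secret() -> bytes:
    """160-bit random shared secret, generated at registration time."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, username: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app reads from the QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{username}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter = unix time // STEP."""
    return hotp(secret, int(time.time() if at is None else at) // STEP)


class MfaEnrollment:
    """Per-user MFA state: the shared secret plus the last time step that was
    accepted, so a code already used to log in cannot be replayed."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret if secret is not None else new_secret()
        self.last_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now_step = int(time.time() if at is None else at) // STEP
        for step in range(now_step - WINDOW, now_step + WINDOW + 1):
            if step <= self.last_step:
                continue  # this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

    def reset(self) -> None:
        """What the admin 'Reset MFA' action does: discard the old secret so the
        user must register a new device, and nothing from the old one verifies."""
        self.secret = new_secret()
        self.last_step = -1
```

Because the server accepts a code for a short window, it should also rate-limit attempts: with 10^6 possible codes and three steps accepted, unlimited guessing would eventually land on a valid one.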
To set MFA to active, go to the Administrator Tool panel:
- Select Integrations
- Select Authentication
- Select Default, then Edit
- Under Multifactor Authentication, switch to Active.
To reset a user’s MFA, go to the Administrator Tool panel:
- Select Users
- Search for the user by username
- Select the menu for that user, then Reset MFA
- A pop-up asks you to confirm the action. Select OK.
MFA is only compatible with the Force to Web authentication method in the mobile app. If the institution has the native authentication method activated, users are not asked for the TOTP code when logging in to the mobile app, so the second factor is not enforced on that path. Compatibility with the native authentication method will be available in a future release.