Session management in Blackboard Learn
When a user logs into Blackboard Learn, a session is created. This session is what allows the user to continue to access the application uninterrupted.
The user's session will be timed out if they are inactive for a certain timeframe or under certain other conditions set by their institution. When the user attempts to access the Blackboard Learn system again, they will be prompted to log in. Institutions have the option of enforcing a re-authorization after a certain period of time or restricting user logins from multiple devices.
On this page, learn about:
Session control
Inactive session timeout
You can configure the maximum time a user’s session can be inactive before they are logged out. The inactive time can be configured between 15 to 480 minutes. Session cleanup is a background task, so the ending of a session will be approximately the configured time, typically within a minute or two. By default, when a user is idle for over three hours, the session ends.
The inactive session timeout configured in Learn governs the parameters of the mobile application as well as the desktop version. This means the time specified in Inactive Session Timeout in Learn overrides the Mobile Session Timeout specification configured in Building Blocks if they come into conflict.
More on setting up session timeout in mobile Blackboard App
There can be times a user is working but considered idle. This happens because the browser is not sending data to Learn. Some examples are when a user is:
- authoring a Discussion Board post (in Learn Original)
- authoring an Assignment submission in the text editor in Learn
- creating a Content Item (in Learn Original) or Ultra Document (in Learn Ultra)
A user must login again to continue to use Learn. If a user saves a page or selects a button, the session refreshes and stays active for three more hours.
Users whose session is ending soon will receive a warning at least six minutes before the session times out. Close the warning and continue working to refresh the session.
A user away from the computer for an extended time will receive the warning. Yet the user will not be able to extend their session. When the user closes the warning, they will return to the current page instead of returning to the login page. This allows the user to copy anything authored before it is lost. A user in this situation will be redirected to the login page when they select any link or button on the page.
Active session termination
Active session termination enhances data security and is in compliance with the Federal Risk and Authorization Management Program (FedRAMP).
Institutions have the option to enable active session termination to enforce user re-authentication. If enabled, users are required to log in again during their Learn session after a specified amount of time, regardless of activity. Before the session ends, users receive a warning and have the option to save their work. Once logged out, users can log in again and continue their work.
The feature is enabled by default for FedRAMP institutions and disabled for others. This setting is managed in the Administrator Tools panel > Security module > Account Lock Settings option. When enabled, you can configure active session termination to occur between three and 24 hours. The default value is 12 hours.
This feature is available for all users of the Mobile App. No action is needed from users who have enabled automatic updates on their devices. Users who have turned off automatic updates on their devices must download the update.
Concurrent session control
Based on your institution’s needs, you have the option to restrict a user from concurrently accessing Learn on multiple devices. You can allow unlimited concurrent sessions for a user but also restrict a user to two or three concurrent sessions, or only a single session. At login, a user receives a notification that they will be logged out if they exceed the number of concurrent sessions set by the institution from devices with the oldest sessions. This option enhances security and meets IL4 certification requirements.
This feature can benefit institutions that would like to increase academic honesty during assessments by restricting the number of devices used by a single user. If a user logs into a device that exceeds the number of allowed concurrent sessions, they receive the message, “You are permitted to have only X active sessions and have been logged out from another device.”
Define your institution’s preference in the Administrator Tool Panel > Security module > Account Lock Settings option. The default value for the IL4/FedRAMP boundary is two sessions allowed. Every other institution continues to have "Unlimited" as a default value.
This feature is available for all users of the Mobile App. No action is needed from users who have enabled automatic updates on their devices. Users who have turned off automatic updates on their devices must download the update.
Special considerations for custom single sign-on (SSO) authentication providers
If you use custom single sign-on (SSO) authentication providers such as CAS or SAML for your Blackboard Learn environment, two separate sessions are created and used when a user logs in with that provider: one for the SSO session and one for the Blackboard Learn session. These sessions are independent and may have different expiration timeframes. The SSO session is commonly configured to have a longer lifetime than the Blackboard Learn session, but this could vary depending on the installation.
You can configure a Blackboard Learn logout to trigger a SSO session logout. This is known as a single logout. Without this configuration, when a user logs out of Blackboard Learn, that action will only stop the Blackboard session. The SSO session remains active, so the user's web browser may still have access to other SSO applications or even Blackboard Learn again. If single logout is configured, both sessions will be destroyed at the time of logout and the user will need to log in again to access any SSO application.
Most SSO solutions are configured to destroy the session token and effectively stop the user's session when the browser is closed. To protect user security, we recommend that you advise your users to close their browsers when using any SSO solution, regardless of whether you use one with Blackboard Learn.
