The Blackboard Learn authentication framework enables users providing ID and password credentials to validate and initiate a session in Blackboard Learn. The framework also enables integrating Blackboard Learn with one or more external authentication providers.

The Blackboard Learn Authentication Framework is provided using Building Block technology, with full user interface installation, management, and logging. Using Building Blocks for authentication integration removes the system-management barriers and issues associated with custom authentication. The Authentication Framework improves the authentication integration experience by moving configuration and management of authentication providers into a user interface, eliminating the need for command-line authentication management. Custom authentication implementations no longer require 'special' maintenance during upgrades because all authentication now uses Blackboard Building Blocks technology.

Authentication-related security events are logged in the security events framework.

By default, Blackboard Learn supports Central Authentication Service (CAS), Lightweight Directory Access Protocol (LDAP), and Security Assertion Markup Language (SAML).


Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) is an Internet standard that provides access to information from different computer systems and applications. LDAP uses a set of protocols to access information directories and retrieve information. A directory is like a database, but contains information that is more descriptive and attribute-based. Information in a directory is generally read more often than it is written or modified. LDAP allows an application, running on an institution's computer platform, to obtain information such as usernames and passwords.

Centralizing this type of information simplifies your job by providing a single point of administration. User information is provided in a single location, reducing the storage of duplicate information. This, in turn, reduces maintenance needs. LDAP authentication also enables users to have a single login and password to access a number of different applications.

Secure LDAP (LDAPS)

Blackboard Learn supports Secure LDAP (LDAPS).


Single Sign On (SSO) and Central Authentication Service (CAS)

Central Authentication Service (CAS) is the most common centralized web authentication Single Sign On (SSO) protocol for intra-organization authentication.

SunGardHE Luminis 5 supports CAS, simplifying Luminis to Blackboard Learn SSO.


Shibboleth

Shibboleth allows organizations to exchange information about users securely and privately. Shibboleth is a single sign-on system that authenticates visitors to a website by accessing information stored on the user's security domain. This permits users to access controlled information securely from anywhere without additional passwords or needlessly compromising privacy. For example, if a student is taking classes at two universities, and both institutions use Shibboleth, the student may have a single username and password to access information at both institution websites.

Unlike the other providers, the Shibboleth provider shipped with Learn cannot be configured in isolation: it requires additional software installed on the Learn server and additional configuration. For this reason it is considered a custom authentication provider.


Default internal authenticator

Blackboard Learn ships with an internal authenticator. This feature is often used by institutions that have not fully integrated with a third-party authenticator such as LDAP, or as a secondary authenticator for external users such as visiting faculty or parents.

User passwords are stored by default as salted SHA-512 hashes, an algorithm from the SHA-2 family as defined in the National Institute of Standards and Technology (NIST) Special Publication 180-4, Secure Hash Standard. Blackboard Learn adds the best practice of "salting" using a secure random seed of HMAC-SHA-512. Salting is important because it increases the computing effort required to crack a password in the event that user password hashes are exposed to unauthorized actors.

Blackboard Learn also supports an alternative password hashing methodology based on the Password-Based Key Derivation Function 2 (PBKDF2). PBKDF2 belongs to a family of "adaptive hashes" that have gained popularity in the security industry for hashing passwords: they have a tunable "slowness" factor that provides resistance to password cracking. PBKDF2 is specified in the National Institute of Standards and Technology (NIST) Special Publication 800-132, Recommendation for Password-Based Key Derivation.

Authentication attempts are logged to the standardized security log. Password storage scheme configurations and user password migrations to a new password storage scheme are also logged to the standardized security log.
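The two storage schemes described above (salted SHA-512 and PBKDF2), together with the login-time migration and logging just mentioned, as an added illustration that is not Blackboard Learn's own code. The stored-record format, the iteration count and the audit messages are assumptions; the page does not describe Learn's actual on-disk format.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed record format: "<scheme>$<hex salt>$<hex digest>[$iterations]".
# This is a constructed format for illustration, not Learn's real one.
PBKDF2_ITERATIONS = 100_000  # assumed cost ("slowness") factor; the page gives no number


def hash_salted_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Scheme 1: salted SHA-512 (SHA-2 family). Fast: one hash per guess."""
    salt = salt or os.urandom(16)  # random per-user salt defeats precomputed tables
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Scheme 2: PBKDF2-HMAC-SHA512, an adaptive hash; iterations is the slowness factor."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2${salt.hex()}${dk.hex()}${iterations}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a record of either scheme, comparing in constant time."""
    parts = stored.split("$")
    scheme, salt = parts[0], bytes.fromhex(parts[1])
    if scheme == "sha512":
        candidate = hash_salted_sha512(password, salt)
    elif scheme == "pbkdf2":
        candidate = hash_pbkdf2(password, salt, int(parts[3]))
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(candidate, stored)


def login_and_migrate(password: str, stored: str, audit: List[str]) -> Tuple[bool, str]:
    """On a successful login, re-hash a legacy sha512 record under PBKDF2.

    The plaintext is only available at login, so that is the one moment a
    migration can happen. 'audit' stands in for the standardized security log.
    """
    if not verify(password, stored):
        audit.append("auth failure")
        return False, stored
    audit.append("auth success")
    if stored.startswith("sha512$"):
        stored = hash_pbkdf2(password)
        audit.append("password storage migrated: sha512 -> pbkdf2")
    return True, stored
```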


Custom authenticators

Custom Authentication Providers can be built using the Building Blocks framework. This removes the need to deploy custom jar files and manually edit Blackboard Learn configuration files between upgrades. The Blackboard Developer Community may also create and release open source Authentication Provider Building Blocks for use in Blackboard Learn. To learn more about the open source community, see http://www.oscelot.org/.