Blackboard Learn SSO with MojoAuth
Connect Blackboard Learn (SaaS) to MojoAuth using SAML 2.0. MojoAuth acts as the Identity Provider (IdP); Blackboard Learn acts as the Service Provider (SP). Once configured, students, faculty, and staff can sign in through Blackboard's authentication provider chooser (SP-initiated) or launch straight from MojoAuth's hosted login page (IdP-initiated).
How it works
Prerequisites
- A MojoAuth project (test or live) with admin access to Developers → Applications.
- A Blackboard Learn SaaS environment with System Admin access to the Administrator Panel, and permission to manage Authentication Providers (typically requires an Anthology/Blackboard support case to enable a new authentication provider type on your environment if SAML isn't already available).
- Existing Blackboard user records (created via SIS integration, Snapshot/Batch, or manually) whose Username or Batch UID you can reliably match to a MojoAuth user attribute — Blackboard's SAML provider authenticates existing accounts and does not fully replace your SIS provisioning process.
- Decide the NameID/attribute you'll send from MojoAuth (email vs. a username/Batch UID value) before configuring either side, since both must agree.
Changing authentication providers affects every user, including administrators. Keep your existing default/system (Learn local) provider active and do not mark the new SAML provider as Default until you've fully tested it with a non-admin account — see the lockout note in Troubleshooting.
Step 1 — Create the MojoAuth SAML connection
- In the MojoAuth dashboard, go to Developers → Applications → New Application → SAML 2.0 SSO.
- Enter a connection name (e.g.
Blackboard Learn – Production) and click Create connection. This creates a draft connection and auto-issues a signing certificate. - Leave this tab open — you'll come back to copy the IdP metadata URL and, later, paste Blackboard's SP Entity ID and ACS URL.
See SAML SSO Connections for the full concept walkthrough.
Step 2 — Configure Blackboard Learn
Open the Authentication Providers list
In the Administrator Panel, go to Security → Authentication (under the Security module). This lists every authentication provider configured on your environment (Blackboard local/system login, LDAP, CAS, SAML, etc.).
Create a new provider
Click Create Provider, then choose SAML from the provider type list (if SAML doesn't appear, open a support case with Anthology/Blackboard to enable it for your environment first). Give the provider a Name and Description, leave Active set to Yes, and leave Default set to No for now — you'll flip this only after testing.
Configure the SAML settings from MojoAuth's IdP metadata
On the provider's SAML Configuration section, either:
-
Upload/paste IdP metadata — the fastest path. Provide MojoAuth's IdP metadata URL:
{BASE}/saml/{projectId}/sps/{spId}/metadataBlackboard fetches (or parses the pasted XML) and fills in the IdP Entity ID, SSO Service URL, and X.509 Certificate automatically.
-
Or configure manually, entering:
Blackboard field Value IdP Entity ID / Issuer {BASE}/saml/{projectId}/sps/{spId}/metadataSSO Service URL (Login URL) {BASE}/saml/{projectId}/sps/{spId}/ssoSingle Logout (SLO) Service URL {BASE}/saml/{projectId}/sps/{spId}/sloX.509 Certificate Paste the PEM from Copy PEM (or upload the downloaded .crt) on the MojoAuth connection page
Set the NameID mapping
In the NameID Format / NameID Policy field, choose the format that matches what you'll send from
MojoAuth (emailAddress, persistent, or unspecified) and set the NameID / Subject attribute
Blackboard should read the identifying value from. This choice drives the user mapping in Step 4, so
pick it based on whether you'll match users by email or by Batch UID/username.
Save to generate Blackboard's SP details
Click Submit/Save. Blackboard generates a unique provider alias and exposes the SP metadata for this provider — either a View/Download SP Metadata link or explicit SP Entity ID and Assertion Consumer Service (ACS) URL fields on the saved provider record, typically in the form:
https://<blackboard-host>/auth-saml/saml/metadata/alias/_<id>_1 (SP Entity ID)
https://<blackboard-host>/auth-saml/saml/SSO/alias/_<id>_1 (ACS URL)Copy both — you'll paste them into MojoAuth in Step 3.
Step 3 — Give Blackboard's SP details back to MojoAuth
Back on the MojoAuth SAML connection page:
- Use Import from metadata if you downloaded Blackboard's SP metadata XML in Step 2, or choose
Manual configuration and enter:
- SP Entity ID:
https://<blackboard-host>/auth-saml/saml/metadata/alias/_<id>_1 - ACS URL:
https://<blackboard-host>/auth-saml/saml/SSO/alias/_<id>_1
- SP Entity ID:
- Set NameID format to match what you selected in Blackboard (Step 2) —
emailAddressif matching on email, orunspecified/persistentif matching on username/Batch UID. - Click Save.
Step 4 — User mapping and attributes
Blackboard's SAML provider authenticates against existing user records — it looks up the incoming NameID (or a mapped attribute) against the Blackboard Username or Batch UID field you configure on the provider record. Most institutions still provision the underlying accounts through SIS Integration (Snapshot/Batch) rather than relying on SAML to create them; some newer Blackboard Learn SaaS releases support limited Just-in-Time (JIT) provisioning for SAML, but check your release notes and enable it explicitly if you want Blackboard to auto-create accounts on first login.
| Blackboard expects | MojoAuth saml_name | MojoAuth source | name_format |
|---|---|---|---|
| NameID (subject) | — | email or identifier (matches Blackboard's Username/Batch UID) | — |
User.Email | User.Email | email | basic |
User.FirstName | User.FirstName | firstName | basic |
User.LastName | User.LastName | lastName | basic |
Configure on the MojoAuth connection's Attribute mappings section:
- If Blackboard is set to match on Batch UID, map
source: identifier(oruserId, whichever your directory populates Blackboard's Batch UID with) to the NameID, and set NameID format tounspecifiedorpersistent. - If Blackboard is set to match on Username directly, map
source: identifierto the NameID the same way, using whatever value equals the Blackboard username. - If matching on email, map
source: emailto the NameID and set NameID format toemailAddress. - Add the
User.Email/User.FirstName/User.LastNamerows above only if your Blackboard release and provider configuration support updating profile fields from SAML attributes on login.
Blackboard's SIS Framework (Snapshot/Batch UID) is usually the source of truth for enrollments and role assignments. Treat MojoAuth's SAML assertion as authentication only unless you've explicitly enabled and tested JIT provisioning for your Blackboard release.
Step 5 — Test
- From the MojoAuth SAML connection page, click Test SSO to run an IdP-initiated login and confirm a valid signed assertion is accepted (Blackboard should redirect straight into a session).
- Trigger SP-initiated login from Blackboard: visit your institution's login page and, if more than one authentication provider is active, choose the new SAML provider from the provider chooser page (or browse directly to the provider's SSO entry point if your environment routes there automatically).
- Test with a non-admin account first, in a private/incognito browser window, while keeping your own admin session on the existing local provider.
- Only after a successful end-to-end login (and after confirming username/Batch UID matching resolves the correct Blackboard user) should you consider setting the SAML provider's Default flag to Yes.
Troubleshooting
Blackboard can't fetch/parse the IdP metadata
Blackboard couldn't reach or parse MojoAuth's metadata URL. Re-check
{BASE}/saml/{projectId}/sps/{spId}/metadata loads a valid XML document in a browser, or download the
XML and upload it directly instead of pointing Blackboard at the URL (useful if outbound access from your
Blackboard environment is restricted).
"No user found" / login succeeds at MojoAuth but Blackboard rejects the user
The NameID or mapped attribute MojoAuth sends doesn't match an existing Blackboard Username or
Batch UID. Confirm which field the Blackboard provider is configured to match against, confirm the
connection's NameID format agrees, and confirm the source mapped in Step 4 actually contains that exact
value for the test user (case-sensitive in most configurations).
Certificate / signature validation errors The X.509 certificate stored on the Blackboard provider record doesn't match MojoAuth's current signing certificate (certificates rotate periodically). Re-copy the PEM from Copy PEM on the MojoAuth connection page and update the Blackboard provider, or re-run the metadata import to refresh it automatically.
Locked out of Blackboard after enabling the new provider If the SAML provider is marked Default and misconfigured, admins can get routed into a broken SSO loop. Keep the built-in local/system provider Active, and never set a new provider to Default until you've verified it end-to-end with a non-admin test account — this is exactly why Step 5 tests before flipping that flag. If you're already locked out, use another admin session (or Anthology/ Blackboard support) to disable/deactivate the SAML provider from Security → Authentication.
ACS URL / alias mismatch ("Destination" or "Recipient" errors)
The ACS URL saved in MojoAuth doesn't exactly match the alias Blackboard generated for this specific
provider record (https://<blackboard-host>/auth-saml/saml/SSO/alias/_<id>_1). Each provider gets its
own unique alias — re-copy it from the saved Blackboard provider record (or its SP metadata) rather than
reusing an alias from a different provider or environment (test vs. production instances have different
aliases).
Entity ID / audience mismatch
The SP Entity ID saved in MojoAuth doesn't exactly match what Blackboard sends as the audience
(https://<blackboard-host>/auth-saml/saml/metadata/alias/_<id>_1). Copy it directly from Blackboard's
SP metadata rather than typing it by hand, and double-check for trailing slashes or http vs https.