Applications (as IdP)
Integration Guides
Blackboard

Blackboard Learn SSO with MojoAuth

Connect Blackboard Learn (SaaS) to MojoAuth using SAML 2.0. MojoAuth acts as the Identity Provider (IdP); Blackboard Learn acts as the Service Provider (SP). Once configured, students, faculty, and staff can sign in through Blackboard's authentication provider chooser (SP-initiated) or launch straight from MojoAuth's hosted login page (IdP-initiated).

How it works

Prerequisites

  • A MojoAuth project (test or live) with admin access to Developers → Applications.
  • A Blackboard Learn SaaS environment with System Admin access to the Administrator Panel, and permission to manage Authentication Providers (typically requires an Anthology/Blackboard support case to enable a new authentication provider type on your environment if SAML isn't already available).
  • Existing Blackboard user records (created via SIS integration, Snapshot/Batch, or manually) whose Username or Batch UID you can reliably match to a MojoAuth user attribute — Blackboard's SAML provider authenticates existing accounts and does not fully replace your SIS provisioning process.
  • Decide the NameID/attribute you'll send from MojoAuth (email vs. a username/Batch UID value) before configuring either side, since both must agree.
⚠️

Changing authentication providers affects every user, including administrators. Keep your existing default/system (Learn local) provider active and do not mark the new SAML provider as Default until you've fully tested it with a non-admin account — see the lockout note in Troubleshooting.

Step 1 — Create the MojoAuth SAML connection

  1. In the MojoAuth dashboard, go to Developers → Applications → New Application → SAML 2.0 SSO.
  2. Enter a connection name (e.g. Blackboard Learn – Production) and click Create connection. This creates a draft connection and auto-issues a signing certificate.
  3. Leave this tab open — you'll come back to copy the IdP metadata URL and, later, paste Blackboard's SP Entity ID and ACS URL.

See SAML SSO Connections for the full concept walkthrough.

Step 2 — Configure Blackboard Learn

Open the Authentication Providers list

In the Administrator Panel, go to Security → Authentication (under the Security module). This lists every authentication provider configured on your environment (Blackboard local/system login, LDAP, CAS, SAML, etc.).

Create a new provider

Click Create Provider, then choose SAML from the provider type list (if SAML doesn't appear, open a support case with Anthology/Blackboard to enable it for your environment first). Give the provider a Name and Description, leave Active set to Yes, and leave Default set to No for now — you'll flip this only after testing.

Configure the SAML settings from MojoAuth's IdP metadata

On the provider's SAML Configuration section, either:

  • Upload/paste IdP metadata — the fastest path. Provide MojoAuth's IdP metadata URL:

    {BASE}/saml/{projectId}/sps/{spId}/metadata

    Blackboard fetches (or parses the pasted XML) and fills in the IdP Entity ID, SSO Service URL, and X.509 Certificate automatically.

  • Or configure manually, entering:

    Blackboard fieldValue
    IdP Entity ID / Issuer{BASE}/saml/{projectId}/sps/{spId}/metadata
    SSO Service URL (Login URL){BASE}/saml/{projectId}/sps/{spId}/sso
    Single Logout (SLO) Service URL{BASE}/saml/{projectId}/sps/{spId}/slo
    X.509 CertificatePaste the PEM from Copy PEM (or upload the downloaded .crt) on the MojoAuth connection page

Set the NameID mapping

In the NameID Format / NameID Policy field, choose the format that matches what you'll send from MojoAuth (emailAddress, persistent, or unspecified) and set the NameID / Subject attribute Blackboard should read the identifying value from. This choice drives the user mapping in Step 4, so pick it based on whether you'll match users by email or by Batch UID/username.

Save to generate Blackboard's SP details

Click Submit/Save. Blackboard generates a unique provider alias and exposes the SP metadata for this provider — either a View/Download SP Metadata link or explicit SP Entity ID and Assertion Consumer Service (ACS) URL fields on the saved provider record, typically in the form:

https://<blackboard-host>/auth-saml/saml/metadata/alias/_<id>_1   (SP Entity ID)
https://<blackboard-host>/auth-saml/saml/SSO/alias/_<id>_1        (ACS URL)

Copy both — you'll paste them into MojoAuth in Step 3.

Step 3 — Give Blackboard's SP details back to MojoAuth

Back on the MojoAuth SAML connection page:

  1. Use Import from metadata if you downloaded Blackboard's SP metadata XML in Step 2, or choose Manual configuration and enter:
    • SP Entity ID: https://<blackboard-host>/auth-saml/saml/metadata/alias/_<id>_1
    • ACS URL: https://<blackboard-host>/auth-saml/saml/SSO/alias/_<id>_1
  2. Set NameID format to match what you selected in Blackboard (Step 2) — emailAddress if matching on email, or unspecified/persistent if matching on username/Batch UID.
  3. Click Save.

Step 4 — User mapping and attributes

Blackboard's SAML provider authenticates against existing user records — it looks up the incoming NameID (or a mapped attribute) against the Blackboard Username or Batch UID field you configure on the provider record. Most institutions still provision the underlying accounts through SIS Integration (Snapshot/Batch) rather than relying on SAML to create them; some newer Blackboard Learn SaaS releases support limited Just-in-Time (JIT) provisioning for SAML, but check your release notes and enable it explicitly if you want Blackboard to auto-create accounts on first login.

Blackboard expectsMojoAuth saml_nameMojoAuth sourcename_format
NameID (subject)email or identifier (matches Blackboard's Username/Batch UID)
User.EmailUser.Emailemailbasic
User.FirstNameUser.FirstNamefirstNamebasic
User.LastNameUser.LastNamelastNamebasic

Configure on the MojoAuth connection's Attribute mappings section:

  • If Blackboard is set to match on Batch UID, map source: identifier (or userId, whichever your directory populates Blackboard's Batch UID with) to the NameID, and set NameID format to unspecified or persistent.
  • If Blackboard is set to match on Username directly, map source: identifier to the NameID the same way, using whatever value equals the Blackboard username.
  • If matching on email, map source: email to the NameID and set NameID format to emailAddress.
  • Add the User.Email / User.FirstName / User.LastName rows above only if your Blackboard release and provider configuration support updating profile fields from SAML attributes on login.

Blackboard's SIS Framework (Snapshot/Batch UID) is usually the source of truth for enrollments and role assignments. Treat MojoAuth's SAML assertion as authentication only unless you've explicitly enabled and tested JIT provisioning for your Blackboard release.

Step 5 — Test

  1. From the MojoAuth SAML connection page, click Test SSO to run an IdP-initiated login and confirm a valid signed assertion is accepted (Blackboard should redirect straight into a session).
  2. Trigger SP-initiated login from Blackboard: visit your institution's login page and, if more than one authentication provider is active, choose the new SAML provider from the provider chooser page (or browse directly to the provider's SSO entry point if your environment routes there automatically).
  3. Test with a non-admin account first, in a private/incognito browser window, while keeping your own admin session on the existing local provider.
  4. Only after a successful end-to-end login (and after confirming username/Batch UID matching resolves the correct Blackboard user) should you consider setting the SAML provider's Default flag to Yes.

Troubleshooting

Blackboard can't fetch/parse the IdP metadata Blackboard couldn't reach or parse MojoAuth's metadata URL. Re-check {BASE}/saml/{projectId}/sps/{spId}/metadata loads a valid XML document in a browser, or download the XML and upload it directly instead of pointing Blackboard at the URL (useful if outbound access from your Blackboard environment is restricted).

"No user found" / login succeeds at MojoAuth but Blackboard rejects the user The NameID or mapped attribute MojoAuth sends doesn't match an existing Blackboard Username or Batch UID. Confirm which field the Blackboard provider is configured to match against, confirm the connection's NameID format agrees, and confirm the source mapped in Step 4 actually contains that exact value for the test user (case-sensitive in most configurations).

Certificate / signature validation errors The X.509 certificate stored on the Blackboard provider record doesn't match MojoAuth's current signing certificate (certificates rotate periodically). Re-copy the PEM from Copy PEM on the MojoAuth connection page and update the Blackboard provider, or re-run the metadata import to refresh it automatically.

Locked out of Blackboard after enabling the new provider If the SAML provider is marked Default and misconfigured, admins can get routed into a broken SSO loop. Keep the built-in local/system provider Active, and never set a new provider to Default until you've verified it end-to-end with a non-admin test account — this is exactly why Step 5 tests before flipping that flag. If you're already locked out, use another admin session (or Anthology/ Blackboard support) to disable/deactivate the SAML provider from Security → Authentication.

ACS URL / alias mismatch ("Destination" or "Recipient" errors) The ACS URL saved in MojoAuth doesn't exactly match the alias Blackboard generated for this specific provider record (https://<blackboard-host>/auth-saml/saml/SSO/alias/_<id>_1). Each provider gets its own unique alias — re-copy it from the saved Blackboard provider record (or its SP metadata) rather than reusing an alias from a different provider or environment (test vs. production instances have different aliases).

Entity ID / audience mismatch The SP Entity ID saved in MojoAuth doesn't exactly match what Blackboard sends as the audience (https://<blackboard-host>/auth-saml/saml/metadata/alias/_<id>_1). Copy it directly from Blackboard's SP metadata rather than typing it by hand, and double-check for trailing slashes or http vs https.

Related docs