What is SSO?

SSO - or single sign-on - is a method of allowing users to sign into different applications or websites using one set of credentials. With Brightspace SSO, users can sign into an external app using their Brightspace username and password. The app can then create an account for the user if this is their first time signing in or match the user with an existing account.

Brightspace supports two different SSO methods that apps can use to sign Brightspace users into their platform: SSO through the Brightspace API (OAuth 2.0) and SSO through LTI® launch.


Why Would Your Application Implement Brightspace SSO?

Many schools that use Brightspace are interested in vendors that offer content that can integrate with the school's LMS. Third-party content that supports integrated functions, like SSO, can make life easier for teachers, students, and administrators. In fact, LMS integration is commonly requested in RFPs that are sent out to edtech vendors.

By implementing Brightspace SSO, you allow admins at the schools you work with to manage accounts and passwords through Brightspace rather than your platform. This means you don't have to build or manage a database containing sensitive passwords. Since tech admins are responsible for managing Brightspace passwords, you won't receive as many support tickets from teachers and students who are having trouble figuring out how to sign in.

By building SSO solutions into your platform, you'll also be able to build deeper integrations like syncing courses and sending grades to the Brightspace gradebook. In fact, once a user is signed in with Brightspace you can build upon almost any functionality that their account has access to.


What to Know When Getting Started With Implementing Brightspace SSO

D2L (the company behind Brightspace) requires edtech developers who are interested in implementing SSO (or developing any integration with Brightspace) to register for a Brightspace developer account. Once your account is registered, you can use the Manage Extensibility tool to register your app (which is required to create any Brightspace application) and to retrieve OAuth 2.0 credentials (which are required to implement SSO). Developers can use SDK packages that are provided by D2L to create development environments for testing.


Brightspace SSO Through API Integration

The first way that Brightspace facilitates SSO integration is through the Brightspace API. The Brightspace REST-like API implements OAuth 2.0 to authenticate users. With this style of integration, users can start on your website or mobile app and click a "Sign In With Brightspace" button. Brightspace will then prompt the user for their username and password (if they are not already logged into Brightspace). Your app itself never sees the password the user entered.

After the user has signed into Brightspace, they are redirected back to your website with a code that corresponds to their account. After exchanging this code, your website or app can ask Brightspace for more details about the user, such as their personal information, their course enrollments, or their homework assignments.

Note that Brightspace requires users to log into the Brightspace environment specific to their school. Your "Sign In with Brightspace" button must direct the user to sign in at their school's custom Brightspace domain.
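The redirect and return steps described above, as an added Python sketch (not Edlink's or D2L's code): the school's host comes from an allowlist of registered schools, and a single-use `state` value ties the returned code to the browser session that started the sign-in. The hosts, `AUTH_PATH`, client ID, redirect URI and function names are all hypothetical placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data: hosts are hypothetical, the path is a placeholder.
REGISTERED_SCHOOLS = {
    "springfield": "springfield.brightspace.example",
    "shelbyville": "lms.shelbyville.example",
}
AUTH_PATH = "/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/sso/brightspace/callback"
STATE_TTL = 600  # seconds a sign-in attempt stays valid
_pending = {}  # state -> (session id, school key, expiry); stand-in for a session store


def begin_sign_in(session_id, school_key, now=None):
    """Build the URL behind the "Sign In With Brightspace" button."""
    host = REGISTERED_SCHOOLS.get(school_key)
    if host is None:
        # Never build the redirect from a host supplied in the request.
        raise ValueError("unknown school")
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    _pending[state] = (session_id, school_key, now + STATE_TTL)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"https://{host}{AUTH_PATH}?{query}"


def handle_callback(session_id, callback_url, now=None):
    """Check the redirect back from Brightspace; return (school key, code)."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    entry = _pending.pop(state, None)  # single use: a replayed state is rejected
    if entry is None:
        raise PermissionError("unknown or replayed state")
    owner, school_key, expiry = entry
    if not hmac.compare_digest(owner.encode(), session_id.encode()):
        raise PermissionError("state belongs to another session")
    now = time.time() if now is None else now
    if now > expiry:
        raise PermissionError("state expired")
    if not code:
        raise ValueError("callback carries no code")
    # Exchange the code only at the token endpoint of this school.
    return school_key, code
```

The returned school key tells the caller which school's environment to use for the code exchange and for later API calls.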

Doing an SSO integration through the Brightspace API is also the first step to developing deeper integrations. Once a user is authenticated by Brightspace, an app then has the ability to perform functions in Brightspace on behalf of a user, like gathering a list of their courses or sending grades back to their gradebook in the LMS.

It's important to keep in mind that there are several versions of the Brightspace API. Some of these versions overlap and some are only supported in certain versions of Brightspace. This can create issues if you are working with multiple clients who are all running different versions of Brightspace, as you have to make sure that your API calls are valid for each instance.


Brightspace SSO Through LTI

Brightspace supports LTI 1.1, LTI 1.3, and the LTI Advantage services. LTI apps are designed to be accessed within a course in the LMS. LTI apps must be configured by a teacher or administrator so that students in the course can access the app. Students and teachers can then launch into the application by selecting the tool from their course in Canvas. The process of launching the tool will let the app verify the user's identity and grant the user access.

Note that the sign in is always initiated from the LMS (i.e. students won't visit your website or mobile app to access the resource). After the LTI launch, the developer receives a set of URLs that can be used to perform a limited set of functions, like grade syncing.


What are the challenges of SSO in Brightspace?

There are some issues that app developers commonly encounter when trying to integrate an SSO solution into their platform.

For example, many apps try to identify users who sign in through Brightspace by their email address. Doing this can lead to unforeseen problems and leave users vulnerable.

We also see many developers try to assign a universal role to students, teachers, and administrators in their app based on their role in the LMS. Many LMSs, including Brightspace, allow users to have multiple roles depending on the context.
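One way to avoid both pitfalls, as an added Python sketch (not Edlink's or D2L's code): accounts are matched on the pair of school host and LMS user identifier instead of email, and roles are stored per course instead of once per user. It assumes the user details returned after sign-in include a stable per-school user identifier and per-course enrollments; all field names, hosts and role names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    email: str  # contact attribute only, never used to look an account up
    roles: dict = field(default_factory=dict)  # course id -> role in that course


class AccountStore:
    def __init__(self):
        self._by_identity = {}  # (school host, LMS user id) -> Account
        self._next_id = 1

    def sign_in(self, school_host, lms_user_id, email, enrollments):
        """Create or match the account for a user who just signed in."""
        key = (school_host.lower(), str(lms_user_id))
        account = self._by_identity.get(key)
        if account is None:
            account = Account(self._next_id, email)
            self._next_id += 1
            self._by_identity[key] = account
        account.email = email  # an address change does not create a new account
        account.roles = dict(enrollments)  # refreshed at every sign-in
        return account

    @staticmethod
    def can_grade(account, course_id):
        """Authorize per course, not from one app-wide role."""
        return account.roles.get(course_id) == "teacher"


def demo():
    store = AccountStore()
    # Constructed sample sign-ins: hosts, ids and role names are hypothetical.
    ta = store.sign_in("springfield.brightspace.example", 4101, "sam@mail.example",
                       {"BIO-101": "teacher", "EDU-600": "student"})
    other = store.sign_in("lms.shelbyville.example", 77, "sam@mail.example",
                          {"BIO-101": "teacher"})
    again = store.sign_in("springfield.brightspace.example", 4101, "sam@new.example",
                          {"BIO-101": "teacher", "EDU-600": "student"})
    return {
        "same_email_other_school_is_separate": ta.account_id != other.account_id,
        "email_change_keeps_account": ta.account_id == again.account_id,
        "grades_bio": store.can_grade(again, "BIO-101"),
        "grades_edu": store.can_grade(again, "EDU-600"),
    }
```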

Furthermore, LTI integration can cause several headaches if you're not prepared. There are several versions of LTI and each LMS handles LTI integrations differently, even if they technically support the same version. Just because you already wrote an LTI app for another LMS, like Moodle, doesn't always mean the app is going to work the same way in Brightspace. You can also run into trouble if you are converting a mobile app into an LTI-accessible resource.

Note that large schools and universities may be running different versions of Brightspace on their own in-house servers. Others may use a cloud service, like Brightspace Cloud. An API or LTI app that works for one district's Brightspace environment might appear or work differently in another's.


As you can probably tell, implementing SSO is more challenging than it may sound at first. If you'd like someone else to handle these problems so you can better focus your efforts on your core product, you should check out Edlink.

We can integrate your apps with platforms like Canvas, Google Classroom, Schoology, Blackboard, Microsoft Teams, and more. Our integrations also support LMS functions like roster syncing, assignment creation, and grade passback. If you're interested in learning more, email us at accounts@ed.link or at our support page.

Learning Tools Interoperability® (LTI®) is a trademark of the IMS Global Learning Consortium, Inc. (www.imsglobal.org)