UPDATE: Status of LDAP integration and Google Apps SSO

Options
Janet Wittenberg
Janet Wittenberg
Ninth Anniversary Facilitator 2 Photogenic
in Blackbaud ID
As of August 31st, the Google Apps SSO integration settings (under Core > Settings > Integration Settings > Google Apps SSO) has been removed.

LDAP integration status:

LDAP integration shut down extended until Tuesday, October 1st. 


Schools with passwords in Active Directory that do not meet the password criteria of Education Management ((at least 8 characters with at least 1 number) will find that some of their users need to reset their password when the LDAP integration is disabled.   

When we remove the LDAP integration, all user passwords must meet the password criteria of Education Management (at least 8 characters with at least 1 number). If the passwords currently managed in Active Directory do not meet these requirements, your users will be required to reset their password on their next login.  Because passwords are securely encrypted, there is no technical way to identify which users this will affect.  

When the user attempts to login they will be prompted to change their password: 

12a62c0ff92b41ba5ae23cf68cbd0f57-huge-pa

After the integration is shut down, password changes made in either Education Management or Active Directory will not synch to the other system.  If users update their passwords before the integration is shut down, passwords will be synchronized and users will be able to login with these updated credentials once the integration is disabled.  

With this additional time to prepare, please compare your Active Directory password criteria with the Education Management criteria.  We recommend these options: 

  1. At a time managed by you before 10/1, change your Active Directory requirements to enforce passwords be at least 8 characters and at least 1 number.  Make sure users change their passwords to meet the new criteria while the synchronization is still occurring.   

  1. Alternatively, configure Blackbaud ID with SSO and select users to switch before 10/1. This allows the existing password to continue to be managed in Active Directory with your school’s criteria.  This option can be implemented for users of Education Management on a per user basis.  Get started here: https://community.blackbaud.com/forums/viewtopic/502/44627 


As of 10/1, LDAP integration will be shut down. No further extensions will be granted and Support is unable to reactivate LDAP for you. 

Because the LDAP integration cannot be re-enabled, we recommend you do not turn it off on your own.  Please notify Paul.Bielawski@blackbaud.com when your SSO users have been successfully migrated to Blackbaud ID or password criteria is enforced.  If we do not hear back from you, we will assume you are ready for the integration to be shut off on 10/1. 

Additional Information:

You are not required to replace the single-sign-ON capability until you are ready. 

The new approach for single sign on is described here, but is entirely optional.  If you want users to continue having a single password and single-sign on experience, we recommend you begin the process of implementing Blackbaud ID through SSO.

How do users who previously used Google Apps SSO reset their passwords? 

Users previously using Google Apps SSO will continue to reset their passwords through Education Management as they did before. The only change is that their new passwords will no longer synch to Google. 

How do users who previously signed in with LDAP reset their Education Management passwords going forward?

Users can request a password reset link using the Forgot Login link on your myschoolapp sign in page. If you’ve disabled that link and need to enable it or update the text, you can make the necessary changes in Core > Security > Authentication Settings > Authentication Rules.


You’ll also want to review your Sign In Help/Request Login Instructions text to remove any references to LDAP you may have added with custom text. You can see this in Core > Settings > Custom Labels & Text > Custom text/messages.

What if I try to access my Gmail and I get an error after it sends me to the myschoolapp login page?

A G Suite administrator at your school must remove the SSO setup to third party authentication in your G Suite Admin Console under Security.  Third party authentication to Blackbaud is no longer supported.

Why am I being redirected to Education Management when I try to reset my Gmail password?

A G Suite administrator needs to remove your myschoolapp URL from the Change password URL field in your G Suite Admin Console under Security > Set up single sign on.

Without Google Apps SSO, what happens to my omni nav link to Gmail?

The link will still be available in the omni nav for users in selected roles as it was previously configured.  However, this link will no longer provision the user account at Google on their first login, it just provides a convenient link to navigate into Google.

The new Core > Security > Authentication > Domain Settings task is where you should configure the Inbox URL and Inbox URL Label for any users who authenticate with Blackbaud ID SSO going forward.

Categories