Critical action required before June 30, 2021

Bryna Gleich
Bryna Gleich Blackbaud Employee
Tenth Anniversary Kudos 3 Name Dropper Participant
in Blackbaud K–12 Education Solutions™ General Discussions

To continue supporting schools who still have applications based on the "legacy" ON API, we must ensure that we provide the most secure environment for each school's data. A critical update is necessary to help ensure schools know who accesses their data via "legacy" ON API endpoints.

To keep your "legacy" ON API applications and integrations running, you must act before June 30, 2021.

To summarize briefly:

Users with the ON API Access Manager role should use this release's new task to view a list of users' accounts who are currently (or were previously) able use "legacy” ON API endpoints to access your data.

  1. Go to Core.

  2. Select Security.

  3. Select Authentication settings.

  4. Select ON API Access.

  5. Generate an authentication token for each user account on the list that should maintain access. The token includes both a Key and a Secret. Copy this information and provide it to the application or partner. For security purposes, this information will not be visible after you save and return to the list. Remember to copy it and save it to a secure location, or else you’ll need to regenerate tokens with new information.

  6. Contact each active developer and provide them with their Key and Secret for their authentication token.

  7. Update the user accounts’ roles to ensure they have the relevant security roles that grant them access to the necessary endpoints.

  8. Make the keys for user accounts Active to enable the user account to access your data with "legacy" ON API endpoints.

  9. Developers must update their application's configuration setup to use the authentication token (Key and Secret) before June 30, 2021. Until then, both the legacy and new token authentication methods will work.

    Developers can either:

    • update their POST method

    • or use the user interface (UI) of their application to update their app's setup.

    Enter the Key in place of the "legacy" username value and the Secret in place of the "legacy" password value.

As a best practice, we recommend using separate user accounts for website login access from the API integration. Consider enabling developers to login to the Blackbaud Education Management user interface with a different user account via Blackbaud ID.

Be aware that authentication tokens (Key and Secret) periodically expire and must be regenerated.


For details, review the the online help and the ON API site used by developers,

Reminder

We recommend all new development use SKY API for schools instead of ON API. The newer SKY API has parity with the "legacy” ON API. Both are REST APIs. We continue to support the "legacy” ON API, however it is no longer being expanded. For comparison of the APIs, see API & SDK.
Tagged:

Comments

  • Julie Horvath
    Julie Horvath
    Tenth Anniversary Kudos 2 Name Dropper Participant
    Hello Bryna,

    For schools using the SchoolDude integration, I assume BBK12 will take care of that since you handle the integration. I just want to verify.

    Thanks,

    Julie
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Thanks for asking!


    SchoolDude is not affected by this change. You don't need to do anything to keep SchoolDude running.
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant

    You are affected by this change if:

    • Your school had someone develop your own applications or integrations using ON API.

    • User accounts appear in a new list at Core, Security, Authentication settings, ON API Access. You must have the ON API Access Manager role to view this task.

    • Your school uses an application by one these partners:

    • BoardingWare

    • BrightArrow

    • CampBrain

    • CrisisGo

    • Connect Raiser’s Edge (RE)

    • EdTech

    • Finalsite

    • Industry Weapon

    • Magnus

    • PickATime

    • Ravenna

    • REACH

    • rSchoolToday

    • Ruvna

    • SchoolAdmin

    • SchoolDoc

    • SchoolPass

    • Studyo / Intuitic

    • TextBookHub

    • Vidigami

  • Bryan Lorenzo
    Bryan Lorenzo Blackbaud Employee
    Tenth Anniversary Kudos 5 Name Dropper Participant
    Hi Bryna Gleich‍ -


    Who do we provide this information to for Connect RE?
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Bryan Lorenzo:

    Who do we provide this information to for Connect RE?
    https://webfiles.blackbaud.com/files/support/helpfiles/education/k12/full-help/content/bb-connect-re-setup.html

    I think it's the screen shown in step 6 here.


    In Edit Setup (settings: gear icon) for the plugin, the integration manager or Connect RE manager gives the plugin info about where the data is and then determines how the plugin should handle the data for parents and grandparents.


    The original steps didn't mention username and password, but it's at the top of the same screen. I'm updating the online help to call this out now.


    Replace the values for username and password with the values for key and secret.
  • Yifeng Jin
    Yifeng Jin
    Fourth Anniversary Facilitator 1
    Hi Bryna,


    Does this change affect sandbox? If so, how to get the Key and Secrect?
  • Boyd Reilly
    Boyd Reilly
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Bryna:


    I have DyKnow listed as one of On API Access vendors. Are they affected by htis change?


    Thanks.


    Boyd
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Yifeng Jin:

    Does this change affect sandbox? If so, how to get the Key and Secret?

    Yes. Sandboxes are affected. The steps are basically the same as for non-sandboxes. The only difference is to make sure you're in the sandbox instead of the live environment.

    1. Log into the sandbox environment as a user who has the ON API Access Manager role (or impersonate someone with that role).
    2. Go to Core, Security, Authentication settings, ON API Access.
    3. Generate tokens for sandbox user accounts and make sure they're Active.
    4. Developers with user accounts to the sandbox should then use the authentication token values Key and Secret in place of their "legacy" Username and Password values.
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Boyd Reilly:

    I have DyKnow listed as one of On API Access vendors. Are they affected by this change?
    Good question.

    For this situation, contact the vendor (DyKnow). They should know exactly how their integration is built to connect and thus whether it's affected. If they have direct access via the SDK, they're probably affected.

    If they aren't sure, contact Blackbaud Customer Support as the next step.
  • Yigeng Jin
    Yigeng Jin
    Seventh Anniversary Participant Facilitator 1
    Looks like we do not have a user with ON API Access Manager role for our sandbox(https://30450.myschooldemo.com/), so I used the API user to login, and there is no 'ON API Access' under Authentication settings, please see the attached screenshot.


    And I tried to find a user with ON API Access Manager role, but could not find.
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Yifeng Jin:

    Looks like we do not have a user with ON API Access Manager role for our sandbox.

    And I tried to find a user with ON API Access Manager role, but could not find.

    A user with the Platform Manager role can grant the ON API Access Manager role to whoever needs the role.

    For example:

    • A Platform Manager can give you the ON API Access Manager role, if they want you to manage the tokens for all ON API users.
    • If you're a Platform Manager, you can give yourself the ON API Access Manager role.

    The process for granting the ON API Access Manager role is the same as the process for granting any other roles.

    1. The Platform Manager should log into the sandbox.
    2. Use the People Finder to open the user's Core profile.
    3. Go to the Access tab.
    4. Select to edit the user's Role Membership.
    5. Enable the ON API Access Manager Role for the user.

    The user with the ON API Access Manager role can then login and set up authentication tokens (Key and Secret) for the sandbox users. The new task/page ON API Access only appears for people with the ON API Access Manager role when they go to Authentication Settings. Users without the role can't see the task/page called ON API Access.

  • Alex Roberts
    Alex Roberts
    Ninth Anniversary Facilitator 1 Loyalty Badge
    Hi,

    If I don't have anyone in the on api access manager role, are we ok? Even if we use magnus?


    For example we have a custom app where the end user's username and password are submitted to blackbaud's https api page to authenticate. It's been a while so not sure what api this is. That's unaffected? I think it's the SDK's web service api.


    Best Regards,

    Alex
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Thanks for the question Alex!
    Alex Roberts:

    If I don't have anyone in the on api access manager role, are we ok? Even if we use magnus?
    A Platform Manager will need to grant the ON API Access Manager role to a user or to themselves. Then that ON API Access Manager can complete the required steps for this change.


    For example:
    • A Platform Manager can give you the ON API Access Manager role, if they want you to manage the tokens for all ON API users.
    • If you're a Platform Manager, you can give yourself the ON API Access Manager role.
    The process for granting the ON API Access Manager role is the same as the process for granting any other roles.
    1. The Platform Manager should log into Blackbaud Education Management.
    2. Use the People Finder to open the user's Core profile.
    3. Go to the Access tab.
    4. Select to edit the user's Role Membership.
    5. Enable the ON API Access Manager Role for the user.
    The user with the ON API Access Manager role can then
    1. Login to Blackbaud Education Management.
    2. In Core, go to Authentication Settings.
    3. The new task/page called ON API Access will appear. Go there.
    4. Set up authentication tokens (Key and Secret).
    Alex Roberts:

    For example we have a custom app where the end user's username and password are submitted to blackbaud's https api page to authenticate. It's been a while so not sure what api this is. That's unaffected? I think it's the SDK's web service api.
    That custom app will be probably affected by this change. Before June 30, the app must be updated to use tokens -- Keys and Secrets -- instead of legacy usernames and passwords.


    The API most associated with the SDK is ON API, which is the API affected by this change.


    The API that is not affected by this change is known as SKY API, and is recommended for all new development. As a long term plan, you may want to convert custom apps to SKY API instead of ON API, however there is no deadline to do so at this time. The SKY API documentation includes a migration reference for schools who are ready to switch APIs.
  • Alex Roberts
    Alex Roberts
    Ninth Anniversary Facilitator 1 Loyalty Badge
    Hi,

    Thanks, re the sdk, we're using https://schoolname.myschoolapp.com/app/sso/custom (obviously our school name) along with an encryption key, via post. How can we confirm this is affected or unaffected. It's a lot of work to update and redeploy 2 apps just for probably.


    Also, my understanding is there is no post option with sky, AND that sky requires blackbaud id's, which we don't use for parents. Has this changed, and if so where can we find the migration information to update our post connection for authenticating our apps? These are ios and android apps, so the existing tutorials of using a web browser aren't really applicable.


    Best Regards,

    Alex
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Alex Roberts:

    Re the sdk, we're using https://schoolname.myschoolapp.com/app/sso/custom (obviously our school name) along with an encryption key, via post. How can we confirm this is affected or unaffected. It's a lot of work to update and redeploy 2 apps just for probably.
    Full details about the ON API are at https://docs.blackbaud.com/on-api-docs/

    Developer instructions for post authentication for the new tokens is described at https://docs.blackbaud.com/on-api-docs/docs/basics#authentication


    The best way to know if the app is affected is to follow the steps in the online help. Have you granted a user the ON API Access Manager role and has that person looked at the ON API Access task in Core? If not, start there. https://webfiles.blackbaud.com/files/support/helpfiles/education/k12/full-help/content/bb-core-on-api.html

    If the manager sees accounts listed in the task, then they need to update the accounts and the corresponding apps to use tokens instead. Instructions for post authentication for the new tokens is included in this online help too.
    Alex Roberts:

    These are ios and android apps, so the existing tutorials of using a web browser aren't really applicable.
    The steps should be the same for web browsers and iOS and Android Apps. For example, if the apps include a user interface for username and password, you can use the UI to update the authentication, instead of changing the code directly. The plugin for Connect Raiser's Edge (screenshot included earlier in this community discussion) is an example of using the UI instead of making a code change.
    Alex Roberts:

    Also, my understanding is there is no post option with sky, AND that sky requires blackbaud id's, which we don't use for parents. Has this changed, and if so where can we find the migration information to update our post connection for authenticating our apps?
    You don't have to migrate to SKY API at this time. However, if you want to check it out, full details are at https://developer.blackbaud.com/skyapi/apis/school

    The site includes the migration reference, endpoints, and more. For SKY API, the admin user must authenticate with Blackbaud ID. Parents, who are not admin users, are not required to use Blackbaud ID.
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Alex Roberts:

    Even if we use magnus?
    Contact information for Magnus is included at https://kb.blackbaud.com/knowledgebase/Article/195400

    Magnus is ready to receive the new tokens that your ON API Access manager generates.

    Email Magnus directly at clientservices@magnushealthportal.com

  • Alex Roberts
    Alex Roberts
    Ninth Anniversary Facilitator 1 Loyalty Badge
    Hi,

    Thanks! I've checked that area and only see Magnus and Titan, so we've gotten in touch with them.


    Re SSO via post, is there anyone I can check in with just to confirm there are no changes that would affect it? No accounts or details are listed in the on api access manager re sso.


    Also, who can I get in touch with re using sky for sso via post? I've checked the tutorials and there's no details for it, just details that walk through doing it via a browser which doesn't really work for an ios app. Thanks.


    Best Regards,

    Alex
  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant
    Alex Roberts:

    Hi,

    Thanks! I've checked that area and only see Magnus and Titan, so we've gotten in touch with them.


    Re SSO via post, is there anyone I can check in with just to confirm there are no changes that would affect it? No accounts or details are listed in the on api access manager re sso.


    Also, who can I get in touch with re using sky for sso via post? I've checked the tutorials and there's no details for it, just details that walk through doing it via a browser which doesn't really work for an ios app. Thanks.


    Best Regards,

    Alex

    I don't think the SSO process for ON API has changed.
    https://docs.blackbaud.com/on-api-docs/tutorials/jwt-sso


    For SKY API, the SSO process is https://developer.blackbaud.com/skyapi/apis/school/sso-tutorial


    My understanding is that it's the basically the same for browsers as for ios. However, I've asked a developer to double check.

  • Alex Roberts
    Alex Roberts
    Ninth Anniversary Facilitator 1 Loyalty Badge

    Hi Bryna,

    I never heard back about the sso. Today it's not functioning. Who can I check in with about this?

    Best Regards,

    Alex

  • Bryna Gleich
    Bryna Gleich Blackbaud Employee
    Tenth Anniversary Kudos 3 Name Dropper Participant

    Alex Roberts:

    Hi Bryna,

    I never heard back about the sso. Today it's not functioning. Who can I check in with about this?

    Best Regards,

    Alex

    Last I heard the SSO is the same for Browsers as for Apps. I'd recommend starting a customer support case if it's not working right now.

Categories