Skip to end of metadata
Go to start of metadata


The UMass Amherst Library currently provides access to digital media (film and television) to students enrolled in blended classroom courses hosted in SPARK. Access (authentication and authorization) to this copyrighted material is provided through the integration of the UMass Amherst SPARK environment and the UMass Amherst Library's Media Server and enforced through a cookie set at login into SPARK. UMass Amherst would like to extend this service managed through the Library's media server to include fully online (UMOL/CPE) faculty.


Currently SPARK is able to set a cookie (see below) at the domain level that can be read by the UMass Amherst Library's media server. In order to authenticate UMassOnline users as well as authorize them to see specific content (e.g. a film associated with their course) UMassOnline will need to assert to the Library media server a request is from a valid student in a course.

UMA CPE has requested this functionality be available for Spring 2011, however as we have not yet been able to define a solution, this request may not be fulfilled. UMOL is working with both Blackboard and the Blackboard user groups to see if other schools have any experience in this.


Aaron Addison
Unix Administrator, UMass Amherst Library
ph: (413) 577-2104

Bret Holloway
Manager, eLearning Programs
Division of Continuing & Professional Education, UMass Amherst
ph: (413) 545-5210

Timothy Lambert
Integration Support, UMassOnline
ph: (774) 455- 7605

Raveendra (Ravi) Mekala
Principle Software Administrator, University Information Technology Services
ph: (774) 455-7815

Brian DeKemper
Solutions Engineer, NAHE Sales
Blackboard Learn
ph: (317) 426-0235


At this point no solution has been defined to provide the secure integration required.

UPDATE: Please refer to  BBLEARN-1302 - Getting issue details... STATUS  for the most recent updates on this integration.

UPDATE: The Basic LTI configuration is complete and set in Production. Information on using this can be found here. UMass Amherst Library Media Server

Previous Activity

UMOL and the UMA Library have explored the following candidate solutions to date:

  1. Set a cookie with UMOL Vista users replicating the current functionality in the SPARK/UMA Library integration. This will not work as first-party cookies can only be set and read within the same domain.
  2. Embed links to the Library via a perl script (see below), that would allow access to the Library, but as this would need to be installed on each node to make the resources available despite where the user's session, anyone who had the URL, despite the campus they were coming from could access the media--the Library is not comfortable with a "private link" level of security.
  3. Pass a token:* UMass Amherst Library suggested passing something on the url like and offered a schematic\. The token would need to change daily. While the above MD5 module was supplied to UITS, it was unclear to UITS how the Amherst Vista cluster was implementing it or what action was needed to enable it and no further action was taken.
  4. Use the same process currently in use by OWL for authentication and authorization. This will not work as each OWL user is defined by a separate batch upload from UMOL to OWL.
  5. Install an identity management Blackboard Powerlink to try and connect UMOL and the UMA Library. As of last Friday (11/19), the Amherst Library indicated this would not work upon initial evaluation, but would review further to assess if any options are possible.
  6. Piggy backing on the the SSO/LDAP connection UMOL and UMA are working on. (moving to production SP11). If Bb Vista can authenticate against an external source, then perhaps the Media Server can too?
  7. BBased on the difficulty we have encountered with identifying a solution for this issue, Blackboard Professional Services has been engaged to assess development options and costs for the UMOL VIsta to Library connector.
    • Blackboard professional services was available to meet on Dec.21.
    • While a tentative time (2:00 pm, Dec. 21st, 2010) for a call to discuss the integration issues with Blackboard and Amherst was selected by Bb, UMOL, UMA CPE and UITS, the UMA Library did not confirm until after this meeting was canceled.
  8. Meet with Blackboard
    UMass Amherst Library, UMassOnline and UITS met with Blackboard Professional Services to discuss contracting for the development of the UMA Library/UMOL integration on Jan. 6, 2011. The meeting focused on introducing the integration issue(s) and project goals to Blackboard's Professional Services group and Brian DeKemper.
  9. Recommendation: Central Authentication Services (January 25, 2011)
    After initial review, Brian DeKemper of Blackboard Professional Services has suggested the best way to connect the larger UMOL Vista instance to the Amherst Library media server would be through Central Authentication Service (CAS)or other standard authentication solution.
    • According to Bb, Vista natively lacks some of the core API functionality that would allow the integration to be built out of the box.
    • Brian DeKemper would like to set up a quick call to discuss CAS and possibly take a look at other alternatives?
    • In parallel, Bb's consulting team is putting together a CAS proposal if that would be something that could be utilized in this case.
  10. Meeting with Blackboard: A conference call was scheduled on for Feb 1, 2011 at 11:30 with UMOL/UITS, the UMass Amherst Library and Brian DeKemper of Blackboard Professional Services to discuss CAS.
    • Due to the lack of experience with CAS within UMOL/UITS and the UMass Amherst Library, Bb determined that a meeting would not be beneficial and that they will work on finding another solution.
  11. Feb 1, 2011: Blackboard is seeking an alternative approach for authentication/authorization due to the lack of experience with CAS in UMOL/UITS and the UMass Amherst Library. While there may be a lack of experience with CAS, UMOL is willing to investigate the requirements and resources to implement this option as a solution, however before any promises can be made UMOL and UITS would need to better understand our role and responsibilities for implementation and ongoing maintenance.
  12. Feb. 4, 2011: UMOL reached out to the UMA Library to assess if the library would be able to use CAS. "I understand that the Library does not have any experience with CAS, neither does UMassOnline nor UITS, however I am thinking that this might be the project that gets us going, if that is what the ultimate recommendation is from Blackboard. CAS could provide UMassOnline with other opportunities for SSO, so it might be the time for us to invest. I can understand, however, that this may not be the case for the Library. Also I imagine that perhaps the Library and you may not actually have access to the campuses IdM (LDAP, AD, etc.) and have to work through OIT or another office, thus limiting your ability to commit."
    • The UMA Library responded that CAS would not be an option. "The Library currently has no experience with CAS. What we were hoping for was some token or proof of authentication. You are correct that we do not have access to campus authentication sources so we would be unable to verify any login credentials. It may be that if Blackboard is unable to suggest any options other than CAS, we may need to look at another approach and close this line of inquiry.
  13. Feb. 16, 2011: Kate Kreager of Blackboard followed up indicating, that the only option would be CAS. "The first option would be core code modifications, our consulting team refuses to sign off on this option understandably due to the risk involved. The second is CAS as SSO but we're aware that your team doesn't have much experience with CAS which also presents risk. So, at this stage, unless we pursue the CAS seems as though we can't find a way to help regrettably."
  14. Feb. 18, 2011: UMOL informed UMA CPE that "unfortunately the recommendation [nifti:from Blackboard] is the same, using Central Authentication Service (CAS) is the only option. UMOL also conveyed that Blackboard's conclusions make sense, "It's clearly not advisable to invest development efforts to core Vista, not only does that compromise the application, but as the system will soon be retired, we wouldn't realize much return on our investment." While UMOL could see a benefit as, "investing in CAS could provide greater return as it would be available for other services as well, as UMassOnline extends our service portfolio... this project would provide the motivation to move forward with an implementation." UMOL also informed UMA CPE that while UMOL may be willing to investigate CAS further other departments would be required to participate: The Library would need to re-write their authentication processes to use CAS and UMA OIT would need to actually deploy (and administer) CAS as they manage Identify Management at UMA. Finally a recommendation was made to UMA CPE to work within UMA, "The issues to CAS are internal to the Amherst campus and not UMassOnline or Blackboard. At this point, unless Amherst can implement CAS, there is no solution that would make the library's videos available to UMassOnline students."
    1. All stake holders have been informed that there is currently no defined solution, other than CAS and that such an implementation would require deployment efforts through UMA OIT. Once that was done UMA Library would need to rewrite their existing authentication mechanisms.
  15. March 11, 2011: Bret Holloway from UMass Amherst CPE has introduced the following:
    Do the typical links in UMassOnline courses already in high usage for eReserves or electronic journal articles provie a model for integration? Since this method already exists ( and already works for UMOL online instructors - is there any way to apply that approach to the Library's Media Server? Students would have to provide their NetIDs and passwords to authenticate and view content.
    1. Potential issues:
      • students could in theory pass out their credentials to view digitized content.
  16. March 11, 2011: UMass Amherst Library informed UMass Amherst CPE that the suggested solution of re-authenticating like already implemented in ereserves, will not resolve any of their issues. That approach would only verify (authenticate) that the user is a UMass student or faculty, but not that they are enrolled in the course and authorized to see the content.
  17. March 15, 2011: UMass Library continues to look into using local user cookies to verify enrollment in specific sections and has requested a DNS entry be associated with a UMass Amherst IP address so the entry can be utilized for authorization purposes.
    1. Awaiting additional information from UMass Amherst Library before opening ticket with UITS systems for DNS entry.

Current Activity

March 28, 2011: Heat ticket (ticket #22756) has been opened with UITS to have a cname record for pointing to (

  • Heat ticket was completed and closed. now resolves to Aaron has been updated.

May 29, 2013: Library streaming server is integrated with BbL using LTI standard.

One sheet instruction for participating faculty here. Adding streaming media reserve content to your online course1[18].pdf

Additional Resources

use Digest::MD5 qw(md5_hex);

@theJulianDate = ( 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 );

#****   Return 1 if we are after the leap day in a leap year.       *****

sub leapDay
   my($year,$month,$day) = @_;

   if (year % 4) {

if (!(year % 100)) {             # years that are multiples of 100
     # are not leap years
if (year % 400) {            # unless they are multiples of 400
   if (month < 2) {
   } elsif ((month == 2) && (day < 29)) {
   } else {

#****   Pass in the date, in seconds, of the day you want the       *****
#****   julian date for.  If your localtime() returns the year day  *****
#****   return that, otherwise figure out the julian date.          *****

sub julianDate
   my($dateInSeconds) = @_;
   my($sec, $min, $hour, $mday, $mon, $year, $wday, $yday);

   ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday) =
   if (defined($yday)) {
   } else {
return($theJulianDate[$mon] + $mday + &leapDay($year,$mon,$mday));



print md5_hex($token);


  1. During a 11-1-2-10 conference call the pearl script was discussed and decided that this is not a workable solution as this would need to go on all nodes in the Vista cluster and would not therefore restrict access to only UMAmherst Sections, but theoretically anyone enrolled in the 15 UMOL hosted campuses.

    A second option was discussed regarding potentially coding content pages with a link to media content using ajax to fetch a token from the Amherst media server. A suggested downside to this how Vista reworks coded urls for tracking purposes.

    With the understanding that Amherst is flexible and open to alternative solutions, it occurred to me that OWL evaluations already have a way of verifying a users identity against Vista. This will be investigated for possible re-purposing.

    I will also query Blackboard to see if they have any bright ideas, but my suspicion is they will tell us to write and code a Bb Vista Powerlink.

    Bret suggested that they want to have something in place for Spring 11.

    1. Additional thoughts...

      After some investigation into the OWL system and its authentication method, it is not going to be a viable solution here as we provide reports of users from Bb Vista to the OWL system so they know who exists in the system.

      Another potential solution to this would be to piggy back on the the SSO/LDAP connection UMOL and UMA are working on. (moving to production SP11) If Bb Vista can authenticate against an external source, then pehaps the Media Server can too?

      The other solution currently under investigation is the design, build and use of a Powerlink.

  2. This could be a potential solution to this.

    Under investigation.

  3. What about if we served up the content ourselves (securely)?

  4. It's almost summer and it's time for us to field angry requests about the library server still being unavailable to our user population.

    So it's been about a year and we're moving to Bb Learn. Are there any architectural changes that are to our advantage now?
    It seemed in training that the content server for Learn might possibly be Xythos. And Xythos manages permissions via a token
    as I understand... does that mean Learn can potentially set cookies or tokens? 

    My feelings wouldn't be hurt if the library explored authentication on their end. Like I mentioned with eReserves some time ago
    I see in the activity stream above. Would it be difficult to present a login page on the Library side that verifies a user is in a particular class?
    And that's not what the eReserve system is doing?

    1. If my understanding of the issue is correct, I do not think moving to a new platform offers any additional options. Remember the issue is that the security is managed through cookie set by Spark and authenticated against by the Library within the UMass Amherst domain ( and therefore not cannot be used outside the domain ( As I assume this authentication mechanism will still be in sue, Learn (or any other service outside the domain will not be able to use the cookie).

      Any other thoughts?