Deprecated - ADFS Setup

Warning: The options to set up single sign-on (SSO) have changed. Organizations that use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31. This archived guidance for the now-obsolete configuration process will remain available to manage existing connections until the Oct. 31 deadline and will then be removed. For updated guidance to create or migrate SSO connections, see Updated - Single Sign-on Setup.

Microsoft Active Directory Federation Services (ADFS) can be installed on Windows server operating systems to enable single sign-on access to an organization's applications. On the Authentication settings page in Security, you can configure the connection so everyone at your organization can sign in to Blackbaud solutions through your ADFS identity provider (IdP).

To prevent inadvertent lockouts:

  • Complete configuration during a maintenance window for your organization's network.

  • Ensure that you have a Blackbaud ID outside of your claimed domains with access to the Authentication settings page.

  1. In Security, select Authentication, and then select Manage SSO settings.

  2. Under Single sign-on, select ADFS.

  3. Under Configure your connection, select Get started or Edit connection details.

  4. In the Organization name field, enter your organization's name. Do not use spaces. This field only accepts alphanumeric characters and hyphens.

  5. Provide your organization's connection details to redirect users when they sign in using email addresses on your domain.

    • We recommend that you enter the web address to your organization's log-in in the ADFS URL field. This option uses the ADFS URL to pull your ADFS certificate so that metadata automatically updates when you update your ADFS certificate.

    • You can select Choose file to upload your ADFS metadata, but keep in mind that this option means you must update your ADFS metadata manually whenever your ADFS certificate expires. For more information, see Deprecated - ADFS Metadata.

  6. Select Save.

To configure your IdP, select Continue or View instructions under Configure your identity provider (IdP), and run these commands as an administrator in the ADFS Powershell Snapin to connect to Blackbaud's secure authentication service:

  • (new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex

  • AddRelyingParty "urn:auth0:blackbaudinc" "https://blackbaudinc.auth0.com/login/callback"

Tip: To quickly and accurately enter a command, select its copy button on the Configure ADFS IdP screen, and paste it into your ADFS Powershell Snapin.

When you run these commands, you create:

  • The relying party on ADFS

  • Rules to output the most common attributes, such as email address or name

After you run these commands, select Save.

Tip: If you prefer, you can manually set up the connection in the ADFS Management Console, such as to alleviate any security concerns. For more information, see Deprecated - ADFS Manual Configuration.

To properly recognize and redirect members to your IdP when they sign in, identify which email domains your organization uses. For more information, see Claimed Email Domains.

After you set up your ADFS connection and claim your email domains, test the connection to verify your organization can now use its IdP to sign in to Blackbaud solutions. For more information, see Test Mode.

After you set up your connection, you can turn on SSO through ADFS. When you turn on SSO, anyone who signs in to their Blackbaud ID with one of your claimed domains is redirected to your IdP. After they authenticate through your IdP, their Blackbaud ID:

  • Automatically redirects to your organization's login for future sign-ins

    Tip: By default, members redirect to their Blackbaud ID profile when they sign in through your organization's login. To instead open a different Blackbaud solution, edit the redirect. For more information, see Redirect Settings.

  • Uses your IdP for password updates, lockouts, and similar authentication management

To complete the connection to your IdP, select Learn about connecting SSO and Connect with ADFS.

Note: After you enable SSO, resend any pending invitations sent before the connection to ADFS.

To clear your setup and start over, select Erase all single sign-on settings. For more information, see Deprecated - Single Sign-on Setup.

If you have issues with your ADFS application, see SSO Connection Troubleshooting.