Claimed Email Domains

To use single sign-on (SSO) to redirect your users to sign in to Blackbaud solutions through the organization's identity provider (IdP), you must identify the email domains that your organization uses, such as @yourdomain.org or @yourdomain.edu. After you turn on SSO, users who try to sign in to Blackbaud ID with email addresses on those claimed domain are redirected to your IdP's login, where they use their organizational credentials. When you turn on SSO, users retain their existing permissions.

When you claim a domain, it takes up to two days for Blackbaud to verify ownership. To enable verification, update your domain name system (DNS) with the domain's text (TXT) record.

  1. In Security, select Authentication.

  2. Under Single sign-on, select Manage SSO settings.

  3. If you haven't started setting up SSO, select your connection method. For details, see Single Sign-on Setup.

  4. On the Single sign-on page under Claim your email domains or Claimed email domains, select Claim domains or Edit claimed domains.

  5. For each of your organization's email domains:

    1. Select Claim another domain.

    2. Enter the domain.

    3. Select Start domain verification.

  6. To enable verification of each domain:

    1. Copy the domain's TXT record value.

    2. On your DNS provider's website, add the domain to your configuration.

      Tip: You must enter the 41-digit value to your DNS provider's website as a TXT record. If you add any other information to the string, verification of the domain will fail.

      To verify you update the correct DNS, visit ICANN WHOIS, enter the email domain, and confirm its service provider in the Name server field.

      • For Type, choose TXT.

      • For Host, enter the root domain or subdomain.

        Tip: Your DNS provider may support '@' as a shortcut to the root domain. Otherwise, enter the root domain, such as your.org or your.edu.

      • For Value, Answer, or Definition, paste the domain's TXT record value.

      • For Time-to-live (TTL), enter 3600 s or 1 hour.

    3. Return to the Claim email domains screen and select Verify this domain.

      It takes up to two days to verify your domain. You'll receive an email when verification completes. After a domain is verified, you can remove its TXT record from your DNS.

  7. Select Close.

For a list of Blackbaud IDs included in a claimed email domain:

  1. In Security, select Authentication.

  2. Under Single sign-on, select Manage SSO settings.

  3. On the Single sign-on page under Claim your email domains or Claimed email domains, select View Blackbaud IDs.

    The list includes all Blackbaud ID email addresses on the claimed domain that signed in during the past two years, and the screen displays up to 1,000 of them. The list may include users who left your organization or are no longer valid. To copy all the email addresses in the list, select Copy all to clipboard.

  4. After you view or copy the list as necessary, select Close.

If your organization no longer uses a domain, you can remove it from your SSO configuration. After you delete a claimed domain, any users still on that domain will sign in through Blackbaud's secure authentication service instead of your IdP. They receive email to reset their passwords to ensure they meet Blackbaud's authentication requirements.

  1. In Security, select Authentication.

  2. Under Single sign-on, select Manage SSO settings.

  3. On the Single sign-on page under Claim your email domains or Claimed email domains, select Claim domains.

  4. For the domain to remove, select Delete.

  5. Select Close.