Deprecated - SAML 2.0 Setup for Google Workspace
Warning: The options to set up single sign-on (SSO) have changed. Organizations that use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31. This archived guidance for the now-obsolete configuration process will remain available to manage existing connections until the Oct. 31 deadline and will then be removed. For updated guidance to create or migrate SSO connections, see Updated - Single Sign-on Setup.
To enable users to sign in to their Blackbaud IDs with their managed Google account credentials, set up a custom Security Assertion Markup Language (SAML) 2.0 app in your Google Workspace admin console, and configure its connection on the Authentication settings page in Security.
Warning: To prevent an inadvertent lockout, ensure you have a Blackbaud ID outside of your claimed domains with access to the Authentication settings page.
Tip: If users sign in with multiple Google accounts or share browsers, rather than a SAML connection, we recommend you set up a custom web app in your Google API Console for single sign-on (SSO) through Google Workspace. For more information, see Deprecated - Google Workspace Setup.
-
In Security, select Authentication and then select Manage SSO settings.
-
Under Single sign-on, select SAML 2.0 .
-
Under Configure your connection, select Get started or Edit connection.
-
Enter the organization name to display when users sign in.
-
In a separate browser tab, sign in your Google Workspace admin console with an administrator account.
-
Select Apps, Web and mobile apps.
-
Select Add app, Add custom SAML app.
-
Under App details, enter a name and description to identify your app.
-
To upload an image, select Choose file and browse to a PNG or GIF to use as the app's icon.
Warning: To ensure a consistent connection, upload the logo now. If you add or change the logo after you set up the connection, Google Workspace requires you to recreate the app.
-
Select Continue.
-
Under Option 2, select the button in the Certificate field to download a certificate (CER) file.
-
-
Return to the Authentication settings page in Security:
-
In the SAML sign-in URL field, enter the SSO URL from your Google IdP information.
-
To set up a bookmark app that lets users sign in to their Blackbaud solutions directly from Google Workspace, enter the URL for your Blackbaud solution in the IdP initiated SSO URL field. The URL must use a Blackbaud ID-supported domain, such as blackbaud.com. For more information, see Redirect Settings.
-
Under Signing certificate, select Choose file, and browse to and select the certificate (CER) file you downloaded from your Google IdP information.
-
Enter the attributes Google will use to permanently identify user details:
-
In the NameID and Email address fields, enter emailAddress.
-
In the First name field, enter given_name.
-
In the Last name field, enter sur_name.
Note: You'll create these attributes when you configure your Google IdP.
-
-
Select Save.
-
-
On the Authentication settings page:
-
Under Configure your identity provider (IdP), select View instructions.
-
Copy the Assertion Consumer Service (ACS) URL.
-
-
In your Google Workspace admin console, go to Service provider details and paste the ACS URL in the ACS URL field.
-
Return to the Authentication settings page and copy the entity ID.
-
Back in your Google Workspace admin console:
-
Under Service provider details, paste the entity ID in the Entity ID field.
-
Under Name ID, accept the defaults. For the name ID format, you want "UNSPECIFIED," and for the NameID. you want "Basic information > Primary email."
-
Select Continue.
-
Select Finish because no attribute mapping is required.
-
On your newly created dashboard, under User access, select ON for everyone.
-
-
Return to the Authentication settings page and select Save.
To properly recognize and redirect users to Google Workspace when they sign in, identify which email domains your organization uses. For more information, see Claimed Email Domains.
After you set up your SAML 2.0 connection and claim your email domains, test the connection to verify your organization can now use Google Workspace to sign in to Blackbaud solutions. For more information, see Test Mode.
After you set up your connection, you can turn on SSO. When you turn on SSO, anyone who signs in to their Blackbaud ID with one of your claimed domains is redirected to your organization's Google login. After they authenticate with their managed Google account credentials, their Blackbaud ID:
-
Automatically redirects to your organization's Google login for future sign-ins
Tip: By default, users redirect to their Blackbaud ID profile when they sign in through your Google login. To instead open a different Blackbaud solution, edit the redirect. For more information, see Redirect Settings.
-
Uses your Google Workspace admin console for password updates, lockouts, and similar authentication management
To complete the connection to Google, select Learn about connecting SSO and Connect with SAML.
Note: After you enable SSO, resend any pending invitations sent before the connection to Google.
Warning: After you set up your connection, if you change a user's email address, you'll need to re-invite them to their Blackbaud solutions at the new email address.
Tip: To clear your setup and start over, select Erase all single sign-on settings. For more information, see Deprecated - Single Sign-on Setup.