Deprecated - SAML 2.0 Setup

Warning: The options to set up single sign-on (SSO) have changed. Organizations that use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31. This archived guidance for the now-obsolete configuration process will remain available to manage existing connections until the Oct. 31 deadline and will then be removed. For updated guidance to create or migrate SSO connections, see Updated - Single Sign-on Setup.

Security Assertion Markup Language (SAML) 2.0 is a standard protocol to exchange authentication data between security domains. To enable your organization's Blackbaud IDs to sign in to Blackbaud solutions through a SAML 2.0 identity provider (IdP), such as Google Workspace, OneLogin, Shibboleth or Central Authentication Service (CAS), create a SAML 2.0 connection and configure its settings on the Authentication settings page in Security:

  • Your organization's display name for when users sign in

  • The web address for your SAML 2.0 connection's login

  • The certificate for your SAML 2.0 connection

  • The field names or unique identifiers that your IdP uses to identify users

For details about how to set up a connection for Google Workspace, JumpCloud, or OneLogin, see Deprecated - SAML 2.0 Setup for Google Workspace, Deprecated - SAML 2.0 Setup for JumpCloud, or Deprecated - SAML 2.0 Setup for OneLogin.

To prevent inadvertent lockouts:

  • Complete configuration during a maintenance window for your organization's network.

  • Ensure that you have a Blackbaud ID outside of your claimed domains with access to the Authentication settings page.

  1. In Security, select Authentication, and then select Manage SSO settings under Single sign-on.

  2. Under Single sign-on, select Use SAML 2.0.

  3. Under Configure your connection, select Get started or Edit connection details.

  4. In the Organization name field, enter the organization name to display when users sign in.

  5. In the SAML sign-in URL field, enter the web address for your organization's login. Users are redirected here when they try to sign in with an email address that includes your domain.

  6. To set up a bookmark app for users to sign in to a Blackbaud solution directly from your IdP, enter the solution URL in the IdP-initiated SSO URL field.

    Your IdP-initiated SSO URL must use a Blackbaud ID-supported domain, such as blackbaud.com. For more information, see Redirect Settings.

  7. Under Signing certificate, select Choose file and then browse to and select the privacy-enhanced electronic mail (PEM) or certificate (CER) file for your SAML connection.

  8. Enter the field names or unique identifiers (UIDs) — as attribute names, not friendly names — that your IdP uses to permanently identify:

    • Name IDs, used to identify users when they sign in

      Warning: If you use email addresses to identify users and then change a user's email address, you need to re-invite them to their Blackbaud solutions at the new email address.

    • Email addresses

      Note: For successful connections, email addresses must be unique.

    • First names

    • Last names

  9. Select Save.

To configure your IdP, upload or manually enter the metadata that is required to connect to Blackbaud's secure authentication service. Under Single sign-on, select Continue under Configure your IdP, and provide the metadata.

Tip: Your metadata file is not available until you configure your SAML 2.0 connection in the previous step. The metadata is hosted through a direct link.

  • If your IdP supports metadata upload, select Blackbaud SAML metadata file and upload the downloaded file to your IdP.

  • If your IdP requires manual configuration, set the Assertion Consumer Service URL or Application Callback URL to https://blackbaudinc.auth0.com/login/callback and configure additional settings as requested.

    • Set Audience or Entity to your organization's uniform resource name (URN), as provided.

    • Set Request bindings to HTTP-Redirect for Authentication Requests.

    • Set Response bindings to HTTP-Post for Authentication Assertions.

After you configure your IdP with the metadata, select Save.

To properly recognize and redirect users to your IdP when they sign in, identify your organization's email domains. For more information, see Claimed Email Domains.

After you set up your SAML 2.0 connection and claim your email domains, test the connection to verify your organization can now use its IdP to sign in to Blackbaud solutions. For more information, see Test Mode.

After you set up your connection, you can turn on SSO through SAML 2.0. When you turn on SSO, anyone who signs in to their Blackbaud ID with one of your claimed domains is redirected to your IdP. After they authenticate through your IdP, their Blackbaud ID:

  • Automatically redirects to your organization's login for future sign-ins

    Tip: By default, users redirect to their Blackbaud ID profile when they sign in through your organization's login. To instead open a different Blackbaud solution, edit the redirect. For more information, see Redirect Settings.

  • Uses your IdP for password updates, lockouts, and similar authentication management

To complete the connection to your IdP, select Learn about connecting SSO and Connect with SAML.

Note: After you enable SSO, resend any pending invitations sent before the connection to your IdP.

To clear your setup and start over, select Erase all single sign-on settings. For more information, see Deprecated - Single Sign-on Setup.

If you have issues with your SAML 2.0 connection, see SSO Connection Troubleshooting.