Best Practices for Changing Email Addresses

Organisations change their users' email addresses for a variety of reasons, including new domains and updated email formats. For example, a new domain can change an email address from "josmith@old-domain.com" to "josmith@new-domain.com," while a new format can change it from "josmith@domain.com" to "john.smith@domain.com."

After organisations enable single sign-on (SSO), they must follow best practices for changing email addresses to ensure that they don't accidentally create duplicate Blackbaud IDs or new Blackbaud IDs that don't have user history and can't access Blackbaud solutions.

Update Email Addresses When User IDs Include Email Addresses

If user IDs include email addresses, update email addresses for your organisation's users during a maintenance window. This is only possible for OIDC and SAML connections.

  1. Identify the users who need to maintain their account histories.

  2. Designate the maintenance window when your users need to update their email addresses.

  3. Communicate to users when the maintenance window occurs and explain that they need to follow prompts to reset their passwords and then go to their profiles to change their email addresses.

    Note: Users need access to both their old and new email addresses. They use the old email address to reset the password, and then they need to confirm the new email address with Blackbaud because their account will reflect the new email address before the SSO connection is turned back on.

  4. When the maintenance window starts, turn off the SSO connection with Blackbaud. If users try to sign in to Blackbaud solutions while the SSO connection is off, they are prompted to set up credentials for Blackbaud's authentication service because they can't sign in through SSO until you turn it back on.

  5. For domain changes, claim the new domain.

  6. Turn your Blackbaud SSO connection back on.

Update Email Addresses When Domains Change

If your organisation is changing domains, claim the new domain before making changes in your IdP. After you claim the domain, update the email addresses in your IdP. The next time users log in, the new email addresses will populate. This applies to all SSO connections.

Update Email Addresses for All Other Changes

If your organisation doesn't use email addresses as unique IDs, you can just update the email addresses in your IdP for changes that don't include new domains, such as changing email formats from "josmith@domain.com" to "john.smith@domain.com." The next time users log in, the new email addresses will populate.

This applies to Entra ID and Google Workspace connections, and it also applies to OIDC and SAML connections that don't use email addresses as unique IDs. For OIDC or SAML connections where user IDs include email addresses, schedule email address changes during maintenance windows.
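
The three cases above can be checked against a planned rename list before anything is changed in the IdP. The following is an added example, not Blackbaud tooling: it sorts each planned change into the procedure this page describes and lists the domains that need to be claimed. The CSV column names, the connection labels and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed rename list. The column names and the "connection" labels are
# assumptions for this example, not a Blackbaud or IdP export format.
SAMPLE = """connection,user_id,old_email,new_email
saml,josmith@old-domain.com,josmith@old-domain.com,josmith@new-domain.com
saml,emp-1042,apatel@domain.com,anita.patel@domain.com
entra,a1b2,rlee@old-domain.com,rlee@new-domain.com
google,g-77,mkhan@domain.com,maria.khan@domain.com
oidc,tchen@domain.com,tchen@domain.com,tina.chen@domain.com
"""

def domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[1].lower()

def plan(csv_text):
    """Sort each planned change into the procedure the page describes."""
    result = {"claim_domains": set(), "maintenance_window": [], "idp_update": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        old, new = row["old_email"].strip().lower(), row["new_email"].strip().lower()
        if old == new:
            continue  # nothing changes for this user
        # Domain change: the new domain has to be claimed.
        if domain(old) != domain(new):
            result["claim_domains"].add(domain(new))
        # OIDC/SAML user ID that includes the email address: the change
        # belongs in a maintenance window with the SSO connection off.
        id_has_email = old in row["user_id"].strip().lower()
        if row["connection"].strip().lower() in ("oidc", "saml") and id_has_email:
            result["maintenance_window"].append(old)
        else:
            result["idp_update"].append(old)
    return result

if __name__ == "__main__":
    for step, items in plan(SAMPLE).items():
        print(step, sorted(items))
```

Users listed under maintenance_window are the ones who need access to both their old and new mailboxes during the window.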