Set Up Single Sign-on (SSO) Using OpenID Connect (OIDC)
OIDC is an authentication protocol that enables third-party applications to verify end users. You can use OIDC to set up an SSO connection that lets users sign in to your Blackbaud solutions through an identity provider (IdP). An organisation admin or a user with admin rights must claim your organisation's email domains, configure the OIDC connection, test the connection, and then turn on SSO.
To prevent inadvertent lockouts, make sure to:
Complete the setup during a maintenance window for your organisation's network.
Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.
Blackbaud doesn't support IdP-initiated connections. If you need to enable users to connect to Blackbaud solutions through an app in your IdP's portal, then after you turn on SSO, you must configure that app to use the redirect URL for your live connection.
Configure SSO
To set up your SSO connection using OIDC, use the instructions in the following sections:
Note: We also have setup instructions for some of the most common IdPs used with OIDC, including Active Directory Federation Services, Entra ID, and Okta.
1. Claim email domains
In Security, select Authentication.
Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.
On the Single sign-on page, select OIDC.
Under Claim your email domains, select Claim domains or Edit claimed domains and claim the email domains that your organisation uses. This allows you to recognise and redirect users to your IdP when they sign in through those domains.
Note: You receive a confirmation email after we verify your domains. This process usually takes minutes, but in rare cases, it can take up to two days. After your domains are verified, continue to the next section to configure your connection.
2. Configure OIDC connection
Under Configure your connection on the Authentication settings page, select Get started or Edit connection.
On the Configure OIDC connection screen, select Copy beside the Redirect URI field to copy the redirect URI (https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp).
In a different browser tab, go to your IdP portal to register a new application or select an existing one on your OIDC domain. If your application requires a redirect URL, use the URI you just copied.
Warning: For an existing application, don't overwrite existing redirect URLs. If you remove the redirect URLs when you add the provided redirect URI, it can disrupt your existing SSO connection.
Return to Blackbaud's Configure OIDC connection screen, and in the fields under Enter your connection details, configure the details for your OIDC connection.
In the Connection name field, enter a name to identify your organisation's OIDC connection.
In the Metadata URL field, enter the URL for the OIDC metadata document that contains information that is required during sign-in, such as the URLs to use and the location of the service's public signing keys. The metadata document is always located at an endpoint that ends in ".well-known/openid-configuration."
In the Response type field, select a response type. This determines the type of information that is sent back in the initial call to the authorization endpoint of your IdP.
To pass a token directly, select "ID Token." The ID token handles the generation of the client secret for SSO.
To pass a code that can then be exchanged for a token, select "Code." This does not handle the client secret generation, so you'll need to provide the client secret during configuration and then remember to update it before it expires.
In the Client ID field, enter the client ID for your OIDC project.
If you set the response type to "Code," enter the client secret for your OIDC project in the Client secret field.
If your metadata URL starts with "https://login.microsoftonline.com/" and you set the response type to "Code," enter the expiration date of your client secret in the Expiration date field.
In the fields under Confirm how your IdP identifies the following, specify where you store the data that your IdP uses to identify your organisation's users. Enter field names or unique identifiers.
Warning: You can only pass mapping fields if they are included under "claims_supported" in the OIDC metadata document that you provided in the Metadata URL field. That document, which ends in ".well-known/openid-configuration," contains information that is required during sign-in, such as the fields where you store data that identifies your users.
In the NameID field, specify where you store the unique IDs that your IdP uses to identify your users. The field for this data varies depending on your IdP, but the values are typically not email addresses or employee IDs. Instead, the values should be unique IDs that your IdP creates to distinguish users across all accounts.
We recommend against using email addresses to identify users. If you identify users by email address and need to change a user's email address, then you must re-invite the user at the new email address, which means you lose all history associated with the original one.
In the Email address field, specify where you store user email addresses.
For successful connections, email addresses must be unique.
In the First name field, specify where you store first names.
In the Last name field, specify where you store last names.
Select the checkbox that acknowledges the need to wait before testing your SSO connection.
If you are setting up SSO for the first time, select I acknowledge these settings require 24 hours to take effect. A notification will let you know when your SSO connection is ready to test.
If you are editing an existing SSO connection, select I acknowledge these changes can take up to 30 minutes to take effect. We recommend waiting 30 minutes before you test the connection.
Select Save.
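As an added pre-flight check that is not part of Blackbaud's setup page or product: the discovery document behind the Metadata URL advertises which response types and claims the IdP supports, so the values entered in this section can be validated against it before saving. The function below takes a discovery document (the sample is constructed, not from any real IdP), the four mapping fields from the Confirm how your IdP identifies section, and the chosen response type, and reports anything that would not line up.

```python
import json

# Constructed sample discovery document (not a real IdP's). A live one is served
# at the Metadata URL, which always ends in ".well-known/openid-configuration".
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/oauth2/authorize",
    "token_endpoint": "https://idp.example.org/oauth2/token",
    "jwks_uri": "https://idp.example.org/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "claims_supported": ["sub", "email", "given_name", "family_name", "iss", "aud"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "jwks_uri",
                 "response_types_supported", "claims_supported")


def check_oidc_metadata(document: str, mapping: dict, response_type: str) -> list:
    """Return a list of problems; an empty list means the configuration is
    consistent with what the IdP advertises. `mapping` maps the Blackbaud field
    names (NameID, Email address, First name, Last name) to the claim names entered."""
    problems = []
    try:
        meta = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    for key in REQUIRED_KEYS:
        if key not in meta:
            problems.append(f"metadata is missing '{key}'")
    if problems:
        return problems
    # Endpoints that hand out tokens or signing keys must be reachable over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = meta.get(key, "")
        if url and not url.startswith("https://"):
            problems.append(f"'{key}' is not HTTPS: {url}")
    # The response type selected (ID Token or Code) must be one the IdP offers.
    if response_type not in meta["response_types_supported"]:
        problems.append(f"response type '{response_type}' is not in response_types_supported")
    # Every mapping field must appear under claims_supported, as the warning above states.
    supported = set(meta["claims_supported"])
    for field, claim in mapping.items():
        if claim not in supported:
            problems.append(f"{field} claim '{claim}' is not in claims_supported")
    # The setup text recommends against identifying users by email address.
    if "NameID" in mapping and mapping["NameID"] == mapping.get("Email address"):
        problems.append("NameID uses the email claim; prefer a stable unique ID")
    return problems
```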
3. Test connection
When you save your configuration settings, test mode is turned on automatically. Before you can enable your SSO connection, at least one user must successfully sign in using test mode.
To verify that your organisation can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Then copy the URL under Blackbaud ID redirect and test your connection in a private or incognito browser window.
Note: A consent screen in test mode means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application, and not for new permissions or access. It seeks read-access to the information that you configured during your SSO setup. To proceed, follow the instructions on your IdP's consent screen.
After you turn off test mode, you can select Erase all single sign-on settings under Configure your connection to clear your configuration settings and start over. For example, you can select this option to change your connection method. The option is not available after you turn on SSO, but you can turn off SSO to restore it.
4. Turn on SSO
To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your OIDC SSO screen, select Connect with OIDC.
Users are then redirected to your IdP when they sign in with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:
Automatically redirect them to your organisation's login for future sign-ins. From there, they are redirected to their Blackbaud profiles unless you edit the redirect URL to specify a Blackbaud solution.
Tip: Don't forget that if your users use an app in your IdP's portal to connect to Blackbaud solutions, you must configure that app to use the redirect URL for your live connection.
Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
Tip: For a visual reference of the OIDC setup that uses Okta as the IdP, see OIDC setup.