Best Practices to Change Email Addresses or Domains

For OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) 2.0 single sign-on (SSO) connections where user IDs include email addresses, you must schedule changes to the email addresses during a maintenance window. This isn't necessary for Microsoft Entra ID or Google Workspace connections because those connection methods don't use email addresses as unique IDs, so changes to email addresses are automatically updated for Blackbaud.

If you change email addresses for OIDC or SAML connections outside of a maintenance window, you create new Blackbaud IDs that don't have access to Blackbaud solutions or user history. Changes to email addresses are necessary when organizations change domains, such as changing from "josmith@blackbaud.com" to "josmith@bb.com," or change formats, such as changing from "josmith@domain.com" to "john.smith@domain.com." Individual users can also make changes such as updating email addresses to reflect name changes. To avoid creating new Blackbaud IDs and losing user access to Blackbaud solutions, only change email addresses during a maintenance window.

  1. Identify all users who need to maintain their account history.

  2. Designate a time period for users to modify email addresses.

  3. Communicate the scheduled maintenance window of downtime for SSO logins.

  4. When the maintenance window starts, turn off the SSO connection with Blackbaud.

    Note: Users can't access Blackbaud solutions through SSO while the connection is turned off.

  5. Instruct users to reset their passwords, sign in to their user profiles, and select Edit email address to change their email addresses.

  6. If your organization is changing domains, claim the new domain. For instructions, see Claimed Email Domains.

  7. Turn the Blackbaud SSO connection back on.

Note: When users manually change email addresses, they need access to both the old and new email addresses. They need access to the old email address to reset the password, and then they need access to the new email address to verify and confirm it with Blackbaud because their account reflects the new email address before the SSO connection is turned back on.