Set up single sign-on (SSO) using Google Workspace

Your organization can use Google Workspace and its APIs to securely connect its users to technology. To set up an SSO connection that lets users sign in to Blackbaud solutions through Google, an organization admin (or another user with the necessary admin rights) must create a Google web application in your Google API Console and configure the following settings on the Authentication settings page in Security:

  • Your organization's primary Google domain or domain alias. (To view your domains in the Google API Console, select Credentials, Domain verification.)

  • The client ID and client secret generated when you create your application.

To prevent inadvertent lockouts, make sure to:

  • Complete the setup during a maintenance window for your organization's network.

  • Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.

Blackbaud doesn't support IdP-initiated connections. If you need to enable users to connect to Blackbaud solutions through an app in your IdP's portal, then after you turn on SSO, you must configure that app to use the redirect URL for your live connection.

Configure SSO

To set up your SSO connection using Google Workspace, follow the steps in the following sections:

  1. In Security, select Authentication.

  2. Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.

  3. On the Single sign-on page, select Google Workspace.

  4. Under Claim your email domains, select Claim domains or Edit claimed domains and identify the email domains that your organization uses. This allows you to recognize and redirect users to your IdP when they sign in through your claimed email domains.

  1. Under Configure your connection, select Get started or Edit connection.

  2. On the Configure Google Workspace connection screen, enter your organization's primary Google domain to use with SSO for your Blackbaud IDs in the Google Workspace primary domain field.

  3. In a different browser tab, sign in to your Google API Console as the admin for your Google Workspace connection to create a web application project or select an existing one on the domain.

    • For a new project, select Create project, enter a name, browse to a folder location, and select Create.

    • For an existing project, select Select project, search for it, and select Open.

  4. To set up your consent screen, select Configure consent screen:

    1. Select whether to register internal or external users, and then select Create. In most cases, you want to select Internal.

    2. Configure the OAuth consent screen.

      1. Under App information, enter an app name to display when users sign in to Blackbaud solutions through Google and a support email.

      2. Under App domain, enter "blackbaud.com" as the authorized domain. You can copy and paste this value from the Configure Google Workspace connection screen.

      3. Select Save and continue.

    3. Under Scopes, select Save and continue without specifying scopes.

    4. Under Test users, select Save and continue.

    5. Under Summary, review your selections and select Back to dashboard.

  5. Select Credentials under APIs & Services, and then select Create credentials, OAuth client ID.

  6. Create your application and its OAuth client ID.

    1. For the application type, select "Web application."

    2. Enter a unique name to identify the application.

    3. Under Authorized Javascript origins, enter "https://id.blackbaud.com" as Blackbaud's origin URI. You can copy and paste this value from the Configure Google Workspace connection screen.

    4. Under Authorized redirect URIs, enter "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp" as Blackbaud's callback URL. You can copy and paste this value from the Configure Google Workspace connection screen.

    5. Select Create.

    6. Under OAuth client created, copy the client ID and client secret for your project, and select OK.

  7. Back on the Configure Google Workspace connection screen, enter the client ID and client secret for your project in the Client ID and Client secret fields.

    If you didn't copy the project's client ID and secret, go back to the Google API Console, select Credentials, and select the project under OAuth 2.0 client IDs.

  8. Return to your Google API Console to enable the Admin SDK API service.

    1. From your project, select Library.

    2. Search for and select Admin SDK API.

    3. Select Enable.

  9. Back on the Configure Google Workspace connection screen, select the checkbox that acknowledges the need to wait before testing your SSO connection.

    • If you are setting up SSO for the first time, select I acknowledge these settings require 24 hours to take effect. A notification will let you know when your SSO connection is ready to test.

    • If you are editing an existing SSO connection, select I acknowledge these changes can take up to 30 minutes to take effect. We recommend waiting 30 minutes before you test the connection.

  10. Select Save.

When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.

To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Then copy the URL under Blackbaud ID redirect and test your connection in a private or incognito browser window.

Note: If a consent screen appears in test mode, that means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read-access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.

When you turn off test mode, an Erase all single sign-on settings option appears under Configure your connection page so that you can clear your configuration settings and start over. For example, you can select the option if you decide to use a different connection method or if you need to troubleshoot an issue and start over. The option is no longer available when you turn on SSO, but you can turn off SSO to make it available again.

To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your Google Workspace SSO screen, select Connect with Google Workspace.

After you turn on SSO, users are redirected to your IdP when they sign in to their Blackbaud IDs with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:

  • Automatically redirect them to your organization's login for future sign-ins.

    After users sign in through your organization's login, they are redirected to their Blackbaud profiles unless you edit the redirect URL to specify a Blackbaud solution.

    Tip: Don't forget that if your users use an app in your IdP's portal to connect to Blackbaud solutions, you must configure that app to use the redirect URL for your live connection.

  • Use your IdP for password updates, lockouts, and other authentication management.

Note: After you enable SSO, resend any pending invitations.