Google Workspace Setup
Note: This help topic describes new single sign-on (SSO) setup options for Google Workspace. To enhance security and stability, Blackbaud has switched to a new SSO authentication service. Organizations that already use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31.
Your organization can use Google Workspace and its APIs to securely connect its users to technology. To set up an SSO connection that lets users sign in to Blackbaud solutions through Google, an organization admin (or another user with the necessary admin rights) must create a Google web application in your Google API Console and configure the following settings on the Authentication settings page in Security:
- Your organization's primary Google domain or domain alias. (To view your domains in the Google API Console, select Credentials, Domain verification.)
- The client ID and client secret generated when you create your application.
To prevent inadvertent lockouts, make sure to:
- Complete the setup during a maintenance window for your organization's network.
- Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.
Tip: If you are migrating an existing Google Workspace SSO connection, we already pulled over any domains you previously claimed from your existing connection along with most of the configuration details for your application. To complete the process, you just need to add a couple new authorized paths to your Google Workspace SSO application and then test the SSO connection to verify that your organization can use your identity provider (IdP) to sign in to Blackbaud solutions.
- In Security, select Authentication.
- Under New single sign-on (SSO) on the New single sign-on tab of the Authentication settings page, select Manage SSO settings.
- On the Single sign-on page, select Google Workspace.
- Under Configure your connection, select Get started or Edit connection to copy Blackbaud's origin URI and callback URL.
- In a different browser tab, sign in to your Google API Console as the admin for your Google Workspace connection to select the web application project for your existing connection.
- Edit your application's OAuth client ID. You can copy and paste values from the Configure Google Workspace connection screen.
- Under Authorized JavaScript origins, add "https://id.blackbaud.com" as Blackbaud's origin URI. Don't overwrite the existing values.
- Under Authorized redirect URIs, add "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp" as Blackbaud's callback URL. Don't overwrite the existing values.
- Save the changes.
- When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.
To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Copy the URL under Blackbaud ID redirect and then test your connection in a private or incognito browser. For more information, see Test Mode.
Note: If a consent screen appears in test mode, then that means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read-access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.
To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your Google Workspace SSO screen, select Connect with Google Workspace.
After you turn on SSO, users are redirected to your IdP when they sign in to their Blackbaud IDs with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:
- Automatically redirect them to your organization's login for future sign-ins.
  After users sign in through your organization's login, they are redirected to their Blackbaud ID profiles unless you edit the redirect to specify a Blackbaud solution. For more information, see Redirect Settings.
- Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
For detailed guidance on the steps that are necessary when setting up an SSO connection that doesn't inherit previously claimed domains or configuration settings, see the following instructions.
When migrating an existing SSO connection, you don't need to claim your email domains because the new connection inherits the existing settings.
- In Security, select Authentication.
- Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.
  If you are migrating an existing SSO connection, this option appears on the New single sign-on tab. Before you migrate, you can manage your existing connection on the Active single sign-on tab. After you migrate, the tabs no longer appear and you can no longer manage the old connection.
- On the Single sign-on page, select Google Workspace.
- Under Claim your email domains, select Claim domains or Edit claimed domains to specify the email domains that your organization uses. This allows you to recognize and redirect members to your IdP when they sign in. For instructions, see Claimed Email Domains.
When migrating an existing SSO connection, you don't need to configure your primary domain because the new connection inherits the existing settings.
- Under Configure your connection, select Get started or Edit connection.
- On the Configure Google Workspace connection screen, enter your organization's primary Google domain to use with SSO for your Blackbaud IDs in the Google Workspace primary domain field.
- In a different browser tab, sign in to your Google API Console as the admin for your Google Workspace connection to create a web application project or select an existing one on the domain.
  - For a new project, select Create project, enter a name, browse to a folder location, and select Create.
  - For an existing project, select Select project, search for it, and select Open.
- To set up your consent screen, select Configure consent screen:
  - Select whether to register internal or external users, and then select Create. In most cases, you want to select Internal.
  - Configure the OAuth consent screen.
    - Under App information, enter an app name to display when users sign in to Blackbaud solutions through Google and a support email.
    - Under App domain, enter "blackbaud.com" as the authorized domain. You can copy and paste this value from the Configure Google Workspace connection screen.
    - Select Save and continue.
  - Under Scopes, select Save and continue without specifying scopes.
  - Under Test users, select Save and continue.
  - Under Summary, review your selections and select Back to dashboard.
- Select Credentials under APIs & Services, and then select Create credentials, OAuth client ID.
- Create your application and its OAuth client ID.
  - For the application type, select "Web application."
  - Enter a unique name to identify the application.
  - Under Authorized JavaScript origins, enter "https://id.blackbaud.com" as Blackbaud's origin URI. You can copy and paste this value from the Configure Google Workspace connection screen.
  - Under Authorized redirect URIs, enter "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp" as Blackbaud's callback URL. You can copy and paste this value from the Configure Google Workspace connection screen.
  - Select Create.
  - Under OAuth client created, copy the client ID and client secret for your project, and select OK.
- Back on the Configure Google Workspace connection screen, enter the client ID and client secret for your project in the Client ID and Client secret fields.
  If you didn't copy the project's client ID and secret, go back to the Google API Console, select Credentials, and select the project under OAuth 2.0 client IDs.
- Return to your Google API Console to enable the Admin SDK API service.
  - From your project, select Library.
  - Search for and select Admin SDK API.
  - Select Enable.
- Back on the Configure Google Workspace connection screen, select I acknowledge these changes can take up to 30 minutes to take effect. We recommend waiting 30 minutes before you test your SSO connection.
- Select Save.
When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.
To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Copy the URL under Blackbaud ID redirect and then test your connection in a private or incognito browser. For more information, see Test Mode.
Note: If a consent screen appears in test mode, then that means your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read-access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.
To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your Google Workspace SSO screen, select Connect with Google Workspace.
After you turn on SSO, users are redirected to your IdP when they sign in to their Blackbaud IDs with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:
- Automatically redirect them to your organization's login for future sign-ins.
  After users sign in through your organization's login, they are redirected to their Blackbaud ID profiles unless you edit the redirect to specify a Blackbaud solution. For more information, see Redirect Settings.
- Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
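The following Python check is an added example, not part of Blackbaud's documentation. It audits the OAuth client JSON downloaded from the Google API Console against the origin URI and callback URL given in both procedures above and, for a migration, confirms that no existing value was overwritten. The `{"web": {...}}` export layout, the function names, and the sample exports are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Origin URI and callback URL exactly as quoted on this page.
REQUIRED = {
    "javascript_origins": "https://id.blackbaud.com",
    "redirect_uris": "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp",
}

def _web(export_text):
    """Parse a client export; assumed layout is {"web": {"redirect_uris": [...], ...}}."""
    web = json.loads(export_text).get("web")
    if not isinstance(web, dict):
        raise ValueError('no "web" section: not a Web application client')
    return web

def audit_client(export_text, previous_text=None):
    """Return a list of findings; an empty list means the client matches the page."""
    web, findings = _web(export_text), []
    for key, required in REQUIRED.items():
        entries = web.get(key, [])
        if required in entries:
            continue
        # Same host but not an exact match: trailing slash, http scheme, wrong path.
        host = urlsplit(required).hostname
        near = [e for e in entries if (urlsplit(e).hostname or "").lower() == host]
        hint = f" (near miss: {near[0]})" if near else ""
        findings.append(f"{key}: missing {required}{hint}")
    if previous_text is not None:  # migration: existing values must survive
        old = _web(previous_text)
        for key in REQUIRED:
            for lost in sorted(set(old.get(key, [])) - set(web.get(key, []))):
                findings.append(f"{key}: existing value removed: {lost}")
    return findings

# Constructed sample exports (hypothetical organization, not real credentials).
BEFORE = json.dumps({"web": {
    "client_id": "EXAMPLE.apps.googleusercontent.com",
    "javascript_origins": ["https://sso.example.org"],
    "redirect_uris": ["https://sso.example.org/callback"]}})
AFTER_BAD = json.dumps({"web": {
    "client_id": "EXAMPLE.apps.googleusercontent.com",
    "javascript_origins": ["https://sso.example.org", "https://id.blackbaud.com"],
    "redirect_uris": ["https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp/"]}})

if __name__ == "__main__":
    for finding in audit_client(AFTER_BAD, BEFORE):
        print(finding)
```

Run it against the export taken before and after editing the client; the constructed `AFTER_BAD` sample reports both a callback URL with a stray trailing slash and an existing redirect URI that was overwritten.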
After you save your SSO configuration settings and turn off test mode, an Erase all single sign-on settings option appears after the SSO configuration steps. This option allows you to clear your configuration settings and start over. For example, you can select Erase all single sign-on settings if you need to select a different connection method or start over after you troubleshoot an issue. The option is only available after you save your configuration settings in step 2 and turn off test mode in step 3. When you turn on SSO, the option is no longer available, but you can turn off SSO to make it available again. For more information, see Single Sign-on Setup.