Google Workspace Setup
Your organization can use Google Workspace and its APIs to securely connect its users to technology. To set up an SSO connection that lets users sign in to Blackbaud solutions through Google, an organization admin (or another user with the necessary admin rights) must create a Google web application in your Google API Console and configure the following settings on the Authentication settings page in Security:
- Your organization's primary Google domain or domain alias. (To view your domains in the Google API Console, select Credentials, Domain verification.)
- The client ID and client secret generated when you create your application.
To prevent inadvertent lockouts, make sure to:
- Complete the setup during a maintenance window for your organization's network.
- Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.
Blackbaud doesn't support IdP-initiated connections. If you need to enable users to connect to Blackbaud solutions through an app in your IdP's portal, then after you turn on SSO, you must configure that app to use the redirect URL for your live connection. For information about the redirect URL, see Redirect Settings.
- In Security, select Authentication.
- Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.
- On the Single sign-on page, select Google Workspace.
- Under Claim your email domains, select Claim domains or Edit claimed domains to specify the email domains that your organization uses. This allows you to recognize and redirect members to your IdP when they sign in. For instructions, see Claimed Email Domains.
- Under Configure your connection, select Get started or Edit connection.
- On the Configure Google Workspace connection screen, enter your organization's primary Google domain to use with SSO for your Blackbaud IDs in the Google Workspace primary domain field.
- In a different browser tab, sign in to your Google API Console as the admin for your Google Workspace connection to create a web application project or select an existing one on the domain.
  - For a new project, select Create project, enter a name, browse to a folder location, and select Create.
  - For an existing project, select Select project, search for it, and select Open.
- To set up your consent screen, select Configure consent screen:
  - Select whether to register internal or external users, and then select Create. In most cases, you want to select Internal.
  - Configure the OAuth consent screen.
    - Under App information, enter an app name to display when users sign in to Blackbaud solutions through Google and a support email.
    - Under App domain, enter "blackbaud.com" as the authorized domain. You can copy and paste this value from the Configure Google Workspace connection screen.
    - Select Save and continue.
  - Under Scopes, select Save and continue without specifying scopes.
  - Under Test users, select Save and continue.
  - Under Summary, review your selections and select Back to dashboard.
- Select Credentials under APIs & Services, and then select Create credentials, OAuth client ID.
- Create your application and its OAuth client ID.
  - For the application type, select "Web application."
  - Enter a unique name to identify the application.
  - Under Authorized JavaScript origins, enter "https://id.blackbaud.com" as Blackbaud's origin URI. You can copy and paste this value from the Configure Google Workspace connection screen.
  - Under Authorized redirect URIs, enter "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp" as Blackbaud's callback URL. You can copy and paste this value from the Configure Google Workspace connection screen.
  - Select Create.
  - Under OAuth client created, copy the client ID and client secret for your project, and select OK.
- Back on the Configure Google Workspace connection screen, enter the client ID and client secret for your project in the Client ID and Client secret fields.
  If you didn't copy the project's client ID and secret, go back to the Google API Console, select Credentials, and select the project under OAuth 2.0 client IDs.
- Return to your Google API Console to enable the Admin SDK API service.
  - From your project, select Library.
  - Search for and select Admin SDK API.
  - Select Enable.
- Back on the Configure Google Workspace connection screen, select I acknowledge these changes can take up to 30 minutes to take effect. We recommend waiting 30 minutes before you test your SSO connection.
- Select Save.
When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.
To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Copy the URL under Blackbaud ID redirect and then test your connection in a private or incognito browser. For more information, see Test Mode.
Note: If a consent screen appears in test mode, your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and does not request new permissions or access. It seeks read access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.
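The following is an added example, not part of Blackbaud's documentation: a Python check that compares an OAuth client JSON file downloaded from the Google API Console against the origin and redirect URI given in the steps above, and reports any extra or near-miss entries. It assumes the download format with a top-level "web" object containing `redirect_uris` and `javascript_origins`; the function names, sample documents, client ID and secret are constructed for illustration.

```python
import json

# Values from the setup steps on this page.
ORIGIN = "https://id.blackbaud.com"
REDIRECT = "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp"

def audit_oauth_client(raw):
    """Return a list of findings for a Google OAuth client JSON document."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("web"), dict):
        # Only a web application client is exported under the "web" key.
        return ['application type is not "Web application"']
    web, findings = doc["web"], []
    for field in ("client_id", "client_secret"):
        if not web.get(field):
            findings.append(f"{field} is missing or empty")
    checks = (("redirect URI", "redirect_uris", REDIRECT),
              ("JavaScript origin", "javascript_origins", ORIGIN))
    for label, key, expected in checks:
        values = web.get(key) or []
        if expected not in values:
            findings.append(f"{label} {expected} is not registered")
        # Exact string comparison: a trailing slash or http:// variant is
        # reported as a separate, unexpected entry.
        findings += [f"unexpected {label}: {v}" for v in values if v != expected]
    return findings

def _sample(redirects):
    # Constructed sample; the client ID and secret are placeholders.
    return json.dumps({"web": {
        "client_id": "000000000000-constructed.apps.googleusercontent.com",
        "client_secret": "PLACEHOLDER-NOT-A-REAL-SECRET",
        "redirect_uris": redirects,
        "javascript_origins": [ORIGIN],
    }})

GOOD = _sample([REDIRECT])
BAD = _sample([REDIRECT + "/", "http://localhost:8080/callback"])

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, audit_oauth_client(raw) or "OK")
```

The downloaded file contains the client secret, so remove it from disk once the check is done.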
To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your Google Workspace SSO screen, select Connect with Google Workspace.
After you turn on SSO, users are redirected to your IdP when they sign in to their Blackbaud IDs with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:
- Automatically redirect them to your organization's login for future sign-ins.
  After users sign in through your organization's login, they are redirected to their Blackbaud ID profiles unless you edit the redirect to specify a Blackbaud solution. For more information, see Redirect Settings.
  Tip: Don't forget that if your users use an app in your IdP's portal to connect to Blackbaud solutions, then you must configure that app to use the redirect URL for your live connection. For information about the redirect URL, see Redirect Settings.
- Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
After you save your SSO configuration settings and turn off test mode, an Erase all single sign-on settings option appears after the SSO configuration steps. This option allows you to clear your configuration settings and start over. For example, you can select Erase all single sign-on settings if you need to select a different connection method or start over after you troubleshoot an issue. The option is only available after you save your configuration settings in step 2 and turn off test mode in step 3. When you turn on SSO, the option is no longer available, but you can turn off SSO to make it available again. For more information, see Single Sign-on Setup.