OpenID Connect (OIDC) Setup for ADFS
Microsoft Active Directory Federation Services (ADFS) can be installed on Windows Server operating systems to enable single sign-on access to an organization's applications. To set up an SSO connection that lets users sign in to your Blackbaud solutions through an ADFS identity provider (IdP), you must use the OIDC protocol, which lets third-party applications verify the identity of end users. An organization admin (or another user with the necessary admin rights) must claim your organization's email domains, create an ADFS application, configure app claims, configure the OIDC connection, test the connection, and then turn on SSO.
To prevent inadvertent lockouts, make sure to:
- Complete the setup during a maintenance window for your organization's network.
- Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.
Blackbaud doesn't support IdP-initiated connections. If you need to enable users to connect to Blackbaud solutions through an app in your IdP's portal, then after you turn on SSO, you must configure that app to use the redirect URL for your live connection. For information about the redirect URL, see Redirect Settings.

- In Security, select Authentication.
- Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.
- On the Single sign-on page, select OIDC.
- Under Claim your email domains, select Claim domains or Edit claimed domains and specify the email domains that your organization uses. This allows you to recognize and redirect members to your IdP when they sign in. For instructions, see Claimed Email Domains.

- In a different browser tab, go to Server Manager in your ADFS account in Azure AD B2C.
- Select Tools and then select AD FS Management.
- Right-click Application Groups and then select Add Application Group. The Add Application Group Wizard appears.
- On the Welcome step:
  - In the Name field, enter a name for your ADFS application.
  - In the Templates box, select "Web browser accessing a web application" under Client-Server applications.
  - Select Next.
- On the Native application step:
  - In the Client Identifier field, copy and save your application ID so that you can provide it as the client ID when you configure your OIDC connection.
  - In the Redirect URI field, enter "https://id.blackbaud.com/bbid.onmicrosoft.com/oauth2/authresp" and then select Add.
  - Select Next.
- To complete the wizard, select Next on the remaining steps and then select Close.

- In Application Groups, select your ADFS application.
- In the application properties, select the web application in the Applications box.
- Select Edit.
- On the Issue Transformation Rules tab, select Add Rule. The Add Transform Claim Rule Wizard appears.
- On the Choose Rule Type step:
  - In the Claim rule template field, select "Send LDAP attributes as claims."
  - Select Next.
- On the Configure Claim Rule step:
  - In the Claim rule name field, enter a name.
  - In the Attribute store field, select "Active Directory."
  - In the grid, enter mapping pairs in the LDAP Attribute and Outgoing Claim Type columns similar to the following list. The mapping pairs specify where you store the data that your IdP uses to identify your organization's users. The LDAP Attribute column must match the list, but the Outgoing Claim Type column may differ, because those values must match what you specify later when you configure your OIDC connection:
    - "User-Principal-Name" and "upn"
    - "Surname" and "family_name"
    - "Given-Name" and "given_name"
    - "E-Mail-Addresses" and "email"
    Tip: You need to manually enter any values that don't appear in the dropdown for outgoing claim types.
  - Select Finish.
- Select Apply and then OK.
- Select OK again to complete the process.

- Return to the Authentication settings page and under Configure your connection, select Get started or Edit connection.
- On the Configure OIDC connection screen, enter a name to identify your organization's OIDC connection in the Connection name field.
- In the Metadata URL field, enter the URL for the OIDC metadata document that contains information that is required during sign-in, such as the URLs to use and the location of the service's public signing keys. The metadata document is always located at an endpoint that ends in ".well-known/openid-configuration."
- In the Response Type field, accept the default "ID Token" response type that handles the generation of the client secret for SSO. This is the only available response type when you use ADFS.
- In the Client ID field, enter the application ID that you saved when you created your ADFS application.
- In the fields under Confirm how your IdP identifies the following, specify where you store the data that your IdP uses to identify your organization's users. These values must match the mapping values you entered in the Outgoing Claim Type column when you configured the app claims.
  Warning: You can only pass mapping fields if they are included under "claims_supported" in the OIDC metadata document that you provided in the Metadata URL field. That document, which ends in ".well-known/openid-configuration," contains information that is required during sign-in, such as the fields where you store data that identifies your users.
  - In the NameID field, specify where you store the unique IDs that your IdP uses to identify your users. The field for this data varies depending on your IdP, but the values are typically not email addresses or employee IDs. Instead, the values should be unique IDs that your IdP creates to distinguish users across all accounts.
    We recommend against using email addresses to identify users. If you identify users by email address and need to change a user's email address, then you must re-invite the user at the new email address, which means you lose all history associated with the original one.
  - In the Email address field, specify where you store user email addresses.
    For successful connections, email addresses must be unique.
  - In the First name field, specify where you store first names.
  - In the Last name field, specify where you store last names.
- Select the checkbox that acknowledges the need to wait before testing your SSO connection.
  - If you are setting up SSO for the first time, select I acknowledge these settings require 24 hours to take effect. A notification will let you know when your SSO connection is ready to test.
  - If you are editing an existing SSO connection, select I acknowledge these changes can take up to 30 minutes to take effect. We recommend waiting 30 minutes before you test the connection.
- Select Save.
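As an added example (not code from the Blackbaud page or from ADFS), the following Python check reads an OIDC discovery document and confirms, before you save the connection, that each claim name entered in the fields above (the outgoing claim types from the ADFS transform rule) appears under claims_supported, that the IdP advertises the id_token response type, and that the metadata URL has the expected suffix. The metadata document is a constructed sample and the host name adfs.example.org is a placeholder.

```python
import json

# Constructed sample of an OIDC discovery document, trimmed to the keys this
# check reads. Not a capture from a real ADFS farm; the host is a placeholder.
# ADFS serves the real document at
# https://<adfs-host>/adfs/.well-known/openid-configuration
SAMPLE_METADATA = json.dumps({
    "issuer": "https://adfs.example.org/adfs",
    "authorization_endpoint": "https://adfs.example.org/adfs/oauth2/authorize/",
    "jwks_uri": "https://adfs.example.org/adfs/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "claims_supported": ["aud", "iss", "iat", "exp", "nonce", "sub", "upn",
                         "email", "given_name", "family_name"],
})

# Outgoing claim types from the ADFS transform rule, keyed by the field on the
# Configure OIDC connection screen where each one is entered.
FIELD_CLAIMS = {
    "NameID": "upn",
    "Email address": "email",
    "First name": "given_name",
    "Last name": "family_name",
}


def check_metadata(metadata_url, metadata_json, field_claims=FIELD_CLAIMS):
    """Return a list of problems; empty means the connection inputs are
    consistent with what the IdP advertises in its metadata."""
    problems = []
    if not metadata_url.endswith("/.well-known/openid-configuration"):
        problems.append("metadata URL does not end in .well-known/openid-configuration")
    doc = json.loads(metadata_json)
    # Endpoints the sign-in flow depends on must be present and served over TLS.
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"metadata is missing {key}")
        elif not doc[key].startswith("https://"):
            problems.append(f"{key} is not an https URL")
    # The ADFS connection uses the ID Token response type only.
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the id_token response type")
    # Every mapping field must name a claim listed under claims_supported.
    supported = set(doc.get("claims_supported", []))
    for field, claim in field_claims.items():
        if claim not in supported:
            problems.append(f"{field}: claim '{claim}' is not in claims_supported")
    return problems


if __name__ == "__main__":
    url = "https://adfs.example.org/adfs/.well-known/openid-configuration"
    print(check_metadata(url, SAMPLE_METADATA) or "metadata and claim mapping are consistent")
```

To run it against your own farm, fetch the document from your Metadata URL and pass its body as metadata_json.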

When you save your configuration settings, test mode is turned on automatically. At least one user must successfully sign in using test mode before you can enable your SSO connection.
To verify that your organization can use your IdP to sign in to Blackbaud solutions, select Learn about testing SSO under Test connection. Copy the URL under Blackbaud ID redirect and then test your connection in a private or incognito browser. For more information, see Test Mode.
Note: If a consent screen appears in test mode, your IdP is configured to require admin approval before users authenticate. This consent screen is for the Blackbaud SSO application and is not requesting new permissions or access. It is seeking read access to the user information that you already configured as part of your SSO setup. To proceed, follow the instructions on your IdP's consent screen.

To complete the connection to your IdP, select Turn on SSO under Turn on. Then on the Connect your OIDC SSO screen, select Connect with OIDC.
After you turn on SSO, users are redirected to your IdP when they sign in to their Blackbaud IDs with one of your claimed domains. After they authenticate through your IdP, their Blackbaud IDs:
- Automatically redirect them to your organization's login for future sign-ins.
  After users sign in through your organization's login, they are redirected to their Blackbaud ID profiles unless you edit the redirect to specify a Blackbaud solution. For more information, see Redirect Settings.
  Tip: Don't forget that if your users use an app in your IdP's portal to connect to Blackbaud solutions, then you must configure that app to use the redirect URL for your live connection. For information about the redirect URL, see Redirect Settings.
- Use your IdP for password updates, lockouts, and other authentication management.
Note: After you enable SSO, resend any pending invitations.
After you save your SSO configuration settings and turn off test mode, an Erase all single sign-on settings option appears after the SSO configuration steps. This option allows you to clear your configuration settings and start over. For example, you can select Erase all single sign-on settings if you need to select a different connection method or start over after you troubleshoot an issue. The option is only available after you save your configuration settings in step 2 and turn off test mode in step 3. When you turn on SSO, the option is no longer available, but you can turn off SSO to make it available again. For more information, see Single Sign-on Setup.