OpenID Connect (OIDC) Setup

OIDC is an authentication protocol that enables third-party applications to verify end users. You can use OIDC to set up an SSO connection that lets users sign in to your Blackbaud solutions through an identity provider (IdP). An organization admin (or another user with the necessary admin rights) must claim your organization's email domains, configure the OIDC connection, test the connection, and then turn on SSO.

To prevent inadvertent lockouts, make sure to:

  • Complete the setup during a maintenance window for your organization's network.

  • Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.

Blackbaud doesn't support IdP-initiated connections. If you need to enable users to connect to Blackbaud solutions through an app in your IdP's portal, then after you turn on SSO, you must configure that app to use the redirect URL for your live connection. For information about the redirect URL, see Redirect Settings.

After you save your SSO configuration settings and turn off test mode, an Erase all single sign-on settings option appears after the SSO configuration steps. This option allows you to clear your configuration settings and start over. For example, you can select Erase all single sign-on settings if you need to select a different connection method or start over after you troubleshoot an issue. The option is only available after you save your configuration settings in step 2 and turn off test mode in step 3. When you turn on SSO, the option is no longer available, but you can turn off SSO to make it available again. For more information, see Single Sign-on Setup

Tip: For a visual reference of the OIDC setup that uses Okta as the IdP, see OIDC setup.