SAML 2.0 Setup

Note: This help topic describes new single sign-on (SSO) setup options for SAML 2.0. To enhance security and stability, Blackbaud has switched to a new SSO authentication service. Organizations that already use SSO will now see a New single sign-on tab on the Authentication settings page in Security and must set up new SSO connections by Oct. 31.

Tip: Don't want to manage certificates for your SSO connection? Then leave SAML behind and set up your connection through OpenID Connect instead. For details, see OpenID Connect (OIDC) Setup.

Security Assertion Markup Language (SAML) 2.0 is a standard protocol for exchanging authentication data between security domains. To set up an SSO connection that lets users sign in to Blackbaud solutions through a SAML 2.0 identity provider (IdP), such as Google Workspace, OneLogin, Shibboleth, or Central Authentication Service (CAS), an organization admin (or another user with the necessary admin rights) must claim the organization's email domains, create a SAML 2.0 connection and configure its settings, test the connection, and then turn on SSO.

To prevent inadvertent lockouts, make sure to:

  • Complete the setup during a maintenance window for your organization's network.

  • Create a Blackbaud ID outside of your claimed domains with access to the Authentication settings page in Security.

Tip: If you are migrating an existing SSO connection to connect through SAML, we already pulled over any domains you previously claimed from your existing connection. This means you can proceed directly to configure your connection and then test that your organization can use your IdP to sign in to Blackbaud solutions.

After you save your SSO configuration settings and turn off test mode, an Erase all single sign-on settings option appears after the SSO configuration steps. This option allows you to clear your configuration settings and start over. For example, you can select Erase all single sign-on settings if you need to select a different connection method or start over after you troubleshoot an issue. The option is only available after you save your configuration settings in step 2 and turn off test mode in step 3. When you turn on SSO, the option is no longer available, but you can turn off SSO to make it available again. For more information, see Single Sign-on Setup.

Tip: For a visual reference of the SAML 2.0 setup that uses Okta as the IdP, see SAML 2.0 setup.