Set Up Single Sign-on (SSO)

On the Authentication settings page in Security, organization admins (or other users with the necessary admin rights) can enable SSO to require users to sign in to Blackbaud solutions through their organization's identity provider (IdP) instead of Blackbaud's secure authentication service or a social sign-in. Blackbaud ID supports SSO through:

With SSO enabled:

Your users' Blackbaud IDs redirect to your IdP, where users sign in to Blackbaud solutions with the same credentials as other authorized applications.
Your organization's IT admins manage authentication needs — such as password requirements and lockouts — through your IdP.

Set Up SSO

To set up SSO, you select your connection method on the Authentication settings page and then complete the steps on the Single sign-on page.

Tip: To designate someone else to set up SSO or to configure the settings with a different Blackbaud ID, select Invite another admin to configure and add a new organization admin.

For Microsoft Entra ID, select Microsoft Entra ID. For information, see Entra ID setup.
For Google Workspace, select Google Workspace. For information, see Google Workspace.
For OpenID Connect (OIDC), select OIDC. For information, see OpenID Connect (OIDC).
For Security Assertion Markup Language (SAML) 2.0, select SAML 2.0. For information, see Security Assertion Markup Language (SAML) 2.0.

Warning: To help prevent an inadvertent lockout, make sure you have a Blackbaud ID outside of your claimed domains with access to the Authentication settings page.

Erase SSO Settings

You can erase your SSO settings as necessary to start over with your SSO configuration. For example, you can erase SSO settings if you decide to use a different SSO connection method or if you want to start over from scratch after troubleshooting an SSO issue.

If you haven't turned on SSO, go to the Single sign-on page and select the Erase all single sign-on settings option that appears after the SSO configuration steps. Then on the confirmation screen, select Erase settings.
Note: The Erase all single sign-on settings option only appears after you save your SSO configuration settings in step 2 and turn off test mode in step 3. It is not available before you configure your connection or while you are in test mode.
If you already turned on SSO, you must turn off SSO before you can clear your SSO settings. For example, if you decide to use a different SSO connection method, you can turn off SSO and then erase your SSO settings to start over.
On the Single sign-on page, select Turn off SSO and then on the Turn off SSO connection screen, select the Turn off SSO connection checkbox and select Turn off SSO connection. Then on the updated Single sign-on page, select the Erase all single sign-on settings option that appears after the SSO configuration steps. Then on the confirmation screen, select Erase settings.

When you erase your SSO settings, you retain any verified email domains.

Change IdP or Connection Method

To change your IdP or connection method, you need to disable your connection, set up the connection again to make your changes, and then turn SSO back on. You also follow this process to change any other configuration settings, except for adding claimed email domains, which you can do without turning off SSO.

To minimize the disruption from turning off SSO, we recommend making changes during a maintenance window. Schedule a time outside of normal business hours because the process can be time-consuming, and let users know they can't sign in to Blackbaud solutions through your IdP during that time. If users do sign in, they will be prompted to reset their passwords to sign in through Blackbaud's authentication service.

Turn off SSO.
1. On the Single sign-on page, select Turn off SSO.
2. On the Turn off SSO connection screen, select the Turn off your SSO connection checkbox.
3. If you don't want to prompt users to reset their passwords, clear the Send users an email to reset their Blackbaud ID passwords checkbox. By default, the option emails all users who sign in through your SSO connection, and you should only clear it if you will turn SSO back on before users need to sign in. For example, you can clear it for small changes, such as switching your IdP, where users won't reset their passwords because you will turn SSO back on relatively quickly.
4. Select Turn off SSO.
Set up the connection again and change the IdP, connection method, or other configuration settings as necessary.
1. On the Authentication settings page, select your connection method.
2. On the Single sign-on page, configure the connection and include your desired changes. Your claimed email domains remain verified, but you must reconfigure all other settings.
3. Test the connection to verify that you can use your IdP to sign in to your Blackbaud solutions.
Turn SSO on again.
- On the Single sign-on page, select Turn on SSO under Turn on to complete the connection. The updated connection reflects your changes, and users can sign in to Blackbaud solutions through your IdP.