Single Sign-on Setup

On the Authentication settings page in Security, organization admins (or other users with the necessary admin rights) can enable single sign-on (SSO) to require users to sign in to Blackbaud solutions through their organization's identity provider (IdP) instead of Blackbaud's secure authentication service or a social sign-in. Blackbaud ID supports SSO through:

With SSO enabled:

  • Your users' Blackbaud IDs redirect to your IdP, where users sign in to Blackbaud solutions with the same credentials as other authorized applications.

  • Your organization's IT admins manage authentication needs — such as password requirements and lockouts — through your IdP.

To set up SSO, you select your connection method on the Authentication settings page and then complete the steps on the Single sign-on page.

Tip: To designate someone else to set up SSO or to configure the settings with a different Blackbaud ID, select Invite another admin to configure and add a new organization admin.

  • For Microsoft Azure Active Directory (Azure AD), select Azure AD. For information, see Azure AD Setup.

  • For Google Workspace, select Google Workspace. For information, see Google Workspace Setup.

  • For OpenID Connect (OIDC), select OIDC. For information, see OpenID Connect (OIDC) Setup.

  • For Security Assertion Markup Language (SAML) 2.0, select SAML 2.0. For information, see SAML 2.0 Setup.

Warning: To help prevent an inadvertent lockout, make sure you have a Blackbaud ID outside of your claimed domains with access to the Authentication settings page.

You can erase your SSO settings as necessary to start over with your SSO configuration. For example, you can erase SSO settings if you decide to use a different SSO connection method or if you want to start over from scratch after troubleshooting an SSO issue.

  • If you haven't turned on SSO, go to the Single sign-on page and select the Erase all single sign-on settings option that appears after the SSO configuration steps. Then on the confirmation screen, select Erase settings.

    Note: The Erase all single sign-on settings option only appears after you save your SSO configuration settings in step 2 and turn off test mode in step 3. It is not available before you configure your connection or while you are in test mode.

  • If you already turned on SSO, you must turn off SSO before you can clear your SSO settings. For example, if you decide to use a different SSO connection method, you can turn off SSO and then erase your SSO settings to start over.

    On the Single sign-on page, select Turn off SSO and then on the Turn off SSO connection screen, select the Turn off SSO connection checkbox and select Turn off SSO connection. Then on the updated Single sign-on page, select the Erase all single sign-on settings option that appears after the SSO configuration steps. Then on the confirmation screen, select Erase settings.

When you erase your SSO settings, you retain any verified email domains.