Setup FAQs

SSO is a self-service configuration that organizations complete on their own. Blackbaud Support can't offer guidance on your identity provider (IdP) settings or SSO configuration. Here is a broad description of how to set up SSO, but see the SSO help documentation for detailed guidance.

1. Designate an organization admin to configure SSO. We recommend an admin on your IT staff who is familiar with your organization's IdP. We also strongly recommend that before you enable SSO, you create an admin account with an email address outside of your claimed domains so that if errors occur or you disable SSO later, you can still log in to access your SSO configuration settings.
2. From Security, select Authentication and then Manage SSO settings.
3. Select an IdP that Blackbaud supports, and follow the steps for that provider to set up SSO configuration.

Blackbaud ID supports the following SSO options. Follow the links for detailed instructions.

• Microsoft Entra ID
• Google Workspace
• OpenID Connect (OIDC)
• Security Assertion Markup Language (SAML) 2.0 IdPs

Yes. To test the setup and verify your connection, see the test mode documentation.

For organizations where IT departments or other stakeholders require the completion of questionnaires before they enable single sign-on (SSO), see our FAQ with common questions on questionnaires.

Yes. You can edit the label for the blue button on the Blackbaud ID sign-in page and the "Authenticated with" label at the top of user profiles. For details on how to edit this setting, see display names.

Yes. It is very important to create an admin account with an email address outside of your claimed domains before you enable SSO.

If you disable SSO or errors occur after you enable it, you can use the admin account to log in to Blackbaud.com to access your SSO configuration settings. You can also use this admin account if issues with your identity provider or with SSO prevent you from logging in with your organization domain email address.

To create this admin account, add an admin account with an email address that does not use your organization's claimed domains. Then, log in with it and make sure you can access your SSO settings on the Authentication settings page.

All users who sign in with Blackbaud IDs for your verified domains receive an email to inform them of the change to their log in experience. The email explains that when they sign in to their Blackbaud solutions, they now need to use the same credentials that they use for other applications that your organization authorizes. The email can't currently be customized.

When you enable SSO, it affects the entire email domain. If multiple organizations with different site IDs share an email domain, configuring SSO for one of them also configures it for the others. It is important to ensure that related organizations on the same email domain coordinate to prepare all users when SSO is enabled. The organization admins of the Site ID that configures SSO are the only admins who can manage SSO settings for all the organizations.

After you set up SSO with your IdP, you can view and manage details for the connection.

To change SSO settings:

1. From Security, select Authentication.
2. Under Authentication settings, select Manage SSO settings. On the page that appears, you can view and manage settings, such as display names, claimed email names, and redirect URL.

However, some SSO settings can't be changed when an SSO connection is enabled. To edit these settings you need to disable the connection. You can then set up the connection again and change the settings as necessary.

After you set up your SSO connection, you can change your IdP by disabling the connection and then turning SSO on again with a different IdP.

1. Disable your SSO connection.
2. Set up the SSO connection again.
3. Test the new SSO connection.