SAML 2.0 Setup for Google Workspace

To enable users to sign in to their Blackbaud IDs with their managed Google account credentials, set up a custom Security Assertion Markup Language (SAML) 2.0 app in your Google Workspace admin console, and configure its connection in Authentication.

Warning: To prevent an inadvertent lockout, ensure you have another Blackbaud ID outside of your claimed domains with access to Authentication.

Tip: If users sign in with multiple Google accounts or share browsers, rather than a SAML connection, we recommend you set up a custom web app in your Google API Console for single sign-on (SSO) through Google Workspace. For more information, see Google Workspace Setup.

  1. In Admin, go to Authentication and select Manage SSO settings.

  2. Under Single sign-on, select SAML 2.0 .

  3. Under Configure your connection, select Get started or Edit connection.

  4. Enter the organization name to display when users sign in.

  5. In a separate browser tab, sign in your Google Workspace admin console with an administrator account.

    1. Select Apps, Web and mobile apps.

    2. Select Add app, Add custom SAML app.

    3. Under App details, enter a name and description to identify your app.

    4. To upload an image, select Choose file and browse to a PNG or GIF to use as the app's icon.

      Warning: To ensure a consistent connection, upload the logo now. If you add or change the logo after you set up the connection, Google Workspace requires you to recreate the app.

    5. Select Continue.

    6. Under Option 2, select the button in the Certificate field to download a certificate (CER) file.

  6. Return to Authentication:

    1. In the SAML sign-in URL field, enter the SSO URL from your Google IdP information.

    2. To set up a bookmark app that lets users sign in to their Blackbaud solutions directly from Google Workspace, enter the URL for your Blackbaud solution in the IdP initiated SSO URL field. The URL must use a Blackbaud ID-supported domain, such as blackbaud.com. For more information, see Redirect Settings.

    3. Under Signing certificate, select Choose file, and browse to and select the certificate (CER) file you downloaded from your Google IdP information.

    4. Enter the attributes Google will use to permanently identify user details:

      • In the NameID and Email address fields, enter emailAddress.

      • In the First name field, enter given_name.

      • In the Last name field, enter sur_name.

      Note: You'll create these attributes when you configure your Google IdP.

    5. Select Save.

  1. In Authentication:

    1. Under Configure your identity provider (IdP), select View instructions.

    2. Copy the Assertion Consumer Service (ACS) URL.

  2. In your Google Workspace admin console, go to Service provider details and paste the ACS URL in the ACS URL field.

  3. Return to Authentication and copy the entity ID.

  4. Back in your Google Workspace admin console:

    1. Under Service provider details, paste the entity ID in the Entity ID field.

    2. Under Name ID, accept the defaults. For the name ID format, you want "UNSPECIFIED," and for the NameID. you want "Basic information > Primary email."

    3. Select Continue.

    4. Select Finish because no attribute mapping is required.

    5. On your newly created dashboard, under User access, select ON for everyone.

  5. Return to Authentication and select Save.

To properly recognize and redirect users to Google Workspace when they sign in, identify which email domains your organization uses. For more information, see Claimed Email Domains.

After you set up your SAML 2.0 connection and claim your email domains, test the connection to verify your organization can now use Google Workspace to sign in to Blackbaud solutions. For more information, see Test Mode.

After you set up your connection, you can turn on SSO. When you turn on SSO, anyone who signs in to their Blackbaud ID with one of your claimed domains is redirected to your organization's Google login. After they authenticate with their managed Google account credentials, their Blackbaud ID:

  • Automatically redirects to your organization's Google login for future sign-ins

    Tip: By default, users redirect to their Blackbaud ID profile when they sign in through your Google login. To instead open a different Blackbaud solution, edit the redirect. For more information, see Redirect Settings.

  • Uses your Google Workspace admin console for password updates, lockouts, and similar authentication management

To complete the connection to Google, select Learn about connecting SSO and Connect with SAML.

Note: After you enable SSO, resend any pending invitations sent before the connection to Google.

Warning: After you set up your connection, if you change a user's email address, you'll need to re-invite them to their Blackbaud solutions at the new email address.

Tip: To clear your setup and start over, select Erase all single sign-on settings. For more information, see Single Sign-on Setup.