Single Sign-on Setup

In Admin, organization admins can enable single sign-on (SSO) to require users to sign in to Blackbaud solutions through their organization's identity provider (IdP) instead of Blackbaud's secure authentication service or social sign-ins. Blackbaud ID supports SSO through:

  • Microsoft Azure Active Directory (AD)

  • Security Assertion Markup Language (SAML) 2.0 IdPs, such as Google Workspace, OneLogin, Shibboleth, or Central Authentication Service (CAS)

  • Microsoft Active Directory Federated Services (ADFS)

  • Okta

  • Google Workspace

Tip: For SSO through Microsoft Active Directory network credentials, set up a connection with Azure AD, ADFS, or a SAML 2.0 IdP that support Active Directory.

With SSO enabled:

  • Your users' Blackbaud IDs redirect to your IdP, where they sign in to Blackbaud solutions with the same credentials as other authorized applications.

  • Information technology admins manage and support your organization's authentication needs — such as password requirements and lockouts — through your IdP.

Tip: To have someone else set up SSO, or to configure these settings with a different Blackbaud ID, select Invite another admin to configure and add a new organization admin. For more information, see Admins.

To set up SSO, choose which connection your IdP requires in Authentication.

Warning: To help prevent an inadvertent lockout, ensure you have another Blackbaud ID outside of your claimed domains with access to Authentication.

As you set up your SSO connection, you can clear your settings and start over at any time, such as to troubleshoot issues. To erase your settings, select Erase all single sign-on settings under Single sign-on, and then select Erase SSO settings.

When you erase your SSO settings, you retain any verified email domains.

After you enable SSO, select Learn about disconnecting SSO to first turn off the connection to your IdP. For more information, see Single Sign-on Connection.