Blackbaud SSO allows you to leverage your organization's identity provider to enable a one login experience using your Blackbaud ID for access to your Blackbaud solutions. Available solutions include; Blackbaud.com, Raiser's Edge NXT, Financial Edge NXT, Altru, Education Management and more to come. This article includes frequently asked questions that will assist in understanding and configuring SSO for your organization.
Is SSO required to log into my Blackbaud solutions? No, SSO is not required to log into your Blackbaud solutions and you can continue using your existing credentials. SSO is designed to make your sign in experience easier leveraging only one set of sign in credentials.
Do I have to configure SSO for each user at our organization? No, SSO is configured one time by your organization's site administrator. Once the set-up is complete and successful, each user with a Blackbaud id added with your identity provider will be notified by email.
What will the users at my organization need to do in order to sign in to Blackbaud solutions using our SSO method? Once connection to SSO is complete the user will need to enter their organization's email address at the login screen, which will then redirect the user to your identity provider for authentication. Once the user enters their organization's credentials they will be automatically signed into your Blackbaud product.
Can we temporarily enable SSO for testing and then disable it, without any negative repercussions for our end-users? Testing SSO allows you to ensure your configuration has been established correctly. In Test Mode, only users who sign in using test mode will be notified, other users will not be notified and will notice no changes when signing in.
If a Blackbaud user has access to more than one Blackbaud tenant, and SSO is only enabled for one tenant, will the user be able to access all tenants? SSO configuration is for being able to use it with any solution that uses the BBID. Therefore, a user with one BBID can access multiple solutions and the same is to be said with multiple databases. They will use the same BBID to access all database they are invited to.
Can we enable SSO test mode for more than one user? To test the connection in test mode, they can share the test URL with however many users they want to put it through its paces.
Can we enable SSO test mode for already provisioned users in the Blackbaud tenant? Yes, you can share the test URL with anyone with a BBID that uses a claimed domain.
How does SSO impact Blackbaud's built-in inactivity time-outs? It doesn’t… the time out for RENXT is still the same and they will need to sign in again if the user is signed out.
Is NetCommunity integrated with Blackbaud SSO? No, not at this time.
Once SSO is enabled, how do we provide vendors and even Blackbaud consultants access to a Blackbaud tenant? If consultants need access to the solution you would invite them and they would connect using their Blackbaud ID.
Once SSO is enabled, will users be presented with a choice to login either with their local credentials or via their organization's ID? Once SSO is configured the users will need to connect to their solution with their Blackbaud ID(your SSO credentials) and will no longer be able to log in using their old username and password.
Can we force SSO-only logins, if we so desire? When you enable SSO, anyone with a BBID on your claimed domains are redirected to the organization’s login to sign in through your IdP. So essentially yes, you are enforcing SSO for all BBIDs on a claimed domain.
If we force SSO-only logins, is there a fall back mode for admins if the SSO configuration breaks? You can erase and reset all settings for SSO. However, if all users are on SSO and something arises with the domain, then no one will have access to Authentication to manage it. Therefore, we recommend you have at least one admin-level BBID with an email address not on a claimed domain— something like @gmail.com or @hotmail.com, This will act as your "back door" to access the Authentication settings without having to sign in via SSO in case any unforeseen SSO issues arise.
Does enabling SSO for our organization automatically grant users access to Raiser's Edge NXT, Financial Edge NXT or other Blackbaud products? No, a user who has not been invited to the organization's Blackbaud solution will be redirected to blackbaud.com. To gain access to Raiser's Edge NXT, Financial Edge NXT or other products the user will need to receive an invite from a Supervisor user.
Can we configure SSO while we are migrating to Raiser's Edge/Financial Edge NXT or while we are in the testing phase? Yes, this configuration sits above the tenants for Raiser's Edge/Financial Edge NXT and is a one time set-up. You will not have to reconfigure once your organization goes live with your NXT solutions.
Does the SSO configuration also work to bypass the Citrix connection to access the database view for NXT solutions? At this time, the SSO configuration is only allowing you to sign in through the web view and not the database view through the Citrix connection. There is no time table as to if or when SSO may be used to access the database view.
My users are not recognized, can't sign in or could sign in but can't now after setting up SSO using SAML 2.0. How can I fix this? Please refer to our SAML troubleshooting guide for assistance.
Can we require all users to utilize the Two-step authentication option? We do not currently support an admin's ability to require two-step authentication for their organization's users. However, users can opt-in to two-step authentication from their Blackbaud ID user profile page. It is not currently possible to hide the two-step authentication option on user profiles.
I would like a demo or consultative help in setting up SSO, who do I get in touch with? For a demo or assistance setting up this configuration please contact your Account Executive who can schedule some consultative time with a Blackbaud representative.