Steps to configure SAML SSO for Blackbaud

About Blackbaud

Blackbaud is a cloud-based software company that provides nonprofit organizations with solutions for fundraising, financial management, CRM, and analytics to help them maximize their social impact.

The following steps will help you enable SSO for Blackbaud software from Identity360.

Prerequisites

1. The MFA and SSO license for Identity360 is required to enable SSO for enterprise applications.
2. Log in to Identity360 as an Admin, Super Admin, or Technician with a role that has Application Integration and Single Sign-on permissions.
3. Navigate to Applications > Application Integration > Create New Application, and select Blackbaud from the applications displayed.
   Note: You can also find Blackbaud from the search bar located at the top.
4. Under the General Settings tab, enter the Application Name and Description.
5. Under the Choose Capabilities tab, select Single Sign-on and click Continue.
   General Settings of SSO configuration for Blackbaud
6. Under Integration Settings, navigate to the Single Sign On tab, click IdP Details. Copy the Metadata value, which will be used later during the configuration in Blackbaud.
   Integration Settings of SSO configuration for Blackbaud.

Blackbaud (service provider) configuration steps

1. Log in to Blackbaud as an administrator.
2. In Security, select Authentication.
3. Under New single sign-on (SSO) on the Authentication settings page, select Manage SSO settings.
4. On the Single sign-on page, select SAML 2.0.
5. Under Claim your email domains, select Claim domains or Edit claimed domains to identify the email domains that your organization uses. This allows you to properly recognize and redirect members to your identitity provider (IdP) when they sign in. For instructions, see Claimed Email Domains.
6. Under Configure your connection, click Get started.
7. Under Enter your connection details on the Connection tab of the Configure SAML 2.0 connection screen, enter details for your organization's connection.
8. In the Connection name field, enter Identity360.
9. In the Metadata type field, select Metadata XML, and paste the metadata value copied in step 6 of prerequisites.
10. Leave the Sign SAML requests field unchecked.
11. Under Confirm how your IdP identifies the following, specify the below details.
    • In the NameID field, enter assertionSubjectName.
    • In the Email address field, enter Email.
    • In the First name field, enter FirstName.
    • In the Last name field, enter LastName.
12. Select I acknowledge these settings require 24 hours to take effect.
13. Select Save and continue.
14. When you save your configuration settings, test mode is automatically turned on. At least one user must successfully sign in using test mode before you can enable your SSO connection.
    Note: To verify that your organization can use Identity360 to sign in to Blackbaud solutions, click Learn about testing SSO under Test connection. Copy the URL under Blackbaud ID redirect, and then test your connection in a private or incognito browser. For more information, see Test Mode.
15. To complete the connection, select Turn on SSO under Turn on. Then on the Connect your SAML 2.0 SSO screen, select Connect with SAML 2.0.
    Note: After you turn on SSO, users are redirected to Identity360 when they sign in to their Blackbaud IDs with one of your claimed domains.

Identity360 (identity provider) configuration steps

1. Switch to Identity360's application configuration page.
2. Enter the Relay State parameter, if necessary.
3. Click Save.
   Integration Settings of SSO configuration for Blackbaud.
4. To learn how to assign users or groups to one or more applications, refer to this page.

Your users will now be able to sign in to Blackbaud through the Identity360 portal.