SAML Integration with BlackBaud
You want to integrate BlackBaud with PortalGuard for Single Sign-On and/or Two-Factor Authentication.
Use our generic SSO template and follow the steps below to set up the SSO integration for BlackBaud.
- Complete the PortalGuard SSO Pre-Requisites:
Install the Relying Party Template
- Remote into the PortalGuard server and shut down the Identity Provider Configuration Editor.
- Download the template file attached to this KB article and place it on your PortalGuard server in the following directory:
- Program Files\PistolStar\PortalGuard\Policies
- Open the Identity Provider Configuration Editor.
- Click on the SAML Websites tab.
- Verify the BlackBaud configuration now exists.
Modify the Relying Party Template
- From within the Identity Provider Configuration Editor, edit the new configuration file verified in the previous section.
- You may either double click the entry, or select the entry and then click the 'Edit' button.
- On the General tab, ensure the 'Identifier' and 'Assertion Consumer Service URL' match the expected value for your instance of BlackBaud.
- Important Note: This information will come from the Metadata file for BlackBaud. Please contact the BlackBaud support team to access this metadata. SAML Metadata is provided in XML format, and describes the application's properties such as access URLs and unique identifiers. The information specifically required by PortalGuard is detailed below:
- The entityID value attached to the EntityDescriptor element from the metadata file translates to the 'Identifier' within PortalGuard.
- The AssertionConsumerService element with a binding of 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' from the metadata file translates to the 'Assertion Consumer Service URL' within PortalGuard.
- Navigate to the Identity Claims tab and validate that each claim is pulling the appropriate information.
- For LDAP environments, each claim will be configured to pull a certain field value for the user.
- For SQL environments, an SQL Query will be utilized with an expected return of the intended value.
- In either case, a 'Static' value may be utilized as well.
- Navigate to the IdP-Initiated tab. Modify the 'Display Text', 'Help Text', and 'Display Image' values according to the requirements for your environment.
- 'Display Text': The label for the Tile on the PortalGuard SSO Jump Page.
- 'Help Text': Context information that appears if the user hovers over the tile but does not click it.
- 'Display Image': Thumbnail to utilize for the tile on the PortalGuard SSO Jump Page.
- 'Hide on SSO Jump Page': Select this box if you want to hide the tile on the SSO Jump Page (e.g. users should navigate to this website directly).
- Navigate to the Authorization tab and ensure the scope for this application matches the requirements for your environment.
- Important Note: If the 'Authorized Users' box is empty, that means all users will be able to see/utilize this SSO Integration. Otherwise, only the users/groups/OUs present will be able to see/utilize this SSO Integration.
- Click on the 'Save' button to commit your changes.
Configure BlackBaud to Use PortalGuard for SSO
IMPORTANT NOTE: The following steps are intentionally vague. Each application will require different configuration steps and these steps may change over time as the application grows and develops. If you experience a vastly different experience from what is below, please contact technical support via firstname.lastname@example.org to have this article updated. We recommend always confirming with configuration documentation specific to BlackBaud as well, to ensure no unwarranted mistakes are made.
- Login to the Administrative side of BlackBaud.
- Navigate to the SSO Settings.
- Download your PortalGuard Metadata file using the following URL structure:
- Use the following information as a guideline for how to populate the administrative settings for SAML SSO to BlackBaud:
- 'IdP Entity ID':
- The 'Issuer' value defined within the Response tab of PortalGuard's Identity Provider Configuration Editor
- This can also be found in the PortalGuard metadata as the 'entityID' value of the 'EntityDescriptor' element.
- 'Log On URL':
- The PortalGuard SSO URL, which should follow this structure:
- 'Log Out URL':
- The PortalGuard logout URL, which should follow this structure:
REV. 03/2019 | PortalGuard