Preparing Your Site Administrators For Single Sign-On

Published

As we get closer to the introduction of Blackbaud ID and our new Single-Sign On functionality (coming in October!), we want to continue our communication efforts to help ensure all Altru sites are fully prepared for these login changes. If you missed our initial blog post around this topic, you can go back and read through it here.

Today we want to highlight the Blackbaud.com Site Administrator and how to update this contact for your site if needed. In our Blackbaud ID Early Adopter Program, some organizations had questions around Site Administrators as they prepared for the update.

As explained previously, your Site Administrator plays an essential role in ensuring your site’s transition to Single Sign-On is as smooth as possible. After SSO is enabled, the login process will change, and all users will enter their Blackbaud.com credentials to access Altru going forward. The Site Administrator is responsible for making sure all users have Blackbaud.com accounts setup in advance. If you need to determine who is listed as your organization’s site administrator(s), you can follow the steps in this KB article to find out. Or, if you need to become a Site Administrator for your organization, we have instructions on how to do this too. The exact steps depend on whether or not you already have an active site administrator listed for your organization, but either way, the process is laid out for you here.

You may also want to read through our Site Administrator Summary on Blackbaud.com if you’re unfamiliar with the role. This page includes a rundown of all the various tasks this role is responsible for and helpful instructions on how to invite new users. The invitation steps are relatively simple (it is a two-step process) but taking these actions in advance will minimize the work you need to do after Single Sign-On is released.

If you haven’t already, be sure to subscribe to Altru Announcements to stay up-to-date on all things SSO. We will be posting additional announcements, blogs and more as we get closer to the release!

News Blackbaud Altru® Blog 08/02/2017 12:20pm EDT

Added by Jillian Lewis

10 Comments

Jillian Lewis Sep '17

We hear your concerns and completely understand that this change to login functionality may impact certain processes that are in place for your organization. That is the main reason behind all of our ongoing communication efforts and our attempts to help answer any questions around specific scenarios like temporary workers, shared users, etc. With that said, Single Sign-On is the latest experience for all of Blackbaud’s customers going forward, and this is the direction all of Blackbaud’s solutions are moving to ensure we stay up-to-date with the latest security & authentication standards in the industry. For that reason we are unable to offer specific organizations or users the ability to opt-out of the functionality.

One thing to note in regards to Vonna’s first comment: with this shift, we are working to update our Blackbaud.com experience so that you will eventually have more granular control over what your linked users have access to, in terms of support resources, etc. It is something that is currently in the works, and while we don’t have a definite timeline to provide, we do hear you and I wanted to make you aware that we are in fact heading in that direction.

To answer your questions about creating new users “post-SSO”, you do not need to create two accounts. Essentially, the steps will be to 1) Invite the new user through Blackbaud.com, then 2) Send an invitation from Altru to the email address associated with that Blackbaud ID. It will be the same login/account, but the act of sending the invitation through Altru essentially grants that user access to the program.

Hope that helps a bit. If you haven’t already, I would recommend signing up for the Single Sign-On webinar this Wednesday as we will be talking through the new functionality in further detail and will walk through various scenarios and best practice recommendations.

vonna brown Sep '17

Going back to Mike's question- Does the altru user need two accounts? If I have a new user to altru after SSO implentation-do I still need to set up an altru login as well as a blackbaud login?

Mike Marseglia Sep '17

I have to agree with Vonna Brown, we have approx. 70 part-time hosts at any given time that we do not issue museum e-mails to. This portion of our staff is prone to frequent turnover and our organization only utilizes 1 Blackbaud product (Altru). I do realize that SSO is actually a technological advancement for most systems and SAAS environments, but our organization does not have a need for this, nor even request such a feature, and it will only be problematic by adding a considerable amount of preparation man hours for our site administrator. I was told by support that no other organization has requested to "opt out" of this feature. Will Blackbaud even consider a way for customers to "opt out", given their universal architecture? Support also suggested "no", but given any new users that we add to Altru in the future, will we have to now create 2 user accounts, 1 for Blackbaud.com and 1 for Altru? Then let the user log-in to "marry" the accounts. I'm not clear on that as the documentation I've received suggests the 2 accounts would need to exist. What are other organizations thoughts on this?

vonna brown Aug '17

Is this something that can be disabled? I have over 140 users-many cashiers (we have 4 sites) and we don't give sign ins to BlackbaudSupport.com to part-time staff/cashiers. We did not ask for this and will only create a burden!

Jillian Lewis Aug '17

Kiku, thanks for your questions.
- The credentials for Altru Sandbox will change once Single Sign-On is implemented. Our team will be managing this and will update Knowledgebase (https://kb.blackbaud.com/articles/Article/64336) as soon as they are changed.
- Once SSO is turned on for your organization, the only way to log in to your database will be with a Blackbaud ID (or Google Auth if you choose to authenticate that way). In other words, yes, it will all switch over at once.
- Yes, now that users will be logging in with Blackbaud ID, the date/time of last login activity will be tracked.
Hope that helps!

April, all users who need to access Altru will need to login using either Blackbaud ID or Google Authentication. For seasonal or temporary employees, we still recommend that each user have an individual login. There are no security ramifications if you have them sign up with their personal email addresses and associate them with your site ID on Blackbaud.com. Once they leave, you can disable the user in Altru and remove them from your site ID on Blackbaud.com. If/when they return, you can easily mark them active again in Altru and re-associate them on Blackbaud.com.

However, while we advise against it, if you create a shared email address and password, we recommend that every time a temporary employee, volunteer, etc. separates from your organization, you should change the password for that Blackbaud ID.

April Geiselman Aug '17

We have multiple cashiers that are not allowed internet access at our gates, and are usually seasonal (sometimes not coming back after the summer is over), will we really have to give the sometimes upwards of 40 employees email addresses when all they need is to sign onto Altru?

J Kiku Langford McDonald Aug '17

A Few Questions:

How will we log into the sandbox Altru system once SSO is implemented?

Will there be any period of time when users can log in either with SSO or their Altru credentials? Or will it all switch over at once on a certain day?

When users log in to Altru through SSO, will these dates and times be recorded so we can see how recently different users have accessed Altru?
https://www.screencast.com/t/jHTmqBV9pl

Jillian Lewis Aug '17

For Odata, if you have a dedicated Odata user that is not used to login to Altru, you'll be able to continue using those credentials for Odata after the update. If you're using an Altru user for your Odata connection that you intend on linking to your Blackbaud ID, you will need to update those credentials wherever the Odata connection lives (after linking the accounts).

In regards to using your Google account - you'll still be able to login this way and can link your Altru user to your existing account. However, Google authentication doesn't work with Odata. So if your organization uses (or intends to use) Odata, you should either create a dedicated Odata user or plan on linking a Blackbaud ID.

Kara Petraglia Aug '17

What will change for users who use their Google Account to sign in to Blackbaud.com?

Derek Schartung Aug '17

What about odata access? What account settings will we use for that?