Azure OIDC SSO issues

We have recently tried to implement Azure OIDC for our SSO. The Blackbaud directions are missing some vital information for this setup, at least as of the time of this post. In step 2, they tell you to "enter a name to identify your organization's OIDC connection in the Connection name field". If you are using Azure SSO, it seems you will need this name to be the tenant ID of your Azure tenant for your organization. Blackbaud is passing this connection name as the domain_hint property in their web requests to Azure authentication, and if it is wrong it can cause quite a few issues, including forced reauthentication and possibly "user not found" errors. This name could theoretically also be your domain name in Azure, but it seems that Blackbaud is replacing any periods with hyphens, which would throw off the domain name since it would no longer be a valid domain name.

Just a heads up in case anyone else is having issues or thinking about using OIDC in Azure for SSO. We haven't been able to verify for sure that this will fix the issue, because turning off SSO for our organization leads to around 8 hours of downtime for some reason, but we have verified through a lot of testing that changing the domain_hint to the tenant ID does fix the issue in the web requests coming from Blackbaud. Blackbaud tells us the delay in turning off SSO is because we have so many users and each one has to be toggled for SSO. Maybe it is an individual manually toggling each user, because I have no idea how code could take that long lol. Also kind of wild that you have to turn off SSO for your organization to edit a name, but what can you do.

In the meantime, until we can find a service time to change the name to a value that works, we created a Chrome/Edge extension to get around the issue. If anyone is having issues and would want assistance making an extension for your organization, I would be happy to send you the basic information you would need.
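The workaround the post describes (a browser extension that fixes the domain_hint on the Azure authorize request before it reaches login.microsoftonline.com) can be written in two shapes: an imperative rewrite of the URL, and a Manifest V3 declarativeNetRequest redirect rule. The code below is an added example, not the poster's extension. It assumes the authorize request is a top-level navigation to login.microsoftonline.com with the standard /oauth2/authorize or /oauth2/v2.0/authorize path, uses a placeholder tenant ID, and runs against a constructed sample URL shaped like the request the post describes; the value it substitutes is whatever you configure, which per the post should be the tenant ID.

```javascript
// Added example, not the original poster's extension. Rewrites the domain_hint
// parameter on an Azure AD authorize request so it carries the configured
// value (the tenant ID, per the post) instead of the Blackbaud connection name.
// Assumptions: the authorize request is a top-level navigation to
// login.microsoftonline.com; TENANT_ID is a placeholder, not a real tenant.
const TENANT_ID = "12345678-90ab-cdef-1234-567890abcdef"; // placeholder

const AUTHORIZE_HOST = "login.microsoftonline.com";
const AUTHORIZE_PATH_RE = /^\/[^/]+\/oauth2\/(v2\.0\/)?authorize$/;
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const DNS_NAME_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// A domain_hint is plausible if it is a tenant ID (GUID) or a dotted domain
// name. A connection name whose periods became hyphens ("school-edu") is
// neither, which is the symptom the post describes.
function isPlausibleDomainHint(value) {
  return GUID_RE.test(value) || DNS_NAME_RE.test(value);
}

// Imperative form: parse the URL, swap the parameter, return the new URL, or
// null when the URL is not an Azure authorize request that needs rewriting.
// Usable from a webNavigation.onBeforeNavigate listener that calls tabs.update.
function rewriteDomainHint(rawUrl, tenantId = TENANT_ID) {
  const url = new URL(rawUrl);
  if (url.hostname !== AUTHORIZE_HOST) return null;
  if (!AUTHORIZE_PATH_RE.test(url.pathname)) return null;
  const current = url.searchParams.get("domain_hint");
  if (current === null || current === tenantId) return null;
  url.searchParams.set("domain_hint", tenantId);
  return url.toString();
}

// Declarative form for a Manifest V3 extension: a declarativeNetRequest
// redirect rule. Group 1 is everything up to the parameter, group 2 the old
// hint, group 3 the rest of the query. The manifest needs the
// "declarativeNetRequest" permission and a host permission for the login host.
function buildRedirectRule(tenantId = TENANT_ID, id = 1) {
  return {
    id,
    priority: 1,
    action: {
      type: "redirect",
      redirect: { regexSubstitution: `\\1domain_hint=${tenantId}\\3` },
    },
    condition: {
      regexFilter:
        "^(https://login\\.microsoftonline\\.com/[^?]*authorize\\?.*[?&])domain_hint=([^&]*)(.*)$",
      resourceTypes: ["main_frame", "sub_frame"],
    },
  };
}

// Offline check of the declarative rule: apply regexFilter/regexSubstitution
// with JavaScript's RegExp, translating \1-style backreferences to $1.
function applyRedirectRule(rule, rawUrl) {
  const re = new RegExp(rule.condition.regexFilter);
  if (!re.test(rawUrl)) return null;
  const substitution = rule.action.redirect.regexSubstitution.replace(/\\(\d)/g, "$$$1");
  return rawUrl.replace(re, substitution);
}

// Constructed sample request shaped like the one the post describes; the
// connection name "school-edu" stands in for a period-to-hyphen mangled domain.
const SAMPLE_AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=11111111-2222-3333-4444-555555555555" +
  "&response_type=code&scope=openid+profile+email" +
  "&redirect_uri=https%3A%2F%2Fsignin.example.invalid%2Fcallback" +
  "&domain_hint=school-edu&state=abc123";

if (typeof require !== "undefined" && require.main === module) {
  console.log("original hint plausible:", isPlausibleDomainHint("school-edu"));
  console.log("rewritten via URL API :", rewriteDomainHint(SAMPLE_AUTHORIZE_URL));
  console.log("rewritten via DNR rule:", applyRedirectRule(buildRedirectRule(), SAMPLE_AUTHORIZE_URL));
}
```

Both paths produce the same URL for the sample request. The declarative rule is the better fit for an extension because it needs no persistent background script and cannot be bypassed by a fast navigation, but its regexFilter is evaluated by the browser's RE2 engine, so keep the pattern free of lookarounds and backreferences; the offline check above uses JavaScript's RegExp only to confirm the capture groups line up before you ship the rule. Note that the rewrite only fires when the host and path match an Azure authorize endpoint, so other domain_hint parameters on other sites are left alone.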