Legacy Single Sign On Guide (SSO)

Third party applications (TPA) would like to use Blackbaud On Products as the identity and login provider. When an end user attempts to use the TPA site, they are automatically redirected to an On Products login screen. After logging in, the user is automatically redirected back to the TPA site. This is done in a secure manner so that we don't expose the username or password.

Using the On Products Redirect SSO, a TPA can authenticate users without creating a login screen. The user will always see the On Products login screen which reduces confusion for users as they will always type their On Products credentials into the same screen all the time.

How it works

This diagram shows the login process for a user who may or may not be logged into the school's On Products site.

A user can browse directly to a link for the TPA (it could even be bookmarked).

The TPA redirects the browser to the On Products SSO URL.

On Products display the On Products login screen if the user was not already logged into Podium.

On successful login, the browser is redirected back to the TPA with an encrypted token containing the user's credentials


  • The original link to the TPA contains no credentials or tokens. So it can be publicly exposed or bookmarked by users.

  • Encryption is done on the TPA and On Products servers. So an attacker cannot benefit from capturing the network traffic sent to and from the browser.

  • Because of timestamps in the data, an attacker cannot reuse a captured token.

What you need to do

  1. Obtain the On Products SSO URL to redirect login requests. Your SSO URL would follow the example, except you'll replace schoolname with your school's unique myschoolapp 'name.'
    Example: https://schoolname.myschoolapp.com/app/sso/custom

  2. Obtain an Encryption Key from your Web Service API Manager. Key is available to Web Service API managers when they log on to Core. From Core, Settings, Integrations, SDK SSO Settings, copy the key from the Shared Secret field. 'Shared Secret' is the 'Encryption Key.'

  3. Modify the TPA login process to call Blackbaud servers to do the login validation.

Download the code


Code is available on bitbucket.org the contians a working example of the Custom SSO code in c#. This is the basis for what will need to be added to the TPA for authentication to take place.



A PHP application is located on bitbucket.org and contains all the basic code need to setup an SSO. Installing the source files on any server that runs php will allow you to run the SSO demo called ‘sso.php’.



Have a question? See a problem with our docs? Want to engage with the ON API team? Please visit us on the ON API Community!