# Single Sign-On (SSO)

### Single Sign-On (SSO)

**What's the difference between the SSO URL and the Redirect URL?**

<div class="overflow-x-auto w-full px-2 mb-6" id="bkmrk-%C2%A0-sso-url-redirect-u"><table class="min-w-full border-collapse text-sm leading-[1.7] whitespace-normal"><thead class="text-left"><tr><th class="text-text-100 border-b-0.5 border-[hsl(var(--border-300)/0.6)] py-2 pr-4 align-top font-bold" scope="col"> </th><th class="text-text-100 border-b-0.5 border-[hsl(var(--border-300)/0.6)] py-2 pr-4 align-top font-bold" scope="col">SSO URL</th><th class="text-text-100 border-b-0.5 border-[hsl(var(--border-300)/0.6)] py-2 pr-4 align-top font-bold" scope="col">Redirect URL</th></tr></thead><tbody><tr><td class="border-b-0.5 border-[hsl(var(--border-300)/0.3)] py-2 pr-4 align-top">**Purpose**</td><td class="border-b-0.5 border-[hsl(var(--border-300)/0.3)] py-2 pr-4 align-top">Where users are sent after signing out or when their session expires — must include login info</td><td class="border-b-0.5 border-[hsl(var(--border-300)/0.3)] py-2 pr-4 align-top">Used by Blackbaud during the authentication process</td></tr><tr><td class="border-b-0.5 border-[hsl(var(--border-300)/0.3)] py-2 pr-4 align-top">**Use for Resource Tile?**</td><td class="border-b-0.5 border-[hsl(var(--border-300)/0.3)] py-2 pr-4 align-top">✅ Yes — always use this</td><td class="border-b-0.5 border-[hsl(var(--border-300)/0.3)] py-2 pr-4 align-top">❌ No</td></tr></tbody></table>

</div>Your SSO URL looks something like: `https://11451.myschooldemo.com/app/sso/auth/pickatime`

It's located under **Core / Content / Additional Content Types / Links**. To construct it, combine the first portion of your Blackbaud URL with the second portion from your SSO link *(see step 5 of [SSO Settings](http://docs.google.com/default.aspx#pageid=creating_your_sso___current_schools))*.

---

**What should my SSO key look like?**

The SSO Key is exactly **88 characters**. A common issue occurs when extra characters are accidentally added after the trailing `==`.

> The key should end at `==` with nothing after it, and must be no longer than 88 characters total.

### SSO Error Messages

**"The integration with pickAtime is not set up correctly"**

Your vendor ID has been appended to the end of the Secret Key (**Global Setup / Business / Show Advanced Options / Single Sign On Options / Blackbaud**).

**Fix:** Remove any characters after the `==` — the key should be exactly 88 characters with nothing following `==`.

---

**"Failed to get Blackbaud Account Information"**

Your SSO URL may be incorrect. Confirm you're using the **SSO URL**, not the **Redirect URL**.

Your SSO URL should look like: `https://11451.myschooldemo.com/app/sso/auth/pickatime`

*(Found under **Core / Content / Additional Content Types / Links** — combine your Blackbaud base URL with the path from your SSO link.)*

If the URL is correct, also confirm your **SSO Key is exactly 88 characters**.

---

**"Failed to get Blackbaud user"**

pickAtime can't communicate with Blackbaud for this user.

**Fix:** Confirm the user exists in **both** systems, and that their **User ID** matches in both.

---

**"Blackbaud user not found"**

pickAtime couldn't find a matching user record.

**Fix:** Verify that:

- The user has been imported into pickAtime
- The user exists in both systems
- The **User ID** matches in both systems

---

**"pickAtime user not found by Blackbaud userID"**

The Blackbaud User ID couldn't be matched to a **Parent ID** or **Teacher ID** in pickAtime.

**Fix:** Confirm the same User ID exists in both systems.