Good Grants supports 3rd party authentication so users can register and sign in using external accounts. This includes social login (Facebook, Google, LinkedIn, etc.) and enterprise authentication via SAML single sign-on (SSO). You can also build your own integration using the API.
Social authentication and API access are available on Premium plans and above. SAML is included with Enterprise subscriptions and is available as a paid add-on for all other plans.
Enable 3rd party authentication
- In the Manage workspace, go to Settings > Users > Registration
- Select Enable registration via 3rd party authentication
- In the '3rd party authentication' section, choose the providers you want to enable
- Click Save
If you want to disable Good Grants's default login, select 3rd party authentication only.
Social authentication
Good Grants supports login via:
- Twitter / X
- WordPress / Drupal (with plugin)
After enabling your chosen providers, social login buttons appear on your program’s home page.
How it works:
- On their first login, users are redirected to the provider to confirm their identity.
- The provider displays its own consent screen.
- If a user declines consent, they can cancel and register normally.
SAML authentication
SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorisation data between your identity provider and Good Grants (service provider).
Good Grants supports both:
- Service-provider-initiated login – button on your Good Grants login page
- Identity-provider-initiated login – link from your organisation’s intranet
Users who sign in via SAML are created with your default role (usually entrant).
Configure SAML
- In the Manage workspace, go to Settings > Users > Registration
- Ensure Enable registration via 3rd party authentication is selected
- Under '3rd party authentication', select SAML
- Enter:
  - Issuer
  - Single sign-on service URL
  - X.509 certificate
- If needed, enable certificate encryption and enter your public/private key
- Click Save
When your identity provider needs Good Grants metadata
Some IdPs (e.g. Microsoft Azure) need service provider details before generating certificates. Use:
- Entity ID: https://<your_account_url>/saml/metadata
- Reply URL (ACS): https://<your_account_url>/saml/callback
Required SAML attributes
Your IdP must send these attributes, and the names must match exactly:
- firstName
- lastName
- email
NameID should be set to persistent.
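A pre-flight check for the requirements above, as an added example (not Good Grants code): it inspects a decoded SAML response captured from a test login at your own IdP for the three attribute names, the persistent NameID format, and the Entity ID and Reply URL given on this page. The Destination and Audience checks follow the SAML 2.0 standard and are an assumption about what Good Grants validates; `grants.example.org` and the sample response are constructed.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "email")
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_response(xml_text, account_url):
    """List mismatches in a decoded SAML response. Diagnostic only: it does
    not verify the signature, so never use it to decide whether to trust a login."""
    root = ET.fromstring(xml_text)
    problems = []
    acs = f"https://{account_url}/saml/callback"        # Reply URL (ACS)
    entity_id = f"https://{account_url}/saml/metadata"  # Entity ID
    if root.get("Destination") != acs:
        problems.append(f"Destination is not {acs}")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience.strip() != entity_id:
        problems.append(f"Audience is not {entity_id}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")
    sent = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
            for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if name not in sent:
            # Names must match exactly, so "FirstName" does not count.
            near = [n for n in sent if n and n.lower() == name.lower()]
            problems.append(f"missing {name}" + (f" (IdP sent {near[0]!r})" if near else ""))
        elif not sent[name]:
            problems.append(f"{name} is empty")
    return problems

# Constructed sample response: wrong attribute casing and a transient NameID.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://grants.example.org/saml/callback"><saml:Assertion>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">x1</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://grants.example.org/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE, "grants.example.org")))
```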
Account linking
When a user signs in using SAML, Good Grants checks whether their email already exists.
- If not, a new user account is created automatically.
- If yes, the user can link their existing Good Grants account by entering a verification code sent by email.
Verification codes expire after 10 minutes but can be regenerated (previous codes become invalid).
Service provider metadata
Once SAML is configured, you will see a Service provider metadata link at the bottom of the Integration tab.
The metadata XML includes:
- entityID URL
- Reply URL (ACS): https://<account_url>/saml/callback
- Required attributes (firstName, lastName, email)
Each account has unique metadata.
Building your own SSO integration
If you prefer to build your own authentication flow, you can use the Good Grants API to:
- Check if a user exists
- Create the user (if they do not exist)
- Generate an auth token
- Redirect the user into Good Grants signed in
Check if the user exists
GET: https://api.cr4ce.com/user/:email
- If the user exists, the response includes their slug (required for the next step).
Get an auth token
GET: https://api.cr4ce.com/user/:slug/auth-token
- Response includes: "auth_token": "..."
Redirect the user into Good Grants
https://<ACCOUNT_DOMAIN>/login?token=<TOKEN>
Create a user (if needed)
POST: https://api.cr4ce.com/user
- Body must include first name, last name, email, password at minimum.
- The response includes the user’s slug.
For full details, go to Settings > Integrations > API documentation.
Good to know
- Social login cannot override privacy or consent requirements set by the identity provider.
- SAML logins always require three attributes: firstName, lastName, and email.
- You can disable standard login entirely if you want authentication to occur only through your identity provider.
- User roles for SAML accounts default to your system’s default role.
- The API allows total flexibility if your organisation uses a non-standard SSO tool.
FAQs
Is there a cost for SAML?
Yes. SAML is included with an Enterprise subscription but may be added to any plan as a paid add-on.
If we have multiple Good Grants accounts, does each one require a SAML purchase?
Yes. Each account that requires SAML will need its own subscription.
What options do we have if we don't purchase SAML?
Your users can register using the default Good Grants flow or use social authentication (Facebook, Twitter / X, Google, etc.).
Can we use our own system?
Yes. You can build your own SSO integration using the Good Grants API.