Good Grants can be configured for single sign-on (SSO) with Microsoft Entra ID (formerly Azure AD) using SAML. This lets users in your Microsoft Entra tenant log in to Good Grants with their existing Microsoft identity, without creating separate Good Grants credentials.
Configure SAML in Microsoft Azure
- Log in to the Microsoft Azure portal
- Go to All services and select Microsoft Entra ID
- Open the Add menu and choose Enterprise application
- Click Create your own application
- Enter an application name
- Click Create
- Select Set up single sign-on
- Choose SAML
- In Basic SAML Configuration, set the following values, replacing "your_Good_Grants_account_domain" with your program's domain (the host name of your Good Grants program URL, without https://). Both values must match exactly what Good Grants sends; Microsoft Entra ID rejects sign-in requests whose Issuer or Reply URL differs from what is registered:
- Identifier (Entity ID): https://your_Good_Grants_account_domain/saml/metadata
- Reply URL (Assertion Consumer Service URL): https://your_Good_Grants_account_domain/saml/callback
- In the 'Attributes & Claims' section, add claims named firstName, lastName, and email, mapped to the corresponding user attributes (for example user.givenname, user.surname, and user.mail)
- Set the Name identifier format of the Unique User Identifier (Name ID) claim to Persistent, so each user is identified by a stable, opaque ID rather than an email address that may later change
- Remove any value from the Namespace field of each additional claim, so the claim is sent with the bare name (firstName, not a namespaced URI) that Good Grants expects
Enable SAML in Good Grants
- In the Manage workspace, go to Settings > Users > Registration
- Under '3rd party authentication', select SAML
- Copy the Azure AD Identifier (labelled Microsoft Entra Identifier in newer versions of the portal) from Microsoft Azure and paste it into Issuer
- Copy the Login URL from Microsoft Azure and paste it into Single sign-on service URL
- Download the Certificate (Base64) from the SAML Certificates section in Microsoft Azure
- Open the downloaded file in a text editor and paste the certificate text into the X.509 certificate field. Good Grants uses this certificate to verify the signature on assertions from Microsoft Entra ID, so it must be updated whenever the signing certificate is rotated or expires; otherwise SAML logins will fail
- Click Save
Accessing SAML login
A SAML login button will now appear on your program home page. Users who are signed in to Microsoft Entra ID (and, if your enterprise application requires user assignment, who have been assigned to it) can select this button to sign in without entering Good Grants credentials.
You can also link directly to: https://your_Good_Grants_account_domain/saml/login
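The settings above are easy to get subtly wrong (a namespace left on a claim, an email-address NameID instead of a persistent one, a certificate pasted with stray whitespace), and the failure usually surfaces only as a generic login error. The script below is an added example, not Good Grants' or Microsoft's code: it cleans a pasted certificate into a single PEM block, builds the SP-initiated AuthnRequest that a link to /saml/login would trigger (using the Entity ID, Reply URL and persistent NameID policy from this article) and encodes it in the HTTP-Redirect binding, then checks a constructed, unsigned sample of the Response Microsoft Entra ID would post back for exactly the properties the configuration steps control. The tenant ID, the `sts.windows.net` issuer, the function names and the sample response are assumptions for illustration. Signature verification is deliberately omitted because the sample is unsigned; a real service provider must verify the XML signature with the pasted X.509 certificate before trusting any claim.

```python
"""Checks for a Good Grants <-> Microsoft Entra ID SAML setup.

Added example, not Good Grants' or Microsoft's code. Claim names, NameID
format and SP URLs follow the article; tenant values, function names and
the sample response are constructed. The sample is unsigned, so signature
verification is deliberately omitted: a real SP must verify the XML
signature with the pasted X.509 certificate before trusting any of this.
"""
import base64
import re
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_CLAIMS = ("firstName", "lastName", "email")

SP_DOMAIN = "your_Good_Grants_account_domain"        # placeholder, as in the article
SP_ENTITY_ID = f"https://{SP_DOMAIN}/saml/metadata"  # Identifier (Entity ID)
SP_ACS_URL = f"https://{SP_DOMAIN}/saml/callback"    # Reply URL (ACS)
# Hypothetical tenant values; copy the real ones from the Entra ID SSO page.
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def normalize_pem(text: str) -> str:
    """Clean a pasted certificate into one PEM block (headers optional,
    whitespace ignored); raise if the body is not base64-encoded DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)
    if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("not a DER certificate")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def authn_request(request_id: str, issue_instant: str) -> str:
    """Hand-written SP-initiated AuthnRequest asking for a persistent NameID."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_url(sso_url: str, xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = z.compress(xml.encode()) + z.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def decode_redirect_url(url: str) -> tuple:
    """Reverse redirect_url; returns (Issuer, AssertionConsumerServiceURL)."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    return root.find("saml:Issuer", NS).text, root.get("AssertionConsumerServiceURL")


def sample_response(claims: dict, nameid_format: str = PERSISTENT) -> str:
    """Constructed, unsigned Response in the shape Entra ID posts to the ACS URL."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items())
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}">'
        f"<saml:Issuer>{IDP_ISSUER}</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<saml:Subject><saml:NameID Format="{nameid_format}">user-guid</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def check_response(xml: str) -> list:
    """Check issuer, destination, NameID format and bare claim names."""
    root = ET.fromstring(xml)
    problems = []
    if root.find("saml:Issuer", NS).text != IDP_ISSUER:
        problems.append("Issuer does not match the configured Entra identifier")
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not the Reply URL")
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    # A '/' in the name means the Namespace field was left filled in Additional claims.
    problems += [f"claim {n!r} still carries a namespace" for n in names if "/" in n]
    problems += [f"claim {c!r} missing" for c in REQUIRED_CLAIMS if c not in names]
    return problems
```

Run `check_response(sample_response({...}))` with the claims you expect Entra ID to send; an empty list means the NameID is persistent, the claim names are bare and the Issuer and Destination match what you pasted into Good Grants. Feeding it a response where the email claim still carries the default `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/` prefix reports both the namespaced name and the missing `email` claim, which is exactly the symptom the "remove any value from the Namespace field" step prevents.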
Good to know
- Assertion encryption is optional. Assertions are still signed, and the X.509 certificate pasted above is what Good Grants uses to validate that signature.
- Some identity providers require a service-provider certificate (public key) or private key, for signing requests or decrypting assertions; the Microsoft Entra ID setup described above does not need one.
- SAML users do not need to register separately in Good Grants; an account is matched or created when they first sign in through SAML.
- SAML configuration applies to login only, not role assignment. Roles are still managed within Good Grants and are not derived from Microsoft Entra ID group membership.