Single Sign-On (SSO): How to configure Gladstone products for Consumer SSO
A step-by-step guide to prepare your Gladstone environment for Operator SSO using Microsoft Entra (Azure)
August 2025 – With the introduction of Consumer SSO, we have re-written our SSO documentation to make it straightforward to activate both Operator and Consumer SSO. As a result, any customer who had previously configured Operator SSO should re-read the following documentation to ensure all steps have been covered.
Introduction
For customers looking to start using their own Microsoft Entra tenant for authenticating consumers such as Students and Faculty against Gladstone GO, this guide will walk you through the steps required for configuration. Please be aware that prior to this setup the following two steps must have been completed:
- Customers should have contacted their Account Manager, agreed commercials and requested SSO to be switched on for them.
- Customers should have configured their Microsoft Entra admin centre. Steps for this setup can be found here.
Step 1: Users & Permissions
Important:
Before activating your Gladstone SSO, please make sure that existing Gladstone consumers who expect to be authenticated through Gladstone SSO have an email address on their member record that matches the one held in Microsoft Entra. Failure to do so will result in a new member record being created in Gladstone.
Each Entra user who is given access to GladstoneGo in the Entra configuration will need to be linked to a Gladstone member record. There are two ways to achieve this:
- Linking an existing member record
- Creating a new member record via auto-provisioning
1. Linking existing member records to Entra users
Gladstone member records are linked to an Entra user based on email address. The email field of the member record can be configured in Plus2 and needs to match the email of the Entra user. It also needs to be the only member record using that email.
When the Entra user logs in to the Consumer applications of Go Join or Go Book, their linked Gladstone member record will be identified.
2. Creating a new member record via auto-provisioning
If an Entra user logs in to Go Join or Go Book, but there is no linked member record, a new member will be created.
Auto-provisioned users are created with the following details:
User ID | Auto-generated - similar to current member ID generation |
Display Name | Derived from first name and last name of Entra user |
Email | Email of Entra user |
Status | Based off Operator config |
Price Level | Based off Operator config |
Site | Based off Operator config |
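A pre-activation check for the email-matching rule above, as an added example that is not Gladstone's own tooling: it compares a member export with an Entra user export and reports which Entra users have exactly one matching member record, which match only after case or whitespace folding, which hit an email shared by several member records, and which have no member record and would therefore be auto-provisioned. The CSV layouts, column names and sample rows are constructed, and treating case or whitespace differences as something to correct is an assumption, since this guide only says the emails must match.

```python
import csv
import io
from collections import Counter

# Constructed sample exports; the column names are assumptions, not Gladstone or Entra formats.
MEMBERS_CSV = """member_id,email
M1001,alice@example.edu
M1002,Bob@Example.edu
M1003,carol@example.edu
M1004,carol@example.edu
"""

ENTRA_CSV = """display_name,mail
Alice A,alice@example.edu
Bob B,bob@example.edu
Carol C,carol@example.edu
Dan D,dan@example.edu
"""


def normalise(email):
    # Assumption: compare trimmed, case-folded addresses. Anything that only
    # matches after normalisation is reported so it can be corrected in Plus2.
    return email.strip().casefold()


def classify(members_csv, entra_csv):
    members = list(csv.DictReader(io.StringIO(members_csv)))
    counts = Counter(normalise(m["email"]) for m in members if m["email"].strip())
    exact = {m["email"] for m in members}
    report = {"linked": [], "fix_spelling": [], "duplicate": [], "will_auto_provision": []}
    for user in csv.DictReader(io.StringIO(entra_csv)):
        mail = user["mail"]
        n = counts.get(normalise(mail), 0)
        if n == 0:
            bucket = "will_auto_provision"  # no member record: a new one is created
        elif n > 1:
            bucket = "duplicate"  # email is not unique among member records
        elif mail in exact:
            bucket = "linked"  # exactly one member record with the same email
        else:
            bucket = "fix_spelling"  # matches only after case/whitespace folding
        report[bucket].append(mail)
    return report


if __name__ == "__main__":
    for bucket, mails in classify(MEMBERS_CSV, ENTRA_CSV).items():
        print(f"{bucket}: {', '.join(mails) or '-'}")
```

Every address outside the `linked` bucket is worth resolving in Plus2 or Entra before Consumer SSO is switched on.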
Step 2: Enable Consumer SSO
1. Within your previously configured Microsoft Entra account (see setup guide here), select the appropriate Enterprise application, e.g. GladstoneGo, and go to Manage > Single sign-on.
2. Scroll to Stage 3 SAML Certificates and copy the App Federation Metadata Url.
3. From your Operator environment, go to Configuration > Integrations > Single Sign-On.
4. In the Authentication SAML Federation Metadata URL field, enter the Metadata URL copied in Step 2.
5. Toggle Enable Consumer SSO to the On position, then set the Status you wish all auto-provisioned member records to be created with, e.g. Import.
6. The number of groups you need to create in Microsoft Entra depends on how you manage your members at site. If all your consumers, Faculty and Students operate on the same price level, then it is feasible to have a single group. If, however, you have different price levels or different sites, then multiple groups will be required.
Once this is defined, navigate to Manage > Users and groups within Microsoft Entra and select the first group of users which has been identified as requiring access to Consumer (Go Book and Go Join).
7. Copy the Object ID of the Entra Group.
8. From Operator, select the option Add entra group mapping and enter the name of the group, the group ID (which you can paste from Step 7), the appropriate price level and site.
9. Repeat Step 8 for all required groups, then select Save.