> For the complete documentation index, see [llms.txt](https://knowledge-base.letsgetdigital.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://knowledge-base.letsgetdigital.com/accounts-and-security/single-sign-on-sso-wip.md).

# Single sign-on (SSO) (WIP)

Single sign-on (SSO) lets your team sign in to a Let's Get Digital admin environment using your own organisation's identity provider — **Microsoft Entra ID** or **Google** — instead of (or alongside) the normal Global login. This article explains what the admin sees on the login page, how SSO is set up, and how access is controlled per environment.

{% hint style="info" %}

### Note

This is **Phase 1**: SSO covers signing in to an individual admin environment. There is currently no SSO entry point at the Global login page itself — see [Where SSO does not apply yet](#where-sso-does-not-apply-yet).
{% endhint %}

## How SSO is organised

There are two levels to SSO, and it helps to keep them separate:

| Level                      | What lives here                                                                                                                                                        | Who manages it                      |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| **Organisation (company)** | The SSO provider connection: which provider (Entra ID or Google), and its credentials. **One configuration is shared across all of that organisation's environments.** | Let's Get Digital staff (see below) |
| **Environment**            | The *login mode* for each individual environment: Global login, Global login + SSO, or SSO only.                                                                       | Let's Get Digital staff             |

Because the provider configuration is held once at the organisation level and reused by every linked environment, one change affects every environment under that organisation at the same time.

{% hint style="warning" %}

### Important

**SSO configuration is currently set up by Let's Get Digital staff, not self-service.** As the organiser you hold your identity provider's details (Client ID, Client secret, Tenant/Directory ID). To enable SSO you provide these to Let's Get Digital, who enter them and link your environments. You cannot configure SSO yourself from the admin panel in Phase 1.
{% endhint %}

## What the admin sees on the login page

What appears on an environment's admin login page depends on that environment's login mode.

* **Global login + single sign-on** — the page shows a **"Sign in with Microsoft Entra ID"** and/or **"Sign in with Google"** button, an **"or"** divider, and a **"Go to global login"** button.
* **Single sign-on only** — the page shows only the SSO button(s) under the heading **"Sign In"** with the subtitle *"Sign in to continue to the admin panel."* There is no route to Global login from this page.
* **Global login** (no SSO) — the page shows only the **"Go to global login"** button.

{% hint style="info" %}

### Note

The admin login page never asks for a username and password directly. The **"Go to global login"** button takes you to the Global login page, where you sign in with your Global login method (one-time code, passkey, or Google). To learn more about Global login, [click here](/accounts-and-security/global-login.md).
{% endhint %}

### Signing in with SSO

1. On the environment's admin login page, click **"Sign in with Microsoft Entra ID"** or **"Sign in with Google"**.
2. You are sent to your identity provider to authenticate (and approve, if prompted).
3. Your provider sends you back to the environment and you are signed in.

If sign-in fails, you are returned to the same admin login page with an error shown inline — you are not bounced around or left on a blank error page.

## How a user is matched

SSO does **not** create new accounts. Sign-in is matched on the **email address** your identity provider returns:

* The email must be **verified** by the provider. For Google this uses the provider's `email_verified` claim; for Entra ID a returned email is treated as verified.
* That email must already belong to an **admin user in that environment**. If the email is unknown, or the account is not an admin, sign-in is denied with: *"Your account is not authorised to access this environment."*

On a first successful sign-in, the user's **first and last name** are filled in from the provider **only if they are currently empty** — existing names are never overwritten.

{% hint style="info" %}

### Note

**Job title is not synced.** Only email and name are used. Job title is not part of the sign-in claims for either Microsoft or Google, so it cannot be carried across — even if it is set in Entra ID or Google.
{% endhint %}

## Setting up a provider

Your Let's Get Digital event consultant sets up the SSO connection for you. Your part is to create an app registration in your own identity provider (Entra ID or Google) and hand over its details — here's what's involved.

{% hint style="warning" %}

### Important

**Entra ID — claim setup matters.** For first and last name to come through cleanly on Entra ID, the app registration should expose `email`, `given_name` and `family_name` as optional claims (Token configuration). Without them, the user's name is guessed by splitting their Entra ID display name on first sign-in.
{% endhint %}
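The matching rules from [How a user is matched](#how-a-user-is-matched) and the Entra ID name fallback described in the note above, as an added example. This is illustrative code written for this article, not Let's Get Digital's implementation: the function and class names are made up, the claim dictionaries and admin records are constructed sample data, and the allowed hosted domain check against Google's `hd` claim is an assumption about how that setting is enforced.

```python
"""Added example (not Let's Get Digital's code): matching an SSO sign-in to an
existing admin user, following the rules on this page.

- email must be verified: Google via its `email_verified` claim; an email returned
  by Entra ID is treated as verified
- the email must already belong to an admin of the environment; no account is created
- first/last name are filled from the provider only when currently empty
- Entra ID: without `given_name`/`family_name` claims, the name is guessed by
  splitting the display name (`name` claim) on first sign-in
- Google's optional allowed hosted domain is assumed here to be compared with the
  `hd` claim (an assumption; the page does not say how it is checked)

Claim dictionaries and admin records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

NOT_AUTHORISED = "Your account is not authorised to access this environment."


class SsoDenied(Exception):
    """Raised when sign-in must be refused; the message is shown inline on the login page."""


@dataclass
class AdminUser:
    email: str
    first_name: str = ""
    last_name: str = ""


@dataclass
class Environment:
    # Admins keyed by lower-cased email (case-insensitive matching is an assumption).
    admins: dict[str, AdminUser] = field(default_factory=dict)


def verified_email(provider: str, claims: dict, allowed_hosted_domain: Optional[str] = None) -> str:
    """Return the provider-verified email address, or raise SsoDenied."""
    email = (claims.get("email") or "").strip().lower()
    if not email:
        raise SsoDenied(NOT_AUTHORISED)
    if provider == "google":
        # Google states verification explicitly; anything but True is rejected.
        if claims.get("email_verified") is not True:
            raise SsoDenied(NOT_AUTHORISED)
        # Assumption: the allowed hosted domain is enforced against Google's `hd`
        # claim, which is only present for Google Workspace accounts.
        if allowed_hosted_domain and (claims.get("hd") or "").lower() != allowed_hosted_domain.lower():
            raise SsoDenied(NOT_AUTHORISED)
    elif provider != "entra":
        raise SsoDenied(NOT_AUTHORISED)
    # Entra ID: per this page, a returned email is treated as verified.
    return email


def names_from_claims(provider: str, claims: dict) -> tuple[str, str]:
    """Prefer given_name/family_name; for Entra ID fall back to splitting the display name."""
    given = (claims.get("given_name") or "").strip()
    family = (claims.get("family_name") or "").strip()
    if provider == "entra" and not (given or family):
        parts = (claims.get("name") or "").strip().split(" ", 1)
        given = parts[0]
        family = parts[1] if len(parts) > 1 else ""
    return given, family


def match_sso_user(env: Environment, provider: str, claims: dict,
                   allowed_hosted_domain: Optional[str] = None) -> AdminUser:
    """Match the sign-in to an existing admin of `env`; never creates an account."""
    email = verified_email(provider, claims, allowed_hosted_domain)
    user = env.admins.get(email)
    if user is None:  # unknown email, or not an admin of this environment
        raise SsoDenied(NOT_AUTHORISED)
    given, family = names_from_claims(provider, claims)
    # Fill names only when empty; existing names are never overwritten.
    user.first_name = user.first_name or given
    user.last_name = user.last_name or family
    return user


def sample_environment() -> Environment:
    """Constructed sample data: one admin with names already set, two without."""
    return Environment(admins={
        "ana@example.com": AdminUser("ana@example.com"),
        "bo@example.com": AdminUser("bo@example.com", "Bo", "Smith"),
        "cara@example.com": AdminUser("cara@example.com"),
    })


if __name__ == "__main__":
    env = sample_environment()
    google_claims = {"email": "Ana@Example.com", "email_verified": True,
                     "given_name": "Ana", "family_name": "Lopez", "hd": "example.com"}
    print(match_sso_user(env, "google", google_claims, "example.com"))
    entra_claims = {"email": "cara@example.com", "name": "Cara De Vries"}  # no given/family claims
    print(match_sso_user(env, "entra", entra_claims))
    try:
        match_sso_user(env, "google", {"email": "dan@example.com", "email_verified": True})
    except SsoDenied as e:
        print("denied:", e)
```

The point worth noticing is the asymmetry between the two providers: Google's `email_verified` is checked, while an Entra ID email is accepted as-is, so for Entra ID the app registration and its Directory (tenant) ID are what limit who can present an email that matches one of your admins. Exposing `given_name` and `family_name` as optional claims avoids the display-name split, which guesses wrong for names like "Cara De Vries" only by luck of where the first space falls.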

### Add providers

For each provider you're using, gather these details from your app registration and share them with your event consultant:

| Detail                    | Notes                                                                                                |
| ------------------------- | ---------------------------------------------------------------------------------------------------- |
| **Provider**              | Entra ID or Google (read-only once saved)                                                            |
| **Client ID**             | From the app registration                                                                            |
| **Client secret**         | From your app registration. Treat it like a password — keep it secure.                               |
| **Directory (tenant) ID** | Entra ID only                                                                                        |
| **Allowed hosted domain** | Google only, optional. Restricts sign-in to one Google Workspace domain; must be a valid domain name |

{% hint style="danger" %}

### WARNING: Protect Your Client Secret

**Treat your Client Secret like a password**. Do not share it via email or chat (Slack, Teams, etc.), as message histories are insecure.

* **How to share:** Use a self-destructing one-time link (via a password manager) or a password-protected file. Ask your event consultant for their preferred secure channel.
* **Compromised?** If exposed, regenerate the secret immediately in your identity provider, then pass the new secret to Let's Get Digital through the same secure channel.
{% endhint %}

Your event consultant will also give you a redirect URI. Register this exact URI in your Entra ID or Google app registration — it tells your provider to send admins back to Let's Get Digital after they sign in.

{% hint style="info" %}

### Note

**One connection per provider type**. An organisation can have an Entra ID connection and a Google connection at the same time — you just can't add two of the same type. The provider type is fixed once a connection is saved: to change a connection you update its credentials, you don't switch it to a different provider.
{% endhint %}

### Setting the login mode per environment

For each of your environments, you choose how admins sign in. Let's Get Digital applies the mode for you:

* **"Global login"** — Global login only; no SSO buttons.
* **"Global login + single sign-on"** — both Global login and SSO buttons.
* **"Single sign-on only"** — SSO buttons only; Global login (one-time code, passkey, or Google) is turned off for that environment.

### Built-in safeguards

The system prevents the configurations that would lock everyone out:

* You cannot switch an environment to a mode that uses SSO unless an **enabled provider** is configured. Attempting it shows: *"An environment can only use single sign-on while an enabled provider is configured…"*
* You cannot **delete or disable the last enabled provider** while any environment is set to **Single sign-on only** — that environment would have no way in.
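The organisation-level connections, the per-environment login modes and the two safeguards above, as an added example in code. This is illustrative code written for this article, not Let's Get Digital's implementation: the class and method names are made up, the credential values are placeholders, and the one-connection-per-provider-type rule and the login-page buttons per mode are taken from the sections above.

```python
"""Added example (not Let's Get Digital's code): organisation-level provider
connections and per-environment login modes, with this page's safeguards enforced.

Rules modelled:
- one connection per provider type (Entra ID, Google); the type is fixed once saved,
  only credentials can be updated
- an environment can only be set to a mode that uses SSO while an enabled provider exists
- the last enabled provider cannot be disabled or deleted while any environment is
  "Single sign-on only"
- which buttons the admin login page shows, per mode

Class and method names are illustrative; the credential values are placeholders.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class LoginMode(Enum):
    GLOBAL = "Global login"
    GLOBAL_AND_SSO = "Global login + single sign-on"
    SSO_ONLY = "Single sign-on only"

    @property
    def uses_sso(self) -> bool:
        return self is not LoginMode.GLOBAL


class ConfigError(ValueError):
    """A change that would leave an environment with no way in, or break a rule above."""


@dataclass
class Provider:
    kind: str                                   # "entra" or "google"; read-only once saved
    client_id: str
    client_secret: str                          # treat like a password; never log it
    tenant_id: Optional[str] = None             # Entra ID only
    allowed_hosted_domain: Optional[str] = None  # Google only, optional
    enabled: bool = True


BUTTON = {"entra": "Sign in with Microsoft Entra ID", "google": "Sign in with Google"}


@dataclass
class Organisation:
    providers: dict[str, Provider] = field(default_factory=dict)       # keyed by kind
    environments: dict[str, LoginMode] = field(default_factory=dict)   # env name -> mode

    def enabled_providers(self) -> list[Provider]:
        return [p for p in self.providers.values() if p.enabled]

    def add_provider(self, p: Provider) -> None:
        if p.kind not in BUTTON:
            raise ConfigError(f"unknown provider type: {p.kind}")
        if p.kind in self.providers:
            raise ConfigError("one connection per provider type")
        if p.kind == "entra" and not p.tenant_id:
            raise ConfigError("Entra ID requires a Directory (tenant) ID")
        self.providers[p.kind] = p

    def update_credentials(self, kind: str, client_id: str, client_secret: str,
                           tenant_id: Optional[str] = None) -> None:
        """Rotate credentials (e.g. after a secret expires); the provider type does not change."""
        p = self.providers[kind]
        p.client_id, p.client_secret = client_id, client_secret
        if kind == "entra":
            p.tenant_id = tenant_id or p.tenant_id

    def set_login_mode(self, env: str, mode: LoginMode) -> None:
        if mode.uses_sso and not self.enabled_providers():
            raise ConfigError("An environment can only use single sign-on while an enabled provider is configured")
        self.environments[env] = mode

    def _would_lock_out(self, kind: str) -> bool:
        """True if removing `kind` leaves an SSO-only environment with no enabled provider."""
        others = [p for p in self.enabled_providers() if p.kind != kind]
        sso_only = any(m is LoginMode.SSO_ONLY for m in self.environments.values())
        return sso_only and not others

    def disable_provider(self, kind: str) -> None:
        if self._would_lock_out(kind):
            raise ConfigError("cannot disable the last enabled provider while an environment is SSO only")
        self.providers[kind].enabled = False

    def delete_provider(self, kind: str) -> None:
        if self._would_lock_out(kind):
            raise ConfigError("cannot delete the last enabled provider while an environment is SSO only")
        del self.providers[kind]

    def login_page_buttons(self, env: str) -> list[str]:
        """Buttons on the environment's admin login page, in display order."""
        mode = self.environments.get(env, LoginMode.GLOBAL)
        buttons = [BUTTON[p.kind] for p in self.enabled_providers()] if mode.uses_sso else []
        if mode is not LoginMode.SSO_ONLY:
            buttons.append("Go to global login")
        return buttons


if __name__ == "__main__":
    org = Organisation()
    org.add_provider(Provider("entra", "client-id", "placeholder-secret", tenant_id="directory-id"))
    org.set_login_mode("events-2025", LoginMode.SSO_ONLY)
    print(org.login_page_buttons("events-2025"))
    try:
        org.disable_provider("entra")
    except ConfigError as e:
        print("refused:", e)
```

Note that the lock-out check only considers environments in "Single sign-on only" mode: an environment in "Global login + single sign-on" keeps its "Go to global login" route when the last provider is disabled, so that change is allowed and its SSO buttons simply disappear.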

### When the secret expires

If the provider's client secret expires or is wrong, the admin sees a clear message rather than a cryptic error, for example: *"Single sign-on is configured incorrectly or the key has expired. Please provide Let's Get Digital with new credentials to proceed."* Provide Let's Get Digital with a fresh secret to restore access.

## Where SSO does not apply yet

* **Global login page** — the Global login offers one-time code, passkey, and Google as sign-in methods. An organisation using **Entra ID** can sign in to each environment via the SSO button, but there is no Entra ID path at the Global login page itself in Phase 1.
* **Self-service SSO setup** — entering and managing provider credentials is done by Let's Get Digital staff, not by organisers, in Phase 1.
