
Setting Up SAML SSO with Goodworld

Goodworld supports Single Sign-On (SSO) via SAML 2.0, allowing your organization to authenticate donors and staff using your existing identity provider, including Okta, Microsoft Entra ID (Azure AD), PingFederate, OneLogin, ADFS, and others.

Written by Richie Kendall

Overview

SAML SSO allows users to log in to Goodworld using credentials managed by your organization's identity provider (IdP). Goodworld acts as the Service Provider (SP), and your IdP handles authentication.


Step 1: Gather Your IdP Metadata

Before configuring Goodworld, you'll need either a metadata URL or metadata XML file from your identity provider. Most IdPs make this available in their admin console under federation, SSO, or application settings.

The metadata contains your IdP's issuer, entity ID, SSO endpoint, and signing certificates. Goodworld uses this to establish a trusted connection automatically.


Step 2: Configure SAML in the Goodworld Dashboard

  1. Navigate to your Company or Organization settings.

  2. Go to the Single Sign-On section.

  3. Find the SAML card and click Connect, then Configure.

  4. Complete the configuration across four tabs:

Metadata Tab

Choose one of the following:

  • Metadata URL — Paste the URL where your IdP publishes its metadata. Goodworld will fetch and parse it automatically.

  • Metadata XML — Paste the raw XML directly if your IdP does not expose a public metadata URL.

Goodworld will automatically derive the issuer, entity ID, SSO endpoints, and certificates from whichever option you provide.

Branding Tab

  • Display Name — The label shown on the SSO login button for donors (e.g., "Acme Corp SSO").

  • Logo URL (optional) — A logo to display alongside the button.

Attribute Mapping Tab

Map SAML attributes from your IdP to Goodworld user fields:

  • Email (required) — At least one SAML attribute that maps to the user's email address.

  • First Name, Last Name, Display Name, Profile Picture (optional) — Additional attributes, listed in priority order.

The attribute names here should match what your IdP includes in the SAML assertion. Check your IdP's attribute release policy or application configuration if you're unsure of the exact names.

Security Tab

  • Require signed authentication requests (default: on)

  • Require signed assertions (default: on)

  • Require signed responses (default: on)

  • Clock Skew — Maximum allowed clock difference in seconds (default: 0, max: 3600).

  • Requested AuthnContext (optional) — One value per line.

Important: Goodworld expects your IdP to sign both assertions and responses by default. Make sure your IdP's SP connection or application is configured accordingly. Consult your IdP's documentation for where to manage signature settings.


Step 3: Configure Your IdP with Goodworld's SP Metadata

After saving your configuration, the Goodworld dashboard will display:

  • Goodworld Metadata URL — Use this to import Goodworld's Service Provider metadata directly into your IdP. The URL follows the pattern: {API_URL}/saml/metadata/{providerId}

  • ACS (Assertion Consumer Service) URL — {API_URL}/saml/acs/{providerId}

In your IdP's admin console, create a new SAML application or SP connection and import Goodworld's metadata URL, or manually enter the ACS URL and entity ID. Refer to your IdP's documentation for the specific steps.


Troubleshooting

  • Certificate expiration — The Goodworld dashboard displays certificate expiration dates. When your IdP rotates its signing certificates, re-import the updated metadata to avoid authentication failures.

  • Signed assertion or response errors — If Goodworld rejects the SAML response, confirm that your IdP is configured to sign both assertions and responses. Goodworld requires both by default.

  • Attribute mapping issues — If user profiles are incomplete after login (e.g., missing name or email), verify that your IdP's attribute release policy includes the mapped attributes and that the attribute names in Goodworld match exactly what the IdP sends in the assertion.

  • Login button not appearing — Ensure the SAML configuration has been saved and that the integration is marked as active in the SSO section of your dashboard.

  • Clock skew errors — If users intermittently fail to authenticate, there may be a time synchronization issue between your IdP and Goodworld's servers. Increase the Clock Skew value in the Security tab to allow for a small time difference.


Need Help?

If you're unsure how to configure your specific identity provider, contact your IdP administrator or reach out to Goodworld Support with your IdP name and any error messages you're seeing.
