
Federated SSO

Before you start:
  • An identity provider (IDP) that can accept authentication rules for GoFundMe Pro and check for a user's authentication status is required.
  • Federated SSO is not included in all GoFundMe Pro plans and may involve an additional cost. Reach out to your Account Manager or Customer Success Manager for specific pricing and plan details.

GoFundMe Pro federated SSO makes it easier to manage your admins' accounts by allowing them to sign in to GoFundMe Pro and manage their passwords through your existing IDP.

Federated SSO is for administrators who work directly with your organization, not donors or supporters.

GoFundMe Pro's federated SSO supports:

  • Identity providers that use SAML 2.0 or OIDC protocols, such as Azure or Okta
  • User creation through bulk upload by GoFundMe Pro
  • Identification of admins by your organization’s email domain
    • This is how GoFundMe Pro knows who needs to be authenticated through your IDP.
    • Once activated, all email addresses belonging to your email domain(s) must authenticate to GoFundMe Pro via SSO.
  • Password creation, reset, and recovery through your organization’s IDP
  • Two-factor (2FA) or multi-factor authentication (MFA) through your organization’s IDP, if available

GoFundMe Pro's federated SSO does not support:

  • Authentication through social logins such as Facebook, Google, etc.
  • Donor or supporter account creation or login
    • Donors and supporters will continue to create and manage their accounts directly in GoFundMe Pro.
  • Custom roles or organization-specific attributes
  • Password creation, reset, and recovery in GoFundMe Pro
    • After SSO activation, your organization’s IDP will manage these flows.
  • 2FA or MFA through GoFundMe Pro

Connecting your organization’s IDP to GoFundMe Pro's federated SSO requires setup and testing in your organization’s IDP and GoFundMe Pro's IDP. We recommend budgeting 3-4 weeks for this process. The activation process will consist of the following:

  • IDP configuration in GoFundMe Pro
  • Admin user creation
  • User testing in your organization’s IDP
  • Activating SSO for your organization

Initial SSO setup will take place in your GoFundMe Pro account and will be tested with one user. Once testing is complete, SSO configuration is done in GoFundMe Pro's production environment and turned on when your organization is ready.

Frequently asked questions

What does my organization need to have set up before we can start onboarding to GoFundMe Pro's federated SSO solution?

You need to have a fully implemented identity provider (IDP). Your IDP should be able to actively accept authentication rules for a given app (in this case, GoFundMe Pro) and check for a user's authentication status.

Does our organization need domain masking in GoFundMe Pro to use federated SSO?

No, domain masking is not required. Your organization just needs a unique email domain that all admins will use to access GoFundMe Pro.

Where can our organization find the URLs, IDs, certificates, or other required information in our IDP that GoFundMe Pro needs to configure SSO?

The locations will be specific to your IDP. GoFundMe Pro's IDP provides documentation on configuring some external IDPs, such as Azure. However, if your IDP is not listed and you aren’t sure where to find the required information, contact your GoFundMe Pro account manager.

What if there are admin users in our organization who do not use our organization's custom email domain? How will they log in after we activate federated SSO?

To ensure all admins authenticate against your IDP, we suggest you update these users to an email address under the custom domain.

Federated SSO eligibility is decoupled from GoFundMe Pro and handled entirely in GoFundMe Pro's IDP. In our IDP, we determine which identity provider should confirm authentication based on the user’s email domain. If the user provides a generic email domain, it will not match any identity provider routing rules, so the user would log in via the standard GoFundMe Pro login page and authenticate directly to GoFundMe Pro.

What if our organization uses more than one unique email domain for our admins?

We can support multiple email domains for your admins. During configuration, GoFundMe Pro would create multiple group rules in our IDP to add the different unique email domains to the right group. We would also create multiple IDP routing rules for the service provider-initiated login flow.

Inform your GoFundMe Pro contact at the beginning of the configuration process if you need to support multiple unique email domains.
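
The two answers above mean that any admin whose address falls outside your SSO email domain(s) will keep signing in directly after activation. The following is an added example, not GoFundMe Pro code, that checks an admin list for such accounts before you activate SSO. Assumptions: the domain set, the CSV column names and the whole-domain matching rule are all hypothetical; confirm how subdomains are handled with your GoFundMe Pro contact.

```python
import csv
import io

# Assumption: the organization's SSO email domains, as given to GoFundMe Pro
# during configuration. These values are constructed for the example.
SSO_DOMAINS = {"example.org", "example-foundation.org"}

# Constructed sample of an admin list; the column names are hypothetical and
# not a GoFundMe Pro export format.
SAMPLE_ADMINS = """email,role
alice@example.org,Organization Admin
Bob@Example-Foundation.ORG,Campaign Manager
carol@gmail.com,Organization Admin
dave@mail.example.org,Reporting
erin-at-example.org,Campaign Manager
"""


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def classify(address, sso_domains):
    """Say how an admin would sign in once SSO is active for sso_domains."""
    domain = email_domain(address)
    if domain is None:
        return "invalid"
    # Assumption: routing rules match the whole domain, so a subdomain such
    # as mail.example.org is only covered if it is listed itself.
    return "sso" if domain in sso_domains else "direct"


def audit(csv_text, sso_domains):
    """Group admin addresses by expected sign-in path."""
    result = {"sso": [], "direct": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row["email"], sso_domains)].append(row["email"])
    return result


if __name__ == "__main__":
    for path, addresses in audit(SAMPLE_ADMINS, SSO_DOMAINS).items():
        print(f"{path}: {addresses}")
```

Addresses reported as `direct` are the ones to move onto your organization's domain, or to raise as additional domains at the start of configuration.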

Does GoFundMe Pro's SSO solution support just-in-time user creation?

We do not support just-in-time (JIT) user creation. Users must be created in GoFundMe Pro before they can log in via federated SSO.

Where should our admins log into GoFundMe Pro after SSO is activated?

Admins can continue to log in through GoFundMe Pro, or they can log in directly from your identity provider portal through an app configured during onboarding.

How would our admins request a password reset after we activate SSO?

Once your organization activates SSO, GoFundMe Pro will no longer manage your admins' passwords. Instead, your organization’s IDP will manage them. Reach out to your IDP administrator for assistance with password reset and recovery.

How would our organization add or remove admins or manage roles and permissions after we activate SSO?

You will continue to add and remove admins and manage their roles and permissions in GoFundMe Pro. New admins will continue receiving a welcome email but will no longer need to create a GoFundMe Pro password.

Does GoFundMe Pro offer or require MFA or 2FA?

Yes. MFA will be required for all GoFundMe Pro admins starting in the first half of 2025. Your organization will be notified before MFA is required for your account.