Skip to content
  • There are no suggestions because the search field is empty.

How SSO Permissions Work in Golden

Golden supports Single Sign-On (SSO) integrations (including Microsoft Entra ID and other identity providers) to streamline how users access the platform. Understanding how SSO interacts with Golden's permission model is key to setting up your integration correctly and avoiding confusion down the road.

This article applies to any SSO provider connected to Golden. Examples use Microsoft Entra ID, but the same logic applies to other supported identity providers.

SSO Is Only Used for Initial Permissions
When a user logs into Golden for the first time via SSO, their default role (for example, Writer or Reader) is converted into the equivalent set of Golden permissions. This conversion happens only once, on that very first login.
After that initial setup, Golden no longer updates permissions based on changes made in your identity provider. Any adjustments to what a user can or cannot do must be made directly in the Golden dashboard. This is intentional: it ensures that permission changes made in Golden are never overwritten the next time a user logs in.

SSO Still Controls Group and Chapter Access
Even after first login, your SSO provider continues to play a role, just a different one. Each time a user logs in, Golden evaluates their SSO group memberships to determine their chapter and divisional access.
Think of it this way:
  • SSO provider: controls where someone can go (chapter and group access)
  • Golden UI: controls what they can do once they're there (permissions)
Why Permissions May Look Inconsistent
You may notice that permissions appear to behave differently across chapters or levels for some users. This is a common source of confusion, and it has a straightforward explanation.

If a user has not yet logged into certain chapters or levels, Golden has not yet performed the one-time permission conversion for those areas. When they do log in for the first time in that context, the system applies the current defaults from your SSO provider at that moment. This can make it look like SSO changes are affecting permissions in some places but not others — when in reality, it's just a matter of which areas the user has accessed so far.

This is especially important to keep in mind if permission updates were made in your SSO provider instead of in the Golden UI. Those changes won't retroactively apply to chapters the user has already accessed, but may appear in new areas upon first login.

Quick Reference: Where to Manage What
  • SSO provider (e.g., Entra ID): Use for initial role assignment and group/chapter access
  • Golden UI: Use for all ongoing permission changes after first login
Questions? Reach out to your Client Strategist or email support@goldenvolunteer.com.