How does SSO work if users already authenticate on my site without them having to authenticate again on the GoodData portal? On a competing solution I saw something called “trusted authentication” which pretty much trusts the authentication that already occurred on my site. Is there something similar on GoodData? Also, how does this link to the role a user has?
Best answer by Martin Burian
This is exactly the purpose of SSO (Single Sign-On). Once SSO is set, it allows your users to log in against your identity provider and then users do not have to log in again to GoodData. It is done automatically for them. GoodData supports SAML 2.0 and PGP-based SSO. More details here: https://help.gooddata.com/doc/en/building-on-gooddata-platform/gooddata-integration-into-your-application/set-up-user-authentication-and-sso/single-sign-on-overview
SSO is not linked to a user role. Let me explain exactly how it works. SSO on the GoodData side is set based on information provided by the customer: type of SSO, PGP public key / SAML metadata. GoodData provides back an SSO provider name, which is linked to the SSO setting. Then the customer assigns the SSO provider to the users for whom the customer wants to use the SSO way of logging in. The SSO also has to be set on the customer side. For PGP, custom development is needed, but it can be used everywhere, e.g. in your own application. It is easier with SAML, because custom development is usually not needed. It is just necessary to set it up in your identity provider supporting SAML 2.0. PGP-based SSO and also SAML in the default setting redirect the user from the identity provider site to GoodData once the user is seamlessly logged on to GoodData. SAML also supports the service-provider-initiated scenario. It means that the user can start at GoodData to log in via SSO.