Inbound SSO

These instructions guide you through the process of configuring and performing Single Sign-On (SSO) to Goldman Sachs Advisor Solutions (GSCS). The integration uses OAuth 2.0 to authenticate users and allow access to GSCS services.

UAT Testing

For testing in UAT, you will need to use different links.

For Step 1 in section B, use https://idfs-qa.gs.com/
For all other steps, use https://uat.advisorsolutions.site.gs.com

Part A. Setup SSO and User Authorization in GSCS (one time)

This part ensures that the partner is configured to request access to GSCS on behalf of the user.

You must add a button on your platform labeled "Authorize SSO to GSCS" that links to https://advisorsolutions.gs.com/app/authorizations/[client-id].

Steps for User

User clicks the "Authorize SSO to GSCS" button on the provider's interface
This action redirects the user to the GSCS User Authorization URL: https://advisorsolutions.gs.com/app/authorizations/[client-id]
Once redirected to the GSCS authorization page, the user logs in and is prompted to authorize the partner to access their GSCS account
User clicks "I authorize"
Upon successful authorization, GSCS redirects the user back to the partner with a response containing key information:

[
  "jwt": "string",
  "expiresIn": int
]

Partner processes the response and fetches loginid from the jwt and saves the GSCS loginId since the partner will need to send this GSCS loginId on future SSO calls.

Part B. Post-Authorization Steps to perform Inbound SSO

After the user completes the initial authorization step, they need to click on the "SSO to GSCS" button on the Partner interface to perform the inbound SSO.

Note

Step 1 and step 2 can be skipped if the jwt from User Authorization in GSCS is still active.

You must add a button on your platform labeled "SSO to GSCS". When the user clicks this button, on the backend you will need to complete the below steps. Steps 1-3 should be done on the backend, and step 4 will require you to open a new tab on the client browser.

Step 1 - Obtain Access Token

Partner (from backend api client) generates a client credentials access token by making a call to the token endpoint using the clientId and clientSecret:

curl -u [clientId]:[clientSecret] --data "grant_type=client_credentials" https://idfs.gs.com/as/token.oauth2?access_token_manager_id=JwtOneGsApi

A successful response returns an access token:

[
  "access_token": "<redacted>",
  "token_type": "Bearer",
  "expires_in": 3600
]

This access token is used in Step 2.

Step 2 - Generate User Token

Using the client credentials access token from Step 1, retrieve (from backend api client) a user-specific token to proceed with the SSO process:

Make a POST request to the GSCS /tokens endpoint, passing the GSCS loginId that was retrieved from the initial user authorization step.

Endpoint: Get OAuth Token

Example Request: POST https://advisorsolutions.gs.com//api/v2/oauth-apps/[client-id]/tokens

Request Body:

[
  "loginId": "string"
]

A successful response provides a token for the logged-in user, which will be used in step 3.

Step 3 - Get SSO Code for User

Using the user access token from Step 2, from backend api client, make a call to get an sso-code from GSCS:

Make a POST call to the GSCS /sso-code endpoint, passing the GSCS loginId that was retrieved from the initial user authorization step.

Endpoint: POST /api/v2/oauth-apps/[client-id]/sso-code

Request body:

[
  "loginId": "string"
]

A successful response provides a sso-code for the logged-in user, which will be used in Step 4.

Step 4 - Open new tab to GSCS

Opens a new tab with the url:

https://advisorsolutions.site.gs.com/sign-in?ssoCode=[sso code from step 3]&loginId=[GSCS loginid]&clientId=[client-id]&redirectUri=/api/v2/accounts

The parameters ssoCode, loginId, and clientId are all required. The parameter redirectUri is optional- you can pass it if we need the user to land on a specific uri within GSCS, otherwise the default behavior if the redirectUri parameter is not passed is that the user will land on the GSCS homepage.

GSCS validates the ssoCode, loginId, and clientId parameters, and if all 3 parameters are correct, GSCS sets an authentication cookie and logs in the user.

Important Notes

The clientSecret is not safeguarded by GSCS and must be securely stored by your administrators.
Access tokens have a limited confidential validity and must be refreshed periodically.
Users can revoke access through their account settings on the GSCS advisor portal. If a user revokes permissions, that will cause an unauthenticated error on Step 2.

Deep Links

The following links are some commonly used pages on our advisor portal. You can embed these links within your workflows as needed.

Name of Page	Link
Home page	advisorsolutions.site.gs.com/app
Clients & Accounts: Accounts	advisorsolutions.site.gs.com/app/accounts
Clients & Accounts: Account Opening: Open an Account	advisorsolutions.site.gs.com/app/account-opening
Service Center: Activity Tracker: Awaiting Client Action (IFAs)	advisorsolutions.site.gs.com/app/service-center/activity-tracker/ifas
Client View: All Accounts	advisorsolutions.site.gs.com/app/clients/[memberoid]/overview
Client View: Account Positions	advisorsolutions.site.gs.com/app/clients/[memberoid]/accounts/[accountoid]/positions
Client View: Activity & Orders	advisorsolutions.site.gs.com/app/clients/[memberoid]/accounts/[accountoid]/activity
Client View: Money Movement	advisorsolutions.site.gs.com/app/clients/[memberoid]/accounts/[accountoid]/cash-transactions
Client View: Linked Bank Accounts	advisorsolutions.site.gs.com/app/clients/[memberoid]/accounts/[accountoid]/linked-bank-accounts
Client View: Account Settings: Account Profile	advisorsolutions.site.gs.com/app/clients/[memberoid]/accounts/[accountoid]/account-settings/basics

To get a memberoid, you can input a user’s loginid to the Get a user API call and it will return their memberoid.

To get an accountoid, you can input an account number to the Get an account API call and it will return the account.

Was this page useful?

Give feedback to help us improve developer.gs.com and serve you better.

UAT Testing
Part A. Setup SSO and User Authorization in GSCS (one time)
Part B. Post-Authorization Steps to perform Inbound SSO
Important Notes
Deep Links

Goldman Sachs DeveloperPrivacy and CookiesGS Terms & ConditionsRegulatory DisclosuresSecurity

GS DAP® is owned and operated by Goldman Sachs. This site is for informational purposes only and does not constitute an offer to provide, or the solicitation of an offer to provide access to or use of GS DAP®. Any subsequent commitment by Goldman Sachs to provide access to and / or use of GS DAP® would be subject to various conditions, including, amongst others, (i) satisfactory determination and legal review of the structure of any potential product or activity, (ii) receipt of all internal and external approvals (including potentially regulatory approvals); (iii) execution of any relevant documentation in a form satisfactory to Goldman Sachs; and (iv) completion of any relevant system / technology / platform build or adaptation required or desired to support the structure of any potential product or activity. All GS DAP® features may not be available in certain jurisdictions. Not all features of GS DAP® will apply to all use cases. Use of terms (e.g., "account") on GS DAP® are for convenience only and does not imply any regulatory or legal status by such term.

¹ Real-time data can be impacted by planned system maintenance, connectivity or availability issues stemming from related third-party service providers, or other intermittent or unplanned technology issues.

Transaction Banking services are offered by Goldman Sachs Bank USA (“GS Bank”) and its affiliates. GS Bank is a New York State chartered bank, a member of the Federal Reserve System and a Member FDIC. For additional information, please see Bank Regulatory Information.

Certain solutions and Institutional Services described herein are provided via our Marquee platform. The Marquee platform is for institutional and professional clients only. This site is for informational purposes only and does not constitute an offer to provide the Marquee platform services described, nor an offer to sell, or the solicitation of an offer to buy, any security. Some of the services and products described herein may not be available in certain jurisdictions or to certain types of clients. Please contact your Goldman Sachs sales representative with any questions. Any data or market information presented on the site is solely for illustrative purposes. There is no representation that any transaction can or could have been effected on such terms or at such prices. Please see https://www.goldmansachs.com/disclaimer/sec-div-disclaimers-for-electronic-comms.html for additional information.

Mosaic is a service mark of Goldman Sachs & Co. LLC. This service is made available in the United States by Goldman Sachs & Co. LLC and outside of the United States by Goldman Sachs International, or its local affiliates in accordance with applicable law and regulations. Goldman Sachs International and Goldman Sachs & Co. LLC are the distributors of the Goldman Sachs Funds. Depending upon the jurisdiction in which you are located, transactions in non-Goldman Sachs money market funds are affected by either Goldman Sachs & Co. LLC, a member of FINRA, SIPC and NYSE, or Goldman Sachs International. For additional information contact your Goldman Sachs representative. Goldman Sachs & Co. LLC, Goldman Sachs International, Goldman Sachs Liquidity Solutions, Goldman Sachs Asset Management, L.P., and the Goldman Sachs funds available through Goldman Sachs Liquidity Solutions and other affiliated entities, are under the common control of the Goldman Sachs Group, Inc.