Authentication

Every instance ships with a password login with roles, rights and a simple two-factor toggle per instance. This is base, active in every go~mus instance.

With the authentication add-on, you can connect SAML and OpenID Connect, for example Microsoft Entra (formerly Azure AD) or Google Workspace. Users sign in with the organisation's identity system, without a separate go~mus password.

Users can be created automatically on first sign-in. Role and museum assignment can be derived from group attributes of the identity system, so onboarding and off-boarding live centrally in the identity provider.

Independent of the SSO path, each instance can enforce the simple TOTP-based two-factor authentication. Useful with the standard login when no organisation-wide identity system is in place.