If you have a self-hosted Ghost site, configuring single sign-on (SSO) for it is fairly straightforward. It boils down to starting with a free GoPilot account, then downloading and setting up the GoPilot client on your Ghost installation.

Single Sign On User Flow

The single sign-on flow starts with a user clicking some sort of login button or login link somewhere on your Ghost site, or even on any other site you manage.

Once the user is taken to the GoPilot sign-in screen, the user proceeds to log in at the identity provider's login window and provides consent to allow your site to access their email address and name. (This consent is requested only once, and you have probably seen it many times with other apps, since this is how the OAuth2/OpenID Connect flow works.)

After this, the user is redirected to GoPilot and then automatically redirected to your Ghost site, which will be able to determine the user's email address. If the user's email matches one of your Ghost user accounts, the user will be automatically signed in to Ghost (Yay!)

So let's get to it! Here are the steps:

Create a GoPilot account

(If you already have a GoPilot account, you can skip this step)

Sign up for GoPilot at the GoPilot Login/Sign Up page.

After you sign up, you will be taken to the GoPilot Console.

Create an Application and Identity Provider within GoPilot

Decide which Identity Providers you wish to let your users sign in through, whether it is Google, Microsoft or any other. You can have one or more Identity Providers, and you can decide which ones to use for each of your Ghost sites.

Ghost relies on the user's email address for identification, so as long as any console user signs in with an email account that is already a Ghost user on your site, the user will not need to log in to Ghost.
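Because the email match is the only thing tying an external identity to a Ghost account, it is worth being strict about how that match is made. The following is an added example, not GoPilot's or Ghost's own code: it assumes the claims were already validated by the SSO client, and the function names, the claims shape (`email`, `email_verified`, `idp`) and the user records are hypothetical.

```javascript
// Added example: strict email-to-account matching after SSO.
// Assumption: `claims` was already signature-validated upstream.
// All names and sample values below are constructed for illustration.

// Normalise for comparison only: trim whitespace and lower-case.
function normaliseEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Decide which Ghost account (if any) a signed-in identity maps to.
//   claims:      { email, email_verified, idp }
//   ghostUsers:  [{ id, email, status }]
//   enabledIdps: identity providers enabled for this application
function resolveGhostUser(claims, ghostUsers, enabledIdps) {
  // Only accept identities from providers enabled for this site.
  if (!claims || !enabledIdps.includes(claims.idp)) {
    return { ok: false, reason: 'idp_not_enabled' };
  }
  // Policy choice: refuse addresses the provider has not verified,
  // otherwise anyone could claim an existing author's address.
  if (claims.email_verified !== true) {
    return { ok: false, reason: 'email_not_verified' };
  }
  const email = normaliseEmail(claims.email);
  if (!email.includes('@')) {
    return { ok: false, reason: 'no_email' };
  }
  // Exact match on the whole normalised address, active accounts only.
  const matches = ghostUsers.filter(
    (u) => u.status === 'active' && normaliseEmail(u.email) === email
  );
  if (matches.length !== 1) {
    const reason = matches.length ? 'ambiguous_match' : 'no_matching_user';
    return { ok: false, reason };
  }
  return { ok: true, userId: matches[0].id };
}

// Constructed sample data.
const sampleUsers = [
  { id: 'u1', email: 'Editor@example.com', status: 'active' },
  { id: 'u2', email: 'former@example.com', status: 'inactive' },
];
const sampleIdps = ['google'];
console.log(resolveGhostUser(
  { email: 'editor@example.com', email_verified: true, idp: 'google' },
  sampleUsers, sampleIdps));
```

Any result with `ok: false` should fall back to the normal Ghost login page rather than creating or guessing an account.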

Create one or more Identity Providers

For each Identity Provider, you need to go to their console and tell them you will use GoPilot as the SSO provider for your Ghost site.

For example, for Google, you need to log in to the Google Cloud console. Then you can create a new project and set up API credentials to allow GoPilot to communicate with Google to access the user's email and name. (Based on the least privilege principle, the scope we use allows minimum identifying information.)

Go ahead and view how to set up identity providers in detail.

For each Ghost site you wish to set up SSO for, create an application.

Basically, you need to tell GoPilot what Ghost site you want to configure and also provide the Ghost Admin Console URL, so that GoPilot can send your users to your site after logging in.

GoPilot will automatically create a Client ID and Client Secret (basically a user ID/password) for your Ghost site, so only your Ghost site can use this setup. Copy/paste these values now or later, as you will need them within your Ghost setup.

If needed, read the detailed documentation for this step.

VERY IMPORTANT!!! Once you create an application (your Ghost site), make sure you go into its details and enable one or more Identity Providers to use with this application.

Ghost Site Setup

Once you finish the steps above, go to the server that hosts your Ghost site to set it up for single sign-on.

You can view detailed information here.

As explained at the top of the page, the single sign-on flow starts with a user clicking some sort of login button or login link somewhere on your Ghost site, or even on any other site you manage. This link is important, as it takes the user to GoPilot and tells GoPilot which Ghost site the user is coming from.

View the document to prepare a login link that you can place on any of your sites (Ghost or not) and that will allow users to sign in to Ghost with SSO.

That's it!