Overview
Gem supports Single Sign-On (SSO) via SAML configurations for any domain already connected to your team. You can end-to-end test the entire SSO login process before enforcing SSO for your whole team.
If you need help performing these steps, please consult your IT team for assistance.
Requirements
- Admin access to your Gem account.
Identity provider configuration fields
The following configuration values are for Okta, but the same settings apply to other identity providers as well; parameter names may differ slightly from provider to provider.
- Single Sign On URL: https://www.gem.com/api/saml/sso/<insertdomain.com>
- Audience URI (SP Entity ID): https://www.gem.com/api/saml/sso/<insertdomain.com>
- Application username: email
Attribute Statements:
- first_name (Name Format: Basic) should map to the user’s first name
- last_name (Name Format: Basic) should map to the user’s last name
- role (optional attribute)
  - If included, the value should be one of: admin, standard, limited, custom
  - The user will be assigned the included role upon login
- custom_role_name (optional attribute)
  - If and only if the role attribute is custom, this attribute determines the custom role that should be assigned
  - If included, the value should be the name of one of your team's custom roles. The value is case-sensitive.
  - If the role attribute is not custom, this attribute is disregarded.
  - If the role attribute is custom and the custom_role_name attribute is missing or invalid, the user will not be able to log in.
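The rules above define how the role and custom_role_name attributes interact on login. The following is an added Python example, not Gem's own code or part of this article: it reads a constructed SAML 2.0 AttributeStatement containing the attribute names listed above and applies the stated rules, including the case-sensitive custom role match and the refuse-login outcome. The sample XML, the set of team custom roles, the helper names and the handling of a role value outside the four accepted values are assumptions made for the example; a real service provider would only read these attributes after verifying the assertion's signature.

```python
"""Resolve a role assignment from a SAML AttributeStatement.

Added example, not Gem's code. Attribute names (first_name, last_name,
role, custom_role_name) and the role rules come from the configuration
notes above; the XML sample, TEAM_CUSTOM_ROLES and helper names are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the "basic" attribute name format.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

BUILTIN_ROLES = {"admin", "standard", "limited", "custom"}

# Constructed stand-in for a team's custom roles; matching is case-sensitive.
TEAM_CUSTOM_ROLES = {"Sourcer", "Hiring Manager"}

# Constructed AttributeStatement as an IdP might send it (signature omitted).
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="first_name"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Ada</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="last_name"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Lovelace</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>custom</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="custom_role_name"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Sourcer</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(statement_xml: str) -> dict:
    """Return {attribute name: first value} for basic-format attributes.

    Assumes the enclosing assertion's signature has already been verified;
    this function only reads the AttributeStatement element.
    """
    root = ET.fromstring(statement_xml.strip())
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        # Attributes without an explicit NameFormat are treated as basic.
        if attr.get("NameFormat", BASIC_FORMAT) != BASIC_FORMAT:
            continue
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text is not None:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def resolve_role(attrs: dict):
    """Apply the role / custom_role_name rules from the configuration notes.

    Returns the role to assign, "" when no role attribute was sent (the
    attribute is optional, so the existing role is left unchanged), or
    None when login must be refused.
    """
    role = attrs.get("role")
    if role is None:
        return ""                      # optional attribute absent
    if role not in BUILTIN_ROLES:
        return None                    # assumption: unknown role value is rejected
    if role != "custom":
        return role                    # custom_role_name is disregarded here
    custom = attrs.get("custom_role_name")
    if custom in TEAM_CUSTOM_ROLES:    # exact, case-sensitive match required
        return custom
    return None                        # missing or invalid custom role: refuse login


def login_profile(statement_xml: str):
    """Combine parsing and role resolution; None means the login is refused."""
    attrs = parse_attributes(statement_xml)
    role = resolve_role(attrs)
    if role is None:
        return None
    return {
        "first_name": attrs.get("first_name"),
        "last_name": attrs.get("last_name"),
        "role": role,
    }


if __name__ == "__main__":
    print(login_profile(SAMPLE_STATEMENT))
```

Running the module prints the resolved profile for the constructed statement; swapping the custom_role_name value to "sourcer" (lower case) makes `login_profile` return None, which is the case-sensitivity rule in action.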
The following fields should be left in their default states:
- Default RelayState
- Name ID format
Create a new SAML configuration
Only Admins can create a new SAML configuration.
- Select your account at the bottom of the main sidebar, then select the Admin settings option in the dropdown.
- Select the Integrations header in the top navigation.
- Select the SAML configurations option in the left navigation menu.
- Select Add configuration button.
- In the Domain field, select the chosen domain that you want to create a SAML configuration for.
- In the Metadata XML field, paste in your IDP metadata XML.
Note: The Enforced checkbox is disabled to ensure your team can test end-to-end and confirm that the SSO login process works for your test users before it’s enforced globally.
- In the Testing Users field, fill in users who you want to test SSO with before it is enforced globally. Make sure that you have confirmed they are users who are able to test and troubleshoot SSO login issues on your team.
- Select the Create button.
After this configuration is saved, any testing users will be able to test the SSO login process. Once you confirm your testing users can successfully log in via SSO, you can proceed to enforcing SSO for all team members.
Edit an existing SAML configuration
Only Admins can edit an existing SAML configuration.
- Select your account at the bottom of the main sidebar, then select the Admin settings option in the dropdown.
- Select the Integrations header in the top navigation.
- Select the SAML configurations option in the left navigation menu.
- Select the SAML configuration you want to edit from the list.
- Select the Edit button.
- Select the Enforced box.
- Select the Save button to save your changes.
After this, SSO will be enforced for your team.
Have any issues or questions on this topic? Please feel free to contact your dedicated Gem Customer Success Manager directly or our Support team at support@gem.com.