SAML Configurations in Gem

Gem supports Single Sign-On (SSO) for your team, configurable through the Gem Team Settings. There, you will be able to set up SAML configurations for any domain already connected to your team. The dashboard will also help you end-to-end test the entire SSO login process before enforcing SSO for your whole team.

If you need help performing these steps, please consult your IT team for assistance.

Identity Provider Configuration

The following configuration information is for Okta, but can apply to other identity providers, as well. (Parameter names may differ slightly from provider to provider.):

• Single Sign On URL: https://www.gem.com/api/saml/sso/<insertdomain.com>
• Audience URI (SP Entity ID): https://www.gem.com/api/saml/sso/<insertdomain.com>
• Application username: email

Attribute Statements:

• first_name (Name Format: Basic) should map to the user’s first name
• last_name (Name Format: Basic) should map to the user’s last name
• role (optional attribute)
• if included, values should be one of: admin, standard, limited, custom
• user will be assigned to the included role upon login
• custom_role_name (optional attribute)
• If and only if the role attribute is custom, this attribute determines the custom role that should be assigned
• If included, value should be the name of one of your teams custom roles. The value is case-sensitive.
• If the role attribute is not custom, this attribute is disregarded.
• If the role attribute is custom, and the custom_role_name attribute is missing or invalid, the user will not be able to login.

The following fields should be left in their default states:

• Default RelayState
• Name ID format

Creating a new SAML configuration in Gem

1. Open the Additional settings tab in Gem Team Settings.
2. Click Edit/Create SAML Configuration.
3. Select the chosen domain that you want to create a SAML configuration for.
4. Paste in your IDP metadata XML.
5. Fill in users who you want to test SSO with before it is enforced globally. Make sure that you have confirmed they are users who are able to test and troubleshoot SSO login issues on your team.
6. The Enforced checkbox is disabled in the creation window because we want to make sure that your team is able to test end-to-end and confirm that the SSO login process works for your test users before it is enforced globally to the rest of the team.
7. Save your changes.

Now that this new configuration is saved, any testing users will now be able to test the SSO login process. Once you are able to confirm that each of your testing users are able to successfully login via SSO, you can proceed to enforcing SSO for all team members.

Editing an existing configuration

1. Click Edit.
2. Check the Enforced box.
3. Save your changes.

SSO is now enforced for your whole team! In the event that you encounter errors anywhere in the process, review your SAML configuration and make sure that everything is set correctly. If errors persist, please contact the Gem Support team at support@gem.com with the details of your issue.

• Identity Provider Configuration
• Creating a new SAML configuration in Gem
• Editing an existing configuration