Single Sign-On (SSO) for Gainsight Applications

Overview

The implementation of a global authentication mechanism enhances user experience, security, and efficiency by allowing seamless authentication and access across multiple products or product instances. Single Sign-On(SSO) enables users to log in once and access all three Gainsight products (CS, PX, CC, and CE) without the need for multiple login credentials. This eliminates the hassle of remembering and managing multiple usernames and passwords, improving user productivity and reducing the risk of security breaches.

The SSO capability between CS, PX, CC, and CE is a strategic initiative that enhances security, simplifies user management, and improves collaboration and productivity across multiple products.

Gainsight Authentication

Before proceeding,  Gainsight recommends reading how to authenticate mechanisms supported in Gainsight NXT.

For more information on the authentication, refer to the Gainsight Authentication article.

Authentication

Once the SSO is enabled, any modifications done to the authentication of one instance will reflect on all your other instances.

When Admins want to edit, delete, or change the Status of the authentication mechanism, a confirmation dialog appears.

Note: The message does not appear in case of Sandbox environment or if there is only one instance.

To confirm the changes, click I Understand. All the edits or changes made to the authentication mechanism will now be applied to all product instances.

Admins can also decide on how users will be redirected when they log in through an Identity Provider (IDP).

To select the redirect method:

1. Navigate to Administration > User Management > Authentication.
2. Click Settings. The Settings slide-out panel appears.
3. Select either of the two options:
   • Automatically redirect users to the instance they last logged into.
   • Give users the option to choose which instance to log into.
     Note: By default, Give users the option to choose which instance to log into is selected.
4. Click Save.

Accessing Gainsight Applications After SSO Enablement Using Identity Providers

Once SSO is enabled, users view a single Gainsight app in their identity provider portal such as Okta, instead of multiple products or instances.

When users click the app, they are navigated to the Product Instance selection page. From here, users can select the instance they want to login.

Note: Only those instances are shown that the user has access to.

Users can use the App Switcher to navigate to other instances or products.

IMPORTANT: 

• Users with access to multiple instances and who are logged in to Gainsight Hybrid org or tries to log in via SFDC click the app switcher, and they are navigated to Gainsight NXT. However, when they are accessing the NXT version, there is no option to navigate back to Hybrid version.
• For customers who have SAML or G-Suite as identity providers, Super Admin only needs to perform configuration only once in any one of Gainsight instances, and the configurations gets applied to all their Gainsight instances. Super Admins do not have the option to create or update configurations from the Sandbox environments.
• A Magic Link is enabled in the SSO login page whenever the Auth0 server is down. A temporary access mechanism is activated where users can log in to the system by providing a username. An email is sent with a Magic Link to the registered email ID, provided the email address is valid.
• In a multi-product scenario, if the username is changed in Gainsight CS, this update will not automatically reflect in Gainsight PX. A new user with the same username must be created in Gainsight PX in order for the user to log in.