Gainsight Inc.

Single Sign-On (SSO) for Gainsight Applications

This article describes single sign-on authentication in Gainsight, which lets users access all the Gainsight products and/or instances with a single set of credentials.

Overview

The implementation of a global authentication mechanism enhances user experience, security, and efficiency by allowing seamless authentication and access across multiple products or product instances. Single Sign-On (SSO) enables users to log in once and access all three Gainsight products (CS, PX, CC, and CE) without the need for multiple login credentials. This eliminates the hassle of remembering and managing multiple usernames and passwords, improving user productivity and reducing the risk of security breaches.

The SSO capability between CS, PX, CC, and CE is a strategic initiative that enhances security, simplifies user management, and improves collaboration and productivity across multiple products.

Migration Plan

Gainsight started migrating the CS Production instances to SSO in the first week of August 2023, and the migration will be completed by the end of October 2023. For new customers, SSO is enabled by default. For existing customers, SSO is rolled out in a phased manner.

Admins who have multiple instances enabled in their org will receive a system-generated email as soon as their production instance is migrated. This email provides information on the further steps to be followed. When a sandbox environment is refreshed, the SSO experience is enabled and all the users move to the Inactive state. Admins need to update their status to Active and initiate a welcome email for the users.

SSO for Gainsight Production Instance Users

Admins do not need to perform any action for the users who are using Gainsight production instances. The users can access these instances using their current login credentials. They will also receive an email with instructions to start using their current credentials to access the sandbox as well. Users who are not active in their production instances will receive a welcome email to reset their passwords for added security.

Accessing Gainsight Applications After SSO Enablement Using Identity Providers

Once SSO is enabled, users view a single Gainsight app in their identity provider portal such as Okta or SAML, instead of multiple products or instances. When users click the app, they are navigated to the last used instance or product. Users can use the App Switcher to navigate to other instances or products.

IMPORTANT

  • When users who have access to multiple instances and are logged in to a Gainsight Hybrid org, or who try to log in via SFDC, click the App Switcher, they are navigated to Gainsight NXT. However, once they are in the NXT version, there is no option to navigate back to the Hybrid version.
  • For customers who have SAML or G-Suite as identity providers, the Super Admin needs to perform the configuration only once, in any one of their Gainsight instances, and the configuration is applied to all their Gainsight instances. Super Admins do not have the option to create or update configurations from the Sandbox environments.
  • A Magic Link is enabled in the SSO login page whenever the Auth0 server is down. A temporary access mechanism is activated where users can log in to the system by providing a username. An email is sent with a Magic Link to the registered email ID, provided the email address is valid.
  • In a multi-product scenario, if the username is changed in Gainsight CS, this update will not automatically reflect in Gainsight PX. A new user with the same username must be created in Gainsight PX in order for the user to log in.