Gainsight Inc.

Configure SAML Authentication

This article explains how to configure Gainsight PX with SAML authentication and how to configure identity providers (IdPs) for SAML.

Overview of SAML and IdP

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) based open source authentication and authorization mechanism. SAML allows you to log in to multiple applications with just one set of credentials. SAML consists of two main components: Identity Providers (IdP) and Service Providers (SP). When a user logs in to a SAML-enabled device, the service provider requests authorization for the user from the identity provider. The identity provider authenticates the user’s credentials and returns the authorization for the user to the respective service provider. The user can now use the application.

Overview of SAML in Gainsight PX

You can configure SAML-based authentication in Gainsight PX. Gainsight PX supports three identity providers (IdPs): Okta, Auth0, and GSuite. You can use any of these three identity providers to configure SAML authentication for Gainsight PX. Once you configure an IdP, your users can log in to Gainsight PX from the configured IdP. When a user browses to the IdP’s site, they need to enter their credentials. Once the credentials are verified, users can access Gainsight PX (and also other apps configured in their IdP).

Before setting up the IdP, you must configure Gainsight PX SAML authentication from within Gainsight PX. A new page called SSO / SAML is added to the Settings section to facilitate this configuration.

This article explains the configuration to be performed in Gainsight PX and the IdP configuration to be performed from the Auth0 and Okta applications.

Prerequisite

To use SAML authentication, you must contact the Gainsight support team at pxsupport@gainsight.com and request login credentials.

Configure SAML in Gainsight PX 

To configure SAML settings in Gainsight: 

  1. Navigate to Settings > SSO / SAML.

  2. Select an authentication method:

    • Saml Only: If you select this option, users can log in to Gainsight PX only through SAML. However, you can whitelist a few users to log in through the Gainsight PX site (app.aptrinsic.com) as well. Gainsight recommends that you whitelist at least one administrative user so that, if you encounter issues with SAML, the whitelisted user can log in to PX and grant access to other users.

      In the following example, two users can log in from the Gainsight PX site using their user IDs and passwords as an alternative to SAML.

      [Screenshot: qw.GIF]

    • Saml And Password: If you select this option, all the users can log in to Gainsight PX, either from a SAML-based IdP or from the Gainsight PX site.

Identity Provider Metadata Url configurations are explained in the next sections.

Configure Okta as Identity Provider

This section explains how to configure Okta as the Identity Provider for Gainsight PX SAML authentication. Once you configure this section, your users can log in to Gainsight PX from Okta. 

To configure Okta as an IdP:

  1. Log in to your Okta developer account.

  2. Click Admin.

  3. Navigate to Add Applications > Create New App. The Create a New Application Integration window is displayed.

  4. Select SAML 2.0.

  5. Click Create.

  6. In the App name field, enter a name. The name you provide here will be the name your users see in Okta for the PX widget.

  7. Click Next.

  8. Click the Configure SAML tab.

  9. In the Single sign on URL field, enter https://app-be.aptrinsic.com/saml/SSO

  10. In the Audience URI (SP entity ID) field, enter com:gainsight:px

  11. Click the Feedback tab.

  12. Select the I’m an Okta customer adding an Internal app radio button.

  13. Click Finish.

  14. Copy the link address for Identity Provider Metadata.

  15. Navigate to Gainsight PX and paste this URL in the Identity Provider Metadata Url field.

      You can paste the URL either in the Saml Only section or the Saml And Password section. The URL is automatically copied to the other section. In the future, if you change your SAML authentication method, you need not copy and paste the URL again.

  16. Click Save.

Users can now log in to Gainsight PX from Okta.

Configure Auth0 as Identity Provider

This section explains how to configure Auth0 as the Identity Provider for Gainsight PX SAML authentication. Once you configure this section, your users can log in to Gainsight PX from Auth0.

To configure Auth0 as an IdP:

  1. Log in to Auth0.

  2. Click + CREATE APPLICATION. The Create Application window is displayed.

  3. In the Name field, enter a name.

  4. Select the Regular Web Application widget.

  5. Click CREATE.

  6. Click the Addons tab.

  7. Enable the SAML2 WEB APP toggle switch.

  8. In the Application Callback URL field, enter https://app-be.aptrinsic.com/saml/SSO

  9. In the Settings section, enter the following code.

      {
        "audience": "com:gainsight:px",
        "nameIdentifierProbes": [
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        ]
      }

  10. Click ENABLE.

  11. Click the Usage tab.

  12. Copy the URL from the Identity Provider Login URL field.

  13. Click the Download link for the Identity Provider Metadata.

  14. Paste the login URL and the code present in the metadata into the Gainsight PX application. When you paste the URL and the code in either section, they are automatically copied to the other section.

  15. Click Save.

Users can now log in to Gainsight PX from Auth0.
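
The sign-on (callback) URL and the audience entered in the Okta and Auth0 procedures above are carried in the SAML response that the IdP posts to Gainsight PX. The following Python check is an added example, not Gainsight, Okta or Auth0 code: it takes the base64 SAMLResponse form value from a test login and lists the fields that do not match. The function names and the sample response are constructed for illustration, and the e-mail NameID check is an assumption based on the Auth0 nameIdentifierProbes setting.

```python
import base64
import xml.etree.ElementTree as ET

# SP values this article has you enter in Okta and Auth0.
ACS_URL = "https://app-be.aptrinsic.com/saml/SSO"
AUDIENCE = "com:gainsight:px"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response):
    """List mismatches between a POSTed SAMLResponse and the SP values above.
    Configuration check only: it does not validate the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # e.g. the IdP encrypts assertions
        return problems + ["Assertion"]
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:
        problems.append("Audience")
    recipients = [d.get("Recipient") for d in assertion.iterfind(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    # Assumption: NameID carries the user's e-mail address.
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID")
    return problems

# Constructed sample (not captured from a real IdP); unsigned for brevity.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="{acs}"/></saml:SubjectConfirmation>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""

def sample(acs=ACS_URL, audience=AUDIENCE, name_id="user@example.com"):
    xml = TEMPLATE.format(acs=acs, audience=audience, name_id=name_id)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample()))                      # correct setup
    print(check_saml_response(sample(audience="gainsight")))  # wrong Audience URI
```

An empty list means the IdP application matches the values in this article; any name in the list points to the IdP field to re-check.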
