Gainsight Inc.

Configure SAML Authentication

This article explains how to configure SAML authentication using Identity Providers (IdPs) for Gainsight PX.

Overview of SAML and IdP

Security Assertion Markup Language (SAML) is an open standard, based on Extensible Markup Language (XML), for authentication and authorization. SAML allows you to log in to multiple applications with just one set of credentials. SAML consists of two main components: Identity Providers (IdP) and Service Providers (SP). When a user logs in to a SAML-enabled device, the service provider requests authorization for the user from the identity provider. The identity provider authenticates the user's credentials and returns the authorization for the user to the respective service provider. The user can now use the application.

Configure SAML in Gainsight PX

Gainsight PX supports SAML authentication with Okta, Auth0, and GSuite IdPs. After you configure an IdP, your users can log in to Gainsight PX using the configured IdP. When a user is authenticated on the IdP's application, they can access Gainsight PX (and also other apps configured with the IdP). Before setting up the IdP, configure the SAML settings in Gainsight PX using the SSO / SAML page in the Administration menu.

To configure SAML settings in Gainsight PX: 

  1. Navigate to Administration > SSO / SAML. The Login Settings page is displayed.
  2. Select an authentication method:
    • Saml Only: If you select this option, users can log in to Gainsight PX only through SAML. However, you can select a few users who can also log in using the Gainsight PX application.
      Gainsight recommends that you add at least one administrator user to the Allow List so that this user can log in to PX and grant access to other users in case of SAML issues. In the example screenshot for this step (saml_users.png), only the three selected users can log in to the Gainsight PX application using their credentials. Click a user to add them to the allowed list.
    • Saml And Password: If you select this option, all the users can log in to Gainsight PX, either from a SAML-based IdP or from the Gainsight PX application.

Identity Provider Metadata Url configurations are explained in the following sections.

Configure Okta as Identity Provider

This section explains how to configure Okta as the Identity Provider (IdP) for Gainsight PX SAML authentication so that your users can log in to Gainsight PX from Okta. 

To configure Okta as an IdP:

  1. Log in to your Okta developer account.
  2. Click Admin on the upper-right corner.
  3. On the admin Dashboard, click Add Applications in the Shortcuts section.
  4. Click Create New App on the Add Applications page. The Create a New Application Integration window is displayed.
  5. Select SAML 2.0 as the Sign on method.
  6. Click Create.
  7. In the App name field, enter a name for your application. The name you provide here is the name your users see in Okta for the PX widget.
  8. Click Next.
  9. Click on the Configure SAML tab.
  10. In the Single sign on URL field, enter https://app-be.aptrinsic.com/saml/SSO
  11. In the Audience URI (SP Entity ID) field, enter com:gainsight:px.
  12. Click on the Feedback tab.
  13. Select the I'm an Okta customer adding an Internal app radio button.
  14. Click Finish.
  15. In the Settings section of the Sign On tab on the Gainsight PX details page, copy the link address for Identity Provider Metadata.
  16. Navigate to Gainsight PX and paste the URL in the Identity Provider Metadata Url field on the Login Settings page.
    You can paste the URL either in the Saml Only section or Saml And Password section. The URL is automatically copied to the other section if you change your SAML authentication method later.
  17. Click Save. Users can now log in to Gainsight PX from Okta.

Configure Auth0 as Identity Provider

This section explains how to configure Auth0 as the Identity Provider (IdP) for Gainsight PX SAML authentication so that your users can log in to Gainsight PX from Auth0.

To configure Auth0 as an IdP:

  1. Log in to Auth0.
  2. Click + CREATE APPLICATION. The Create Application window is displayed.
  3. In the Name field, enter a name.
  4. Select the Regular Web Applications widget.
  5. Click Create.
  6. On the Gainsight PX details page, click on the Addons tab.
  7. Turn ON the SAML2 WEB APP toggle switch.
  8. In the Application Callback URL field, enter https://app-be.aptrinsic.com/saml/SSO
  9. In the Settings section, enter the following code.

    {
      "audience": "com:gainsight:px",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ]
    }

  10. Click ENABLE.
  11. Click the Usage tab.
  12. Copy the URL from the Identity Provider Login URL field.
  13. Click the Download link for the Identity Provider Metadata.
  14. Navigate to Gainsight PX and paste the login URL and the metadata code in the Identity Provider Metadata Url field on the Login Settings page, either in the Saml Only section or the Saml And Password section. The URL is automatically copied to the other section if you change your SAML authentication method later.
  15. Click Save. Users can now log in to Gainsight PX from Auth0.
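
To troubleshoot a failed login with either IdP (Okta or Auth0), you can capture the base64 SAMLResponse form field that the browser posts and compare it with the Single sign on URL / Application Callback URL and the audience entered above. The following is an added example, not Gainsight code; the sample response, issuer and user are constructed, and the script checks configuration values only, not the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values this article tells you to enter at the IdP.
EXPECTED_ACS = "https://app-be.aptrinsic.com/saml/SSO"
EXPECTED_AUDIENCE = "com:gainsight:px"

# Constructed sample response (unsigned, placeholder issuer and user).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{EXPECTED_ACS}">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
    <saml:Subject>
      <saml:NameID>admin@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_saml_response(b64_response):
    """Compare a captured SAMLResponse with the SP values; return mismatches."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") not in (None, EXPECTED_ACS):
        problems.append(f"Destination is {root.get('Destination')!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted or failed login)"]
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience is {audiences}, expected {EXPECTED_AUDIENCE!r}")
    recipients = [d.get("Recipient") for d in
                  assertion.iterfind(".//saml:SubjectConfirmationData", NS)]
    if EXPECTED_ACS not in recipients:
        problems.append(f"Recipient is {recipients}, expected {EXPECTED_ACS!r}")
    # Assumption: the Auth0 settings above probe the emailaddress claim for
    # NameID, so a NameID that is not an email points at a mapping issue.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email address")
    return problems
```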
