Gainsight Authentication

This article supports Gainsight NXT, the next evolution of the Customer Success platform. New and upgraded customers are deployed on Gainsight NXT.

If you have not upgraded and are using Gainsight Salesforce Edition, you can find supporting documentation here.

This article describes the authentication mechanisms supported in Gainsight NXT, through which users verify their identity and log in to Gainsight. It also explains how a Super Admin can configure each of these authentication mechanisms for the active users in Gainsight.

Gainsight provides the following Authentication Mechanisms:

  • DB Authentication
  • SAML Authentication
  • GSuite Authentication

By default, Gainsight provides DB Authentication to all users added to the Users List. To increase the level of security, you can opt for an additional authentication mechanism, that is, SAML or GSuite.

Notes:

  • Gainsight gives precedence to SAML or GSuite authentication over DB.
  • For a given domain, you can set up either SAML or GSuite. You can set up both SAML and GSuite authentication only when the domains are different.

Prerequisites

  • You must be a Super Admin to configure Users Authentication. To have Super Admin privileges, you must be added to the USERS LIST as a Super Admin in the User Management page.
  • Users who want to log in to Gainsight through one of the authentication mechanisms should be added to the Users List. For more information about how to add users to the Users List, refer to the Gainsight User Management article.
  • SAML Authentication can be set up only after a SAML identity provider has been configured with Gainsight.

Key Terms

  • Super Admin: A Super Admin has access to all the pages in Gainsight. Only Super Admins can set up the various authentication mechanisms.
  • Authentication: Any of the processes by which an application confirms the truth of a user’s identity.
  • DB Authentication: The act of confirming a user’s identity using their Username and Password.
  • SAML Authentication: Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider. Examples of IdPs are SSO, Salesforce, Okta, etc.
  • Google Apps Authentication: The act of confirming a user’s identity using their Google Account.

Setup DB Authentication

Gainsight provides the DB Authentication mechanism out of the box to all the users added to the Users List. Click here to learn more on how to add users to the Users List.

Notes:

  • Users can log in via the DB method only when their single sign-on (SAML or GSuite) is not enabled.
  • Users can still log in via the DB method even if the domain in their username is different from the one configured in SAML or GSuite. For instance, if you are an active Gainsight user with the username abc@xyz.com and your company has set up SAML or GSuite authentication with its child company AAR.com, you will still be able to log in via the DB method.

While adding a user to the Users List in the User Management page, you can send the user a welcome email that reads ‘Welcome to Gainsight! Your account has been created with the following credentials’ and asks the user to reset the password.

A user who receives a welcome email can log in to Gainsight NXT using the access link provided in the email and change the password for the first time. For more information, refer to the User Login Methods to Gainsight NXT article.

Setup SAML Authentication

SAML Authentication allows users to log in to Gainsight via Identity Providers (IdPs), such as Okta, SSO, Salesforce, etc. Once Gainsight is configured to authenticate via SAML, users who want to access Gainsight are no longer prompted to enter a username or password. Instead, an exchange between Gainsight and the configured IdP takes place, and that exchange grants the users access to Gainsight.

To configure SAML Authentication:

  1. Navigate to the Administration > Operations > User Management > AUTHENTICATION page. You will be navigated to the Authentication Mechanism page.
  2. From the Add AUTHENTICATION menu, select SAML. The SAML Mechanism window is displayed.
  3. Enter the following details:
    1. Name: Enter a name of your choice for your identification.
      Note: The name can only contain alphanumeric characters and “-”. It must be unique, begin and end with an alphanumeric character and can contain a maximum of 40 characters.
    2. Email Domain: Enter your domain name. For example, acme.com
    3. Sign In URL: The Sign In URL can be obtained from your SAML IdP. To get the Sign In URL, set up the SAML IdP (an example of obtaining the Sign In URL is given in the Authenticate via Okta section of this article).
    4. Sign Out URL: (Optional) The Sign Out URL can be obtained from your SAML IdP. To get the Sign Out URL, set up the SAML IdP.
    5. Certificate: The certificate is a Public Key provided by your SAML IdP in .CER or .PEM format. To get the certificate, set up the SAML IdP.
      Notes:
      • To set up a SAML IdP, you may need support from your System or Network Administrator.
      • Once you add Gainsight to your IdP, it generates a metadata file (SAML file) from which you can obtain the Sign In URL, Sign Out URL and Certificate.
    6. Username Mapping: Enter the name of the email field from the SAML IdP. This is required to map the incoming user’s username from the SAML IdP to the Gainsight user’s Username.
  4. Click SAVE. You will see the SAML authentication mechanism being added to the list of authentication mechanisms.
  5. Click DOWNLOAD METADATA to download the metadata.
  6. Upload this metadata to your IdP to complete the setup of the SAML connection.
  7. Once the SAML authentication is configured, users can log in to Gainsight. When a user attempts to sign in to Gainsight via its login page, the user is redirected to the IdP, such as Okta, SSO, Salesforce, etc.
    If the user is already signed in to the SAML IdP (for example, the user is already signed in to Okta), the user is directly navigated to Gainsight. If not signed in, the user is redirected to the login page of the IdP (for example, Okta’s login page).

You can perform the following actions on the Authentication Mechanism page:

  • Click the ellipsis menu and select Edit to edit the connection settings.
  • Click the ellipsis menu and select Delete to delete the connection settings.

Authenticate via Okta

Navigate to the Okta admin dashboard and create or add an app that supports SAML.

  1. Navigate to app settings and click the Sign On tab.
  2. Click View Setup Instructions. You can see the SAML IdP settings.
  3. Note the Single Sign-On URL and download the X509 certificate.
  4. Now create the SAML connection in Gainsight as described above.
    • Domain - email domain of the user assigned to your Okta app.
    • Sign In URL - Obtained in the previous step.
    • Certificate - Downloaded in the previous step.
    • Email field - email field name is ‘email’ (can be any attribute which corresponds to Gainsight Username).
    • Download the metadata after saving the connection.
  5. Navigate back to Okta > your app.
  6. Click the General tab.
  7. Edit the SAML settings. Fill in the appropriate fields.
    1. Single sign-on URL: The value for this can be obtained from the metadata (the value of the Location property of the AssertionConsumerService element) given when saving the SAML connection in Gainsight.
    2. Audience URI (SP Entity ID): The value for this can be obtained from the metadata given when saving the SAML connection in Gainsight.
  8. You must also add the following Attribute Statement:
    1. Name: email
    2. Name format (optional): Unspecified
    3. Value: ${user.email}
  9. Click Finish.
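
The metadata lookups described in the SAML and Okta steps above, as an added example that is not Gainsight's or Okta's own code: it reads the Sign In URL, Sign Out URL and certificate from IdP metadata, and the AssertionConsumerService Location and entity ID from the service provider metadata. The trimmed XML samples, hosts and certificate bytes are constructed placeholders, the function names are hypothetical, and the SHA-256 fingerprint and https checks are added so the values can be verified against what the IdP displays before they are pasted into either form.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XMLNS = 'xmlns:md="%(md)s" xmlns:ds="%(ds)s"' % NS
# Constructed samples: hosts, entity IDs and certificate bytes are placeholders.
IDP_XML = f"""<md:EntityDescriptor {XMLNS} entityID="https://idp.example.com/meta">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>Q09OU1RSVUNURUQt
   U0FNUExFLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleLogoutService Location="https://idp.example.com/slo"/>
 <md:SingleSignOnService Location="https://idp.example.com/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_XML = f"""<md:EntityDescriptor {XMLNS} entityID="https://sp.example.com/saml">
<md:SPSSODescriptor>
 <md:AssertionConsumerService index="0" Location="https://sp.example.com/saml/acs"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

def _https(url, what):
    if not url or not url.startswith("https://"):
        raise ValueError(f"{what} must be an https URL (not cleartext), got {url!r}")
    return url

def idp_form_values(xml_text):
    """Sign In URL, Sign Out URL and certificate fingerprint from IdP metadata."""
    # ElementTree is fine for this inline sample; use a hardened parser for untrusted files.
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("IdP metadata carries no X509Certificate")
    der = base64.b64decode("".join(cert.text.split()), validate=True)  # wrapped base64
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)  # optional, like the form field
    return {"sign_in_url": _https(sso.get("Location") if sso is not None else None, "Sign In URL"),
            "sign_out_url": _https(slo.get("Location"), "Sign Out URL") if slo is not None else None,
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def sp_okta_values(xml_text):
    """Okta 'Single sign-on URL' and 'Audience URI' from the SP metadata download."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("no AssertionConsumerService: this is not SP metadata")
    return {"single_sign_on_url": _https(acs.get("Location"), "ACS Location"),
            "audience_uri": root.get("entityID")}  # SP entity ID per the SAML metadata schema
```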

Setup GSuite Authentication

GSuite Authentication allows users to log in to Gainsight NXT just by entering their usernames, provided they are already logged in to their Google accounts. Otherwise, users are redirected to the login page of the Google account, where they enter their Google account credentials. For example, if a user’s username is abc@AAR.com, and you have configured GSuite authentication for this particular user, then all of the users with AAR.com [domain name] are authenticated via GSuite. Other users, whose domain name is different, can log in via the DB method.

Note: You cannot set up the GSuite authentication mechanism if your domain is already mapped with SAML authentication.

To configure GSuite Authentication:

  1. Navigate to the Administration > Operations > User Management > AUTHENTICATION page. You will be navigated to the Authentication Mechanism page.
  2. Click + AUTHENTICATION MECHANISM.
  3. Select Google Apps from the dropdown list.
  4. Enter the following details:
    • Name: Enter the name of your choice for your identification.
      Note: The name can only contain alphanumeric characters and “-”. It must be unique, begin and end with an alphanumeric character and can contain a maximum of 40 characters.
    • Google Apps domain: Enter your Google Apps domain name.
  5. Click SAVE. You will see the GSuite authentication mechanism being added to the list of authentications.
  6. You can perform the following actions on the Authentication Mechanism page:
    1. Click the Edit (pen) icon to edit the connection settings.
    2. Click the Delete (trash can) icon to delete the connection settings.

Note: You can only edit the Google Apps domain and you cannot edit the Name.

Once the GSuite authentication is configured, you can log in to Gainsight NXT just by entering your email address, provided you are already logged in to your Google account, because your company’s domain name is mapped with GSuite. Otherwise, you will be redirected to the login page of your Google account, and once you successfully log in to your Google account, you will be navigated to Gainsight. For more information, refer to the User Login Methods to Gainsight NXT article.
