Skip to main content
Gainsight Inc.

Gainsight Authentication

Gainsight NXT

 

This article explains how admin can configure the various authentication mechanisms supported in Gainsight NXT, through which active users can verify their identity and login to Gainsight.

Overview

Gainsight provides the following Authentication Mechanisms:

  • DB Authentication
  • SAML 2.0 Authentication
  • GSuite Authentication

By default, Gainsight provides DB Authentication to all the users added to the Users List. You can opt for additional authentication, that is SAML 2.0 or GSuite to increase the level of security.

The following are the fields and options displayed in the Authentication tab:

  • Name: Displays name of the authentication type.
  • Type: Displays type of the authentication.
  • Status: Displays status of the authentication. Admins can Toggle on/off the authentication mechanisms through which the users can verify their identity and login to Gainsight.

UM-A1.jpg

Note:

  • Gainsight gives precedence to SAML 2.0 or GSuite authentication over DB.
  • For a given domain, you can setup either SAML 2.0 or GSuite. You can setup both SAML 2.0 and GSuite authentications only when the domains are different.
  • The ‘Authentication’ Tab is not visible, when accessing from Salesforce. Option to add SSO Configuration will be found in Salesforce Setup.

Prerequisites

  • You must be a Super Admin to configure Users Authentication. To have Super Admin privileges, you must be added to the USERS LIST as a Super Admin in the User Management page.  
  • Users who want to login to Gainsight through one of the authentication mechanisms should be added to the users list. For more information about how to add users to the users list, refer to the Gainsight User Management article.
  • SAML 2.0 Authentication can be done only after configuring SAML identity provider with Gainsight.

Key Terms

  • Super Admin: A Super Admin has access to all the Pages in Gainsight. Only Super admins can setup various authentication mechanisms.
  • Authentication: Any of the processes by which an application confirms the truth of a user’s identity.
  • DB Authentication: Act of confirming a user’s identity using their Username and Password.
  • SAML 2.0 Authentication: Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. For example: IdPs can be Salesforce, Okta, etc.
  • Google Apps Authentication: Act of confirming a user’s identity using their Google Accounts.

Setup DB Authentication

Gainsight provides the DB Authentication mechanism out of the box to all the users added to the Users List. For more information on how to add users to the User List, refer to the Gainsight User Management article.

Note: Users can login via the DB method even if their domain in the username is different than what’s configured in SAML 2.0 or GSuite. For instance, you are a Gainsight active user, your username is abc@xyz.com, your company has setup SAML 2.0 or GSuite authentication with its child company AAR.com, you will still be able to Gainsight Login via DB method.   

While adding a user to the users list in the User Management page, you have the ability to send a welcome email to the user saying that ‘Welcome to Gainsight! Your account has been created with the following credentials’, and requests to reset the password.

Welcome Email Latest.png

A user who receives a welcome email can login to Gainsight NXT using the access link provided in the email and change password for the first time. For more information, refer to the User Login Methods to Gainsight NXT article.

Setup SAML 2.0 Authentication

SAML 2.0 Authentication allows the users to login to Gainsight via Identity Providers (IdP), such as Okta, Salesforce etc. Once Gainsight is configured to authenticate via SAML 2.0, users who want to access Gainsight will no longer be prompted to enter a username or password. Instead, an exchange between Gainsight and the configured IdP occurs that grants Gainsight access to the users.

To configure SAML 2.0 Authentication:

  1. Navigate to the Administration > User Management > Authentication page.
  2. Click Add AUTHENTICATION and select SAML. The SAML Mechanism window appears.SAML Authentication.jpg
  3. Enter the following details:
Fields Description
Name

Enter name of the authentication.

Note: The name can only contain alphanumeric characters and “-”. It must be unique, begin and end with an alphanumeric character and can contain a maximum of 40 characters.

Email Domain Enter the domain. For example, acme.com
Sign In URL Enter Sign In URL which can be obtained from your SAML IdP. To get Sign In URL, set up SAML IdP (an example of obtaining the Sign in URL is given in the Authenticate via Okta section of this article).
Sign Out URL (Optional) Enter Sign Out URL which can be obtained from your SAML IdP. To get Sign Out URL, set up SAML IdP.
Certificate

Certificate is a Public Key provided by your SAML IdP in .CER or .PEM formats. To get the certificate, set up SAML IdP.

Notes: 

  • To set up a SAML IdP, please contact your System or Network Administrator.
  • Once you add Gainsight to your IdP, it generates a metadata file (SAML file) from which you can obtain the Sign In URL, Sign Out URL and Certificate. 
Username Mapping Enter the name of the email field from SAML IdP. This is required to map incoming user’s username from SAML IdP to Gainsight user’s Username.
  1. Click SAVE.

UM-A2 (1).jpg

  1. Upload this metadata to your IdP to complete the setup of SAML connection.
  2. Once the SAML authentication is configured, and when users attempts to sign into Gainsight through Direct Gainsight Login page, SAML redirects the user to the IdPs, such as Okta/Salesforce etc.

Note: We recommend to test the SAML integration by logging out and logging in as a Super Admin via SAML.

  1. (Optional, but recommended) Navigate to the Administration > User Management > Authentication page. Toggle OFF the DB Login to deactivate the DB Login, after which all users must log in using the central SAML authentication method.

UM-A2 (1).jpg

Notes:

  • If the user is already signed in to the SAML IdP (for example, the user is already signed in to Okta), the user is directly navigated to Gainsight. If not signed in, the user is redirected to the login page of IdP (for example, Okta’s login page).
  • Once the SAML Authentication is saved, you can download metadata by clicking Download Metadata.

Authenticate via Okta

Navigate to the admin dashboard, create/add an app in okta that supports SAML 2.0.

  1. Navigate to app settings and click the Sign On tab.

4..png

  1. Click View Setup Instructions. SAML Idp settings is displayed.

5..png

  1. Note the Single Sign-On URL and download the X509 certificate.
  2. Now create the SAML 2.0 connection in Gainsight as described above.
  • Domain - email domain of the user assigned to your okta app.
  • Sign In URL - Obtained in the previous step.
  • Certificate - Downloaded in the previous step.
  • Email field - email field name is ‘email’ (can be any attribute which corresponds to Gainsight Username).
  • Download the metadata after saving the connection.
  1. Navigate back to Okta > your app.
  2. Click the General tab.

6..png

  1. Edit the SAML 2.0 settings. Fill in the appropriate fields.
  • Single sign-on URL: Value for this can be obtained in the metadata (value of Location property of AssertionConsumerService element ) given when saving SAML 2.0 connection in Gainsight.
  • Audience URI (SP Entity ID): Value for this can be obtained in the metadata given when saving SAML 2.0 connection in Gainsight.

7..png

  1. You must also add the following in ATTRIBUTE STATEMENTS section:
  • Name: email
  • Name format (optional): Unspecified
  • Value: ${user.email}

8.png

Notes:

  • For authentication via Azure, enter the email address of user in the Source Field displayed in the Field Mapping section in Gainsight. You need to also provide the same email address of user in Azure on Attributes & Claims page. 
  • The Source field name should be a case-sensitive name.

Screenshot 2023-03-09 at 3.59.06 PM.png

Screenshot 2023-03-14 at 3.30.40 PM.png

  1. Click Finish.

Note: We recommend to test the Okta authentication method by logging out and logging in as a Super Admin through Okta.

  1. (Optional, but recommended) Navigate to the Administration > User Management > Authentication page. Toggle OFF the DB Login to deactivate the DB Login, after which all users must log in using the Okta authentication method.

UM-A2 (1).jpg

Setup GSuite Authentication

GSuite Authentication enables the users to login to Gainsight NXT by entering their usernames, provided users have already logged-in to their Google accounts. Otherwise, users will be redirected to the login page of the Google account where the user enters the Google account credentials.

For example, if a user’s username is abc@AAR.com, and you have configured GSuite authentication for this particular user, then all of the users with AAR.com [domain name] are authenticated via GSuite. For other users whose domain name is different can login to Gainsight  NXT through DB method.

Note: You cannot setup GSuite authentication mechanism if your domain is already mapped with SAML 2.0 authentication.

To configure GSuite Authentication:

  1. Navigate to the Administration > User Management > Authentication page.
  2. Click Add Authentication and select Google Apps.

UM-A3.jpg

  1. Enter the following details:
  • Name: Enter the name of your choice for your identification. The name can only contain alphanumeric characters and “-”. It must be unique, begin and end with an alphanumeric character and can contain a maximum of 40 characters.

  • Google Apps domain: Enter your Google Apps domain name.

  1. Click SAVE. Google Apps authentication mechanism is added to the list of authentication.

GSApp_auth1.png

Note: We recommend to test the GSuite authentication method by logging out and logging in as a Super Admin through GSuite.

  1. (Optional, but recommended) Navigate to the Administration > User Management > Authentication page. Toggle OFF the DB Login to deactivate the DB Login, after which all users must log in using the GSuite authentication method.

UM-A2 (1).jpg

Once the GSuite authentication is configured, users can login to Gainsight NXT just by entering your email address, provided you have already logged-in to your Google account, as your Company’s domain name is mapped with GSuite, otherwise, you will be redirected to the login page of your Google account and once you successfully login into your Google account, you will navigated to Gainsight. For more information, refer User Login Methods to Gainsight NXT.

Edit or Delete Authentication

You can perform the following actions by clicking three dots menu of the Authentication type in the Authentication page:

  • Edit: Edit the authentication details.
  • Delete: Deletes the authentication.

Note: You cannot edit or delete a System Authentication which is generated by default.

UM-A4.jpg

Additional Resources

For more information about user management, refer to the following articles:

  • Was this article helpful?