Skip to main content
Gainsight Inc.

Gainsight Authentication

Gainsight Standard Edition
This article supports Gainsight Standard Edition. This Edition is built on Gainsight's state of the art Matrix Data Architecture (MDA) platform, and is designed for customer success professionals for driving revenue, increasing retention, and scaling operations. To learn more about Gainsight Standard Edition, click here.

If you are using Gainsight Salesforce Edition, which is built on Salesforce and customer business data is stored in SFDC, you can find supporting documentation here.

 

This article describes the various authentication mechanisms supported in Gainsight, through which users can verify their identity and login to Gainsight. This article explains how a Super Admin can configure each of these authentication mechanisms for the active users in Gainsight.

Gainsight provides the following Authentication Mechanisms:

  • DB Authentication
  • SAML Authentication
  • GSuite Authentication

By default, Gainsight provides DB Authentication to all the users added to the Users List. You can opt for additional authentication, that is SAML or GSuite to increase the level of security.

Notes:

  • Gainsight gives precedence to SAML or GSuite authentication over DB.
  • For a given domain, you can setup either SAML or GSuite. You can setup both SAML and GSuite authentications only when the domains are different.

Prerequisites

  • You must be a Super Admin to configure Users Authentication. To have Super Admin privileges, you must be added to the USERS LIST as a Super Admin in the User Management page.  
  • Users who want to login to Gainsight through one of the authentication mechanisms should be added to the users list. For more information about how to add users to the users list, refer to the Gainsight User Management article.
  • SAML Authentication can be done only after configuring SAML identity provider with Gainsight.

Key Terms

  • Super Admin: A Super Admin has access to all the Pages in Gainsight. Only Super admins can setup various authentication mechanisms.
  • Authentication: Any of the processes by which an application confirms the truth of a user’s identity.
  • DB Authentication: Act of confirming a user’s identity using their Username and Password.
  • SAML Authentication: Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. For example: IdPs can be SSO, Salesforce, Okta, etc.
  • Google Apps Authentication: Act of confirming a user’s identity using their Google Accounts.

Setup DB Authentication

Gainsight provides the DB Authentication mechanism out of the box to all the users added to the Users List. Click here to learn more on how to add users to the Users List.

Notes:

  • Users can login via DB method only when their Single sign-on (SAML or GSuite) is not enabled.
  • Users can still login via the DB method even if their email’s domain is different than what’s configured in SAML or GSuite. For instance, you are a Gainsight active user, your email address is abc@xyz.com, your company has setup SAML or GSuite authentication with its child company AAR.com, you will still be able to login via DB method.   

While adding a user to the users list in the User Management page, you have the ability to send a welcome email to the user saying that ‘Welcome to Gainsight! Your account has been created with the following credentials’, and requests to reset the password.

Welcome Email Template.png

A user who receives a welcome email can login to Gainsight using the access link provided in the email and change password for the first time. For more information, refer Gainsight User Login.

Setup SAML Authentication

SAML Authentication allows the users to login to Gainsight via Identity Providers (IdP), such as Okta, SSO, Salesforce, etc. Once Gainsight is configured to authenticate via SAML, users who want to access Gainsight will no longer be prompted to enter a username or password. Instead, an exchange between Gainsight and the configured IdP occurs that grants Gainsight access to the users.

Notes: You cannot setup SAML authentication if your domain is already mapped with GSuite authentication.

To configure SAML Authentication:

  1. Navigate to the Administration > Operations > User Management > AUTHENTICATION page. You will be navigated to the Authentication Mechanism page.
  2. Click + AUTHENTICATION MECHANISM.

GSuite Navigation (2).gif

  1. Select SAML from the dropdown list.
  2. Enter the following details:
    • Name: Enter name of your choice for your identification.
      Note: The name can only contain alphanumeric characters and “-”. It must be unique, begin and end with an alphanumeric character and can contain a maximum of 40 characters.
    • Domain: Enter your Domain name.
    • Sign In URL: Sign In URL can be obtained from SAML IdP. To get Sign In URL, set up SAML IdP.
    • Sign Out URL: (Optional) Sign Out URL can be obtained from SAML IdP. To get Sign Out URL, set up SAML IdP.
    • Certificate: Certificate is a Public Key provided by SAML IdP in .CER or .PEM formats. To get certificate, set up SAML IdP.
      Notes:
      - To set up a SAML IdP, you may need support from your System or Network Administrator.
      - Once you add Gainsight to your IdP, it generates a metadata (SAML file) from which you can obtain the Sign In URL, Sign Out URL and Certificate.
    • Email field: Enter the name of the email field from SAML IdP. This is required to map incoming user’s email from SAML IdP to Gainsight user’s email.

SAML Conf Details.png

  1. Click SAVE. You will see the SAML authentication mechanism being added to the list of authentication mechanisms.
  2. You can perform the following actions on the Authentication Mechanism page:
  • Click Edit (pen) icon to edit the connection settings.
  • Click Delete (trash can) icon to delete connection settings.

Edit and Delete GSuite.gif

  1. Click Edit (pen) icon to open the SAML authentication mechanism.

Download Metadata.gif

  1. Click DOWNLOAD METADATA to download the metadata.
  2. Upload this metadata to your IdP to complete the setup of SAML connection.

Note: Uploading metadata to your IdP may require support from your System or Network Administrator.

Once the SAML authentication is configured, users can login to Gainsight. When a user attempts to sign into Gainsight via its login page, SAML redirects the user to the IdPs, such as Okta/SSO/Salesforce. If the user has already sign in to the SAML IdP, system navigates the user to Gainsight directly, otherwise, system redirects the user to the login page of IdP, where the user enters the IdP credentials and will be navigated to Gainsight. For more information, refer Gainsight User Login.

Notes:

  • You cannot login via SAML if your domain name is mapped with GSuite, you may need to login via GSuite authentication.
  • For users, whose domain name is not mapped with SAML or GSuite can login via DB authentication.

Setup GSuite Authentication

GSuite Authentication allows the users to login to Gainsight just by entering their email address, provided users have already logged-in to their Google accounts, otherwise, users will be redirected to the login page of the Google account where the user enters the Google account credentials. For example, if a user’s email address is abc@AAR.com, and you have configured GSuite authentication for this particular user, then all of the users with AAR.com [domain name] are authenticated via GSuite. For other users whose domain name is different can login via DB method.

Note: You cannot setup GSuite authentication mechanism if your domain is already mapped with SAML authentication.

To configure GSuite Authentication:

  1. Navigate to the Administration > Operations > User Management > AUTHENTICATION page. You will be navigated to the Authentication Mechanism page.
  2. Click + AUTHENTICATION MECHANISM.

GSuite Navigation (2).gif

  1. Select Google Apps from the dropdown list.
  2. Enter the following details:
  • Name: Enter the name of your choice for your identification.
    Note: The name can only contain alphanumeric characters and “-”. It must be unique, begin and end with an alphanumeric character and can contain a maximum of 40 characters.

  • Google Apps domain: Enter your Google Apps domain name.

G Suite Enter Details.png

  1. Click SAVE. You will see the GSuite authentication mechanism being added to the list of authentications.

Edit and Delete GSuite.gif

  1. You can perform the following actions on the Authentication Mechanism page:

  2. Click Edit (pen) icon to edit the connection settings.
  3. Click Delete (trash can) icon to delete the connection settings.

Note: You can only edit the Google Apps domain and you cannot edit the Name.

Once the GSuite authentication is configured, users can login to Gainsight just by entering your email address, provided you have already logged-in to your Google account, as your Company’s domain name is mapped with GSuite, otherwise, you will be redirected to the login page of your Google account and once you successfully login into your Google account, you will navigated to Gainsight. For more information, refer Gainsight User Login.

  • Was this article helpful?