Skip to main content
Gainsight Inc.

Configure SAML SSO with Google Workspace in Gainsight

  1. Last updated
  2. Save as PDF
This article provides instructions to Google Workspace Admin and Gainsight Admins to configure custom SAML SSO integration between Google Workspace and Gainsight.

This article provides instructions to Google Workspace Admin and Gainsight Admins to configure custom SAML SSO integration between Google Workspace and Gainsight.

Overview

Configure custom SAML SSO to ensure secure, seamless, and compliance-friendly authentication, while using Google Workspace as the single source of identity for all Gainsight users.

The document shows you how to:

  • Create a custom SAML app in Google Workspace
  • Configure SAML authentication in Gainsight
  • Download and use Gainsight metadata
  • Extract ACS URL and Entity ID from the XML
  • Assign users to the SAML app
  • Test and finalize the setup

Prerequisite

To configure SAML setup, both your Google Workspace Admin and Gainsight Admin must create the SAML app in their respective platforms—Google Workspace and Gainsight.

Create a Custom SAML App in Google

To create a new custom SAML application:

  1. Sign in to the Google Admin Console at admin.google.com
  2. Navigate to Apps > Web and mobile apps. The Web and mobile app screen appears.  

    App and web and mobile apps in google.
     
  3. From the Add app dropdown menu, select Add custom SAML app. The Add custom SAML app page appears. 

    The Add custom SAML app page appears.
     
  4. Google requires completing four configuration sections to set up the SAML app:
    1. App details
      1. Enter an App name and an optional Description
      2. Upload an image in the App icon if preferred. 
      3. Click CONTINUE.

        Add app page with options.
         
    2. Google Identity Provider details
      1. (Recommended for SAML setup) Copy or download these three values:
        • SSO URL
        • Entity ID
        • Certificate

          Google Identity Provider details.
           
      2. Click CONTINUE. 
    3. Service provider details: To get these details you must first perform these three steps below and then come back to enter the details in step d below:
      1. Create the SAML Authentication in Gainsight
      2. Download Gainsight Metadata XML
      3. Extract ACS URL and Entity ID from the XML
    4. Enter the following information that you extracted from the XML file after Gainsight SAML setup [refer to step c (iii)]:
      1. ACS URL: Paste the value you copied from the AssertionConsumerService > Location attribute in the XML file.
      2. Entity ID: Paste the Entity ID value you copied from the XML file.
      3. Click CONTINUE

        Enter the following information that you extracted from the XML file after Gainsight SAML setup.
         
    5. Attribute mapping: Define which user attributes, such as email or name, is sent from Google to the application. 
      1. Click ADD MAPPING to map Google directory attributes to App attributes. 

        Click ADD MAPPING to map Google directory attributes to App attributes.
         
      2. Select a field from the Select field dropdown list. Example: Primary Email. 
      3. Enter the corresponding App attribute. Example: Username. 
      4. Click FINISH. The custom SAML app is added. 

Once the custom SAML app is added in Google, you must assign users or groups to the SAML app. For more information on how to assign users, refer to the Assign Users or Groups to the SAML App section.

Create the SAML Authentication in Gainsight

To configure SAML in Gainsight:

  1. Navigate to Administration > User Management and click the Authentication tab.
  2. Click Add Authentication and select SAML. The SAML Mechanism dialog box appears.

    Add Authentication and select SAML.
     
  3. Enter the following authentication details to create the authentication record:
    • Name: Provide a name for the application (example, GoogleSSO).
    • Email Domain: Enter your organization's domain.
    • Sign In URL: Paste the SSO URL copied from the Google Identity Provider (IdP).
    • Certificate: Upload the Certificate downloaded from the Google IdP. 

      SAML Mechanism with Name, Email Domain.
       
  4. Click Save to save the connection.

Download Gainsight Metadata XML

Once the SAML authentication is created, you must download the Gainsight metadata XML.

To download the XML file:

  1. Navigate to Administration > User Management and click the Authentication tab.
  2. From the three-dots vertical menu, click Edit

    three-dots vertical menu with Edit
     
  3. In the SAML Mechanism dialog box, click Download to download the Gainsight metadata XML file.

    SAML Mechanism dialog box with download option.
     

Once the XML file is downloaded, extract the ACS URL and Entity ID. 

Extract ACS URL and Entity ID from the XML

To complete the configuration, open the downloaded metadata XML file and copy the following values, which are required for Google to establish the SAML connection with Gainsight:

  • AssertionConsumerService → Location: This value appears near the bottom of the XML file. Copy the full URL. It corresponds to the blurred section shown in the image below. 

    AssertionConsumerService copied link
     
  • Entity ID: This value appears near the top of the XML file. Copy the full Entity ID string. It corresponds to the blurred section in the image below. 

    Entity ID value appears near the top of the XML file.

These values must be entered in the Service Provider Details section (Step 4 (d) in Create a Custom SAML App in Google) in Google Workspace. 

Assign Users or Groups to the SAML App

Once the SAML application setup is complete, you must assign users to a group to grant them access to the application. To assign users to SAML app:

  1. Navigate to Apps > Web and mobile apps.
  2. Click on the SAML app. 

    Web and mobile app with Gainsight app.
     
  3. Expand User access. The Service status screen appears.

    User access dropdown in gainsight.
     
  4. Select a desired service status from the available options:
    • ON for everyone
    • OFF for everyone

      Service status option in Gainsight google app.
       
  5. Click SAVE.

Test and Finalize SAML SSO

Use this process to test, validate, and roll out SAML SSO access in Gainsight, and remove temporary authentication once confirmed.

  • Test SAML Access
    • Sign in as a test user who has been assigned the SAML app in Google Workspace.
    • Verify that the user can successfully log in to Gainsight using SSO.
  • Roll Out to Users: After successful testing, roll out SAML access to admins and then to end users, as appropriate for your organization.
  • Disconnect Temporary DB Authentication: Once SAML is fully functional for all required users, Submit a ticket to Gainsight Support requesting removal of temporary DB authentication for your org or specific users.