Gainsight Inc.

Configure SAML SSO with Okta in Gainsight

This article helps Gainsight admins configure Single Sign-On (SSO) between Okta and Gainsight using SAML 2.0.

Overview

This document provides step-by-step guidance for admins to configure Single Sign-On (SSO) between Okta and Gainsight using the SAML 2.0 protocol. Enabling SSO helps ensure secure, centralized user authentication and simplifies access management across your organization.

The configuration setup consists of two stages:

  1. Create an Application in Okta
  2. Configure SAML Authentication in Gainsight

Create an Application in Okta

To start the integration, set up an App integration in Okta. This provides the SSO URL and Audience URI (SP Entity ID) required to configure SAML in Gainsight.

To set up the Okta App integration:

  1. Log in to the Okta Admin console.
  2. Navigate to Applications > Create App Integration. The Create a new app integration dialog box appears.

    New app integration setup screen selecting SAML 2.0 as the sign-in method for SSO
     
  3. Select SAML 2.0.
  4. Click Next. The Create SAML Integration page appears.
  5. Under the General Settings tab, enter the app name.
  6. Click Next.

    Create SAML integration screen with fields for app name, optional logo, and Next button highlighted
     
  7. Under the Configure SAML tab, configure the SAML Settings.
    1. Single Sign-On URL: Enter the location where the SAML assertion is sent. This is a temporary placeholder URL. The value is only required to proceed with creating the Okta app and downloading the certificate. For example, https://placeholder-url.com/ (replace with any valid dummy URL).
    2. Audience URI (SP Entity ID): Enter the application-defined unique identifier, which is the intended audience of the SAML assertion. This is a temporary identifier, used only to complete the initial app setup so that you can download the certificate. For example, placeholder-entity-ID (replace with your own value).

      SAML configuration page showing fields for single sign-on URL and audience URI (SP entity ID)
       
  8. Click Next. The Feedback tab appears.
  9. Click Finish to complete the configuration.

Download SHA-2 Certificate

Once the configuration is complete, download the SHA-2 certificate. You upload this certificate to the Gainsight instance to complete the Okta authentication setup.

To download the certificate:

  1. Navigate to Applications, select the application configured above, and click the Sign-On tab.
  2. Under the SAML Signing Certificates, select Actions next to the SHA-2 certificate.
  3. Click Download certificate.

SAML signing certificates page showing active and inactive certificates with option to download.

Configure SAML Authentication in Gainsight

In this step, use the Single Sign-On and the SHA-2 certificate downloaded from Okta to configure SAML authentication in Gainsight.

To set up the authentication:

  1. Navigate to Administration > User Management and click the Authentication tab.
  2. From the Add Authentication dropdown menu, select SAML. The SAML Mechanism dialog box appears.

    User management authentication page showing list of login methods and option to add SAML authentication.
     
  3. Enter the following details to set up the SAML authentication:
    • Name: Unique connection name for authentication.
    • Email Domain: Domain name for SAML authentication.
    • Sign-In URL: SAML login URL for authentication. Use the App Embedded Link from Okta in Applications > General settings.

      Okta app embed link settings showing generated embed URL for external sign-in access
       
    • Certificate: Upload the SHA-2 certificate downloaded from Okta.
  4. Click Save.

SAML mechanism setup form with fields for email domain, sign-in URLs, certificate upload, and field mapping

Update the SSO URL and Entity ID

After saving the SAML configuration, download the XML file to get the new SSO URL and Audience URI and update the information in Okta.

To obtain the new SSO URL and Audience URI:

  1. Navigate to Administration > User Management and click the Authentication tab.
  2. Click Edit next to the SAML connection. The SAML Mechanism dialog box appears.


    User management authentication page showing SAML connection with edit option selected.
     
  3. To download the XML file metadata, click Download.

    SAML mechanism configuration form showing fields for URLs, certificate upload, and a download option.
     
  4. Open the XML file and copy the following details:
    • Single Sign-on URL found at the bottom of the file.

      SAML XML snippet showing AssertionConsumerService element with highlighted Location attribute.
    • Audience URI (SP Entity ID) found at the start of the file.

      SAML metadata XML snippet showing EntityDescriptor tag with highlighted entityID attribute.
  5. Paste the newly copied SSO URL in the Gainsight SAML Mechanism and click Save.
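
The copy step above can be checked with a short script before the values go into Okta. This is an added example, not Gainsight or Okta code: the sample metadata and its `sp.example.test` values are constructed, and the function name and its `placeholders` parameter are hypothetical. It assumes the IdP delivers the assertion over the HTTP-POST binding.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; these values are placeholders, not Gainsight's.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="urn:example:sp:constructed-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_settings(metadata_xml, placeholders=()):
    """Return (sso_url, audience_uri) from SP metadata, or raise ValueError."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    audience = (root.get("entityID") or "").strip()
    if not audience:
        raise ValueError("entityID is missing")
    # Assumption: the IdP posts the assertion, so only HTTP-POST endpoints count.
    acs = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    sso_url = (acs[0].get("Location") or "").strip()
    parsed = urlparse(sso_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"ACS Location is not an https URL: {sso_url!r}")
    # Catch a temporary setup value that was never replaced.
    for value in (sso_url, audience):
        if value in placeholders:
            raise ValueError(f"value is still a setup placeholder: {value!r}")
    return sso_url, audience
```

Pass the temporary URL and identifier from the initial Okta app setup as `placeholders` so a value that was never replaced is rejected instead of being copied back into Okta.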

Update Okta with SSO Information

With the new SSO URL and Audience URI (SP Entity ID) obtained from the XML file, update the application details in Okta.

  1. In Okta, navigate to Applications, select the application configured above, and click the General tab.
  2. In the SAML Settings section, click Edit. The General setting tab opens.

    Okta app settings page showing application details and SAML settings section with Edit option highlighted.
     
  3. Click Next. The Configure SAML page appears.
  4. Update the Single Sign-On URL and Audience URI (SP Entity ID) fields.

    SAML configuration page showing fields for Single Sign-On URL and Audience URI (SP Entity ID).

Create Attributes and Assign Users in Okta

You can create email attributes to assign users to Okta. To create attributes:

  1. Navigate to Applications, select the application configured above, and click the General tab.
  2. In the SAML Settings section, click Edit. The General setting page appears.
  3. Click Next. The Configure SAML page appears.
  4. Under Attribute Statements, map the Email attribute to the corresponding Okta user value.

    SAML attribute statements section showing email attribute mapped to user.email.
     
  5. Click Next. The Feedback tab appears.
  6. Click Finish to complete the configuration.

The Okta integration setup is complete. Assign the app to the required users or user groups to enable access to Gainsight.