Single Sign-On(SSO) FAQs
This document addresses the frequently asked questions about SSO that are encountered by existing CS customers.
How does SSO benefit the end-users?
Users had to create different passwords for each of the Gainsight product instances, prior to the SSO implementation. With SSO, users only need to have one password to access all their Gainsight applications. Also, in case the user has multiple product instances, an app switcher is available that lists all their Gainsight instances and helps to switch to any other instance.
When can the user view the app switcher?
App switcher can be viewed by users, only when they have access to multiple product instances. In case, users have access to only one product instance, there will be no app switcher available in their instance.
Is admin configuration required to enable the app switcher?
Admin configuration is not required to enable the users to have single sign-on experience or the app switcher. Gainsight will be migrating the CS Production instances to SSO starting from the first week of August 2023 ( in a phased rollout). Admins who have multiple instances enabled in their org will receive a system-generated email as soon as their production instance is migrated. This email provides information on the further steps to be followed. The migration needs to be completed and the sandbox environments need to be refreshed for the users to experience SSO and view the app switcher.
Are there any changes that the admin needs to be aware of while adding or modifying user information in User Management?
There are no changes in the user management while adding or modifying the users. Admin needs to add users to each of their product instances. For example, if a user needs to be added to production and sandbox instances, the admin needs to add a user in the User Management section of both the production and sandbox environments.
Note: The username must be the same in both instances.
Are there any changes in the Welcome Email communication to the end users?
Yes, if the user is getting added to the Gainsight instances for the first time, the welcome email will contain the password reset instructions. But, if a user already exists in any one of the instances, and is getting added to a new instance, the user will be notified about the new instance, but without any reset password link. Users can continue using their existing credentials to log in to the new instances.
Are there changes to the SAML configuration that the admin needs to be aware of?
Currently, the SAML configuration is independent for each of the CS instances. This means that admin needs to configure SAML independently for each of the instances. With SSO, only one configuration is required and that is applied across all Gainsight CS instances. So, the admin has to perform configuration in the production instance, and that reflects in all instances including sandboxes.
Note: The same SAML configuration can be viewed in all your instances.
Are there any changes in the SAML/Google configuration in Sandboxes?
Yes, in Sandboxes now super admins cannot create a new SAML configuration or modify the existing SAML configuration. As the configuration is common in production and sandbox environments, admins can have read-only access to view the SAML configuration in sandbox instances.
Is there any changes in the Gainsight applications list view in the Identity Provider home page?
Currently, admin has to configure multiple Gainsight applications for each of the CS instances in the Identity Provider. With SSO, admins need to maintain only one instance configured on the Identity Provider home page.
How does the above change impact the end users?
The end users view only one Gainsight instance in the Identity Provider. While accessing that instance, they are navigated to the last used instance directly. In case they need to navigate to other instances, they can use the app switcher within the application to switch to another instance.
What happens when a user clicks on the Forgot Password link from the login page?
The user receives an email to reset the password. With SSO, users have one single credential. Resetting the password will change it all the instances and user must use the new password to access all the CS Gainsight instances.