Skip to main content
Gainsight Inc.

Single Sign-On (SSO) for Gainsight Applications

This article describes the single sign-on authentication in Gainsight to access all the Gainsight products and/or instances with single credentials.

This article describes the single sign-on authentication in Gainsight to access all the Gainsight products and/or instances with single credentials.

Overview

The implementation of a global authentication mechanism enhances user experience, security, and efficiency by allowing seamless authentication and access across multiple products or product instances. Single Sign-On(SSO) enables users to log in once and access all four Gainsight products (CS, PX, CC, and CE) without the need for multiple login credentials. This eliminates the hassle of remembering and managing multiple usernames and passwords, improving user productivity and reducing the risk of security breaches.

The SSO capability between CS, PX, CC, and CE is a strategic initiative that enhances security, simplifies user management, and improves collaboration and productivity across multiple products.

For more information frequently asked questions, refer to the Single Sign-On(SSO) FAQs article.

Gainsight Authentication

Before proceeding,  Gainsight recommends reading how to authenticate mechanisms supported in Gainsight NXT.

For more information on the authentication, refer to the Gainsight Authentication article.

Note: All Customer Success instances are migrated, and the Sandboxes once refreshed after your Production instance SSO migration, are automatically moved to SSO. In case, your sandbox is not refreshed yet, doing so will migrate them to Platform SSO.

Authentication

Once the SSO is enabled, any modifications done to the authentication of one instance will reflect on all your other instances.

User Management screen showing authentication methods with options for GSuite, DB, and SAML, and a button to add new authentication methods.

When Admins want to edit, delete, or change the Status of the authentication mechanism, a confirmation dialog appears.

Note: The message does not appear in case of Sandbox environment or if the user has only one instance.

Dialog box showing that changes to authentication settings will affect all product instances, with options to confirm or cancel.

To confirm the changes, click I Understand. All the edits or changes made to the authentication mechanism will now be applied to all product instances.

Admins can also decide on how users will be redirected when they log in through an Identity Provider (IDP).

To select the redirect method:

  1. Navigate to Administration > User Management > Authentication.
  2. Click Settings. The Settings slide-out panel appears.
  3. Select either of the two options:
    • Automatically redirect users to the instance they last logged into.
    • Give users the option to choose which instance to log into.
      Note: By default, Give users the option to choose which instance to log into is selected.
  4. Click Save.

Settings screen in User Management showing options for redirecting users during login, including automatic redirection and user choice of instance.

Accessing Gainsight Applications After SSO Enablement Using Identity Providers

Once SSO is enabled, users view a single Gainsight app in their identity provider portal such as Okta, instead of multiple products or instances.

Okta dashboard displaying various applications, with an arrow pointing to the Gainsight NXT app under the "My Apps" section

When users click the app, they are navigated to the Product Instance selection page. From here, users can select the instance they want to login.

Note:

  • Only those instances are shown that the user has access to.
  • If user has only one instance, the selection page is not displayed.

Gainsight login screen with options to choose product instances labeled CS, PX, CC, and CE, and a dropdown menu to select an instance

Users can use the App Switcher to navigate to other instances or products.

Screenshot 2023-09-15 at 2.39.14 PM.png

IMPORTANT

  • Users with access to multiple instances and who are logged in to Gainsight Hybrid org or tries to log in via SFDC click the app switcher, and they are navigated to Gainsight NXT. However, when they are accessing the NXT version, there is no option to navigate back to Hybrid version.
  • For customers who have SAML or G-Suite as identity providers, Super Admin only needs to perform configuration only once in any one of Gainsight instances, and the configurations gets applied to all their Gainsight instances. Super Admins do not have the option to create or update configurations from the Sandbox environments.
  • A Magic Link is enabled in the SSO login page whenever the Auth0 server is down. A temporary access mechanism is activated where users can log in to the system by providing a username. An email is sent with a Magic Link to the registered email ID, provided the email address is valid.
  • In a multi-product scenario, if the username is changed in Gainsight CS, this update will not automatically reflect in Gainsight PX. A new user with the same username must be created in Gainsight PX in order for the user to log in.
  • Was this article helpful?