Single Sign-On (SSO) using SAML v2.0

This article covers setting up Single Sign-On (SSO) with your IdP using the Gatekeeper Generic SAML v2.0 Connector.

Note:

  • Before proceeding with the configuration of Single Sign-On (SSO) using SAML v2.0, follow the recommendations in our SSO Best Practices Guide.
  • When configuring SSO using our generic SAML v2.0 connector, you will need details from your Identity Provider (IdP) and once configured in Gatekeeper, you will have additional details to add to your IdP. This will likely require support from your IT/Technical team.
  • This feature is available with our Enterprise and Custom Enterprise Plans only. Essentials and Pro customers have access to Microsoft SSO and Google SSO.

What you will need:

  • Ensure you have at least one user set up in both your Gatekeeper tenant and your Identity Provider (IdP).
  • You will need either your IdP Metadata URL, or you can use your IdP Metadata XML.

Part 1 - Prepare Gatekeeper for Configuration

  1. From the navigation menu, expand Settings then click Configuration.
  2. Click Authentication.
  3. Select the Allow All Authentication Methods radio button.
  4. Click Save.

Note: Do not select the Require SAML 2.0 authentication radio button at this stage. Without configuring and testing this setting, you may lock yourself out of your Gatekeeper tenant.

If you have done this and locked your tenant, inform our Support team here.

Part 2 - Configure Your IdP/AD App

Create the custom App for Gatekeeper in your Portal. 

  • Email should be used as NameID in the SAML Token.

  • Your Login URL for users can be found under SSO URL in Gatekeeper - see Part 3 for further details.


Note: Gatekeeper has a dedicated OAuth feature for SSO. This means the URLs for our login pages are:

auth-eu.gatekeeperhq.com when using our European instance

auth-us.gatekeeperhq.com when using our US instance

auth-ca.gatekeeperhq.com when using our Canada instance

auth-apac.gatekeeperhq.com when using our Australia/Asia-Pacific instance

This auth- URL might be what you need to use for your Base URL when configuring your app.

Part 3 - Configure Gatekeeper

  1. From the navigation menu, expand Settings then click Configuration.
  2. Click Authentication, then click Configure SAML 2.0.
  3. Enter the values obtained from your IdP/AD, using either the IdP Metadata URL or XML.
  4. Once entered, click Create.


Gatekeeper will then reload the configuration page, displaying the information that was retrieved from the URL/XML you entered.

This will also provide the necessary Metadata to complete the configuration of your SAML v2.0 SSO integration within your IdP:

Part 4 - Test the SSO Connection

  1. Log out of Gatekeeper.
  2. On the log in screen, click LOGIN WITH SSO.
  3. Enter your credentials and sign in.

When troubleshooting login issues, verifying the case sensitivity of both the email address and password is essential.

Note: It's recommended to verify that other users can log in successfully by checking their login history. To find this, from the navigation menu, expand Settings then click Users. Click on a user's Name then go to the Logins tab.

Part 5 - Restrict Access to Only Allow SAML SSO

After testing the SAML SSO configuration, you can restrict access to only allow this as the login method for your users.

  1. From the navigation menu, expand Settings then click Configuration.
  2. Click Authentication.
  3. Select the Require SAML 2.0 authentication radio button.
    1. Enable the Support Access toggle to allow tenant users with the @gatekeeperhq.com domain to bypass your SSO authentication requirements, so that they can assist with any support enquiries related to your tenant. It is strongly recommended to enable this.
  4. Click Save.

If you restrict your Gatekeeper tenant to only allow login via SAML SSO, the other options will remain on the log in screen, but users will not be able to use them. Ensure that all users are aware of the correct login method to avoid access issues.