Contents x
    Single Sign-On
    • 15 Apr 2024
    • 10 Minutes to read
    • Dark
      Light
    Contents

    Single Sign-On

    • Updated on 15 Apr 2024
    • 10 Minutes to read
    • Dark
      Light
    Article Summary

    Configuring single sign-on (SSO) enables you to provision my.G2 admin access using your identity and access management (IAM) platform.

    sso demo

    IAM software protects your systems from unauthorized access by only allowing authenticated, authorized users to access specific company systems and data. For more details about IAM solutions, refer to G2’s IAM category page.

    SSO mitigates the burden and potential security risk of maintaining unique login credentials for each piece of software in your tech stack. Depending on your IAM platform, configuring SSO also enables you to conveniently access my.G2 alongside your other SSO-enabled software.

    sso app launch

    To access the Single Sign On tab, log in to my.G2, then navigate to Account > Single Sign On.

    Basics of SSO in my.G2

    This section describes the basics of using the Single Sign On tab. For more information on setting up SSO, refer to the Implementation section.

    Access to my.G2 is typically granted via the Admin Users tab, which is scoped to a single product – if you have multiple products listed on G2, you must manage access for each product individually using the corresponding Admin Users tab.

    sso current provisioning per product

    By configuring SSO, you can provision my.G2 access to multiple products simultaneously using Groups.

    Groups

    The Groups tab enables you to manage product access and permission sets for subsets of your users.

    A screenshot showing the Groups tab. Each group has view, edit, or delete functionality.

    When you set up SSO, G2 creates two groups (Marketing and Sales) and automatically migrates your existing users into these groups based on the role they had in the Admin Users tab.

    To create a new group:

    1. Log in to my.G2, then navigate to Account > Single Sign On > Groups.
    2. Select Add a new Group.
    3. Enter a Name and Description for your group.
    4. Choose a Role for the group. All users in this group will be assigned this role.

    The Admin role gives full access to my.G2, including modifying organization settings, inviting users, and creating groups.

    The User role can access all pages in my.G2, but cannot modify organization settings via the Single Sign On tab. This role has the same permissions as the Marketing role in the Admin Users tab.

    The Viewer role provides content-only access. This role has the same permissions as the Sales role in the Admin Users tab.

    1. From the Assigned products dropdown, search for and select the products that you want your users to access in my.G2. If you leave this field empty, all products will be included.
    2. From the Assigned users dropdown, search for and select the users to add to the group.
    3. Select Save changes.

    A screenshot of the configuration for an individual groups. The fields listed are name, role, description, assigned products, and assigned users. There is also an Edit button to modify the group.

    By default, new users added via SSO are assigned to the Marketing group. To update your default group for SSO, navigate to the Single Sign On tab. Select Settings, then from the Default Group for New Users dropdown, choose a group.

    This screenshot shows the Default Group for New Users dropdown within the Single Sign On tab.

    Users can be assigned to multiple groups. If a user is assigned the Viewer role for a product in one group, but the Admin role for the same product in another group, they will have Admin permissions for that product.

    You can also sync groups settings between my.G2 and the IAM platform you use for SSO. For more information, refer to the Syncing groups with your IAM platform section.

    Users

    The Users tab provides basic information about each of your users, including their email, name, group(s), and status.

    This screenshot shows the Users tab, including the users table, with the columns email, name, groups, and active. Users can also use the corresponding dropdowns to filter the table by Group or Activity status. Or use the search bar to find individual users

    You can directly modify a user's groups from the Groups dropdown.

    How to modify the groups associated with a user by using the dropdown in the Groups column

    For more information on using groups, refer to the Groups section.

    To invite new users to manage your product(s) in my.G2:

    1. Go to my.G2, then Account > Single Sign On.
    2. Navigate to the Users tab, then select Invite your team.
    3. Choose a group, then share the invite URL with your new users. They will be prompted to create a new G2 account or link an existing one.

    This screenshot shows the dropdown for setting the group

    Logging in with SSO

    When members of your organization authenticate via SSO, their personal G2 accounts are granted permission to manage your product(s) in my.G2. In order to access my.G2, each user must have (and be logged into) a personal G2 account.

    Users who are authenticated with SSO but not logged into their personal G2 account will be prompted to log in or create an account before they can access my.G2.

    sso without g2 login

    Implementation

    Before getting started

    Before proceeding with the following implementation steps, please contact your G2 representative to configure SSO for your organization.

    1. Access your SAML configuration details in my.G2

    There are several configuration details you must provide to your identity and access management (IAM) platform to initiate the authentication process.

    Navigate to my.G2, then Single Sign On > Single Sign On. Retain the information in the Details section for configuring SAML in the next step.

    access configuration credentials

    2. Configure SAML in your IAM platform

    G2 offers step-by-step configuration instructions for creating a new SAML integration in common IAM platforms. If your platform is not included, please contact your IAM platform representative for assistance creating a new SAML integration.

    G2 can pass supplemental user attributes to your SAML assertion, including first name, last name, and company.

    If your IAM platform supports SCIM provisioning, you'll be able to update these my.G2 user attributes directly from your IAM platform.

    You must define this mapping relationship in your IAM platform using the key names of first_name, last_name, and company before providing this information to G2 in the next step.

    You can also sync SSO access groups between my.G2 and your IAM platform via SCIM. For more information on group permissions, refer to the Groups section.

    For an example of how to sync groups with your IAM provider, refer to the Syncing groups with your IAM platform section.

    3. Add your identity provider credentials to my.G2

    After configuring your SAML integration, your IAM platform will generate access credentials for G2, including an Identity Provider Single Sign-On URL and an Identity Provider Certificate.

    To add these credentials:

    1. Navigate to my.G2, then Single Sign On > Single Sign On.
    2. Open the Settings dropdown, then enter your credentials into the corresponding fields.

    sso add idp credentials

    1. (Optional) If you added supplemental attribute statements to your SAML assertion, enter the associated values in the Attribute Statements section. The company field is optional.

    sso add idp credentials

    1. Select Save.

    4. Activate SSO

    To activate SSO, select Connect, then select Login with SSO. If you successfully configured SSO, you will be redirected to the Single Sign On tab and a checkmark will be displayed.

    sso test SAML

    If your connection attempt fails, verify that you assigned yourself SSO access in your IAM platform.

    After successfully connecting, set the Manage this Organization with SSO slider to ON to enable SSO.

    sso toggle active

    You should ensure that your users are assigned SSO access in your IAM platform. Users will not be able to log into my.G2 until they are assigned access.

    5. Configure group access

    G2 automatically migrates your existing users to SSO while maintaining their existing permission sets based on the role they had in the Admin Users tab.

    You can create new access groups directly in the Groups tab, or import them from your IAM platform via SCIM. For an example of how to sync access groups between my.G2 and your IAM platform, refer to the Syncing groups with your IAM platform section.

    Configuring SAML in your IAM platform

    G2 offers instructions for configuring SAML integrations in commonly-used identity and access management (IAM) platforms. These instructions should be used to complete step 2 of the implementation process.

    Okta

    1. Create a new app in Okta

    To get started, log in to Okta, then navigate to the Applications tab.

    sso okta create app

    To create a new app:

    1. Select Create App Integration.
    2. Select SAML 2.0 as your authentication method, then select Next.
    3. In the General Settings panel, enter the following information, then select Next.
    FieldValue
    App namemy.G2
    App logoDownload G2’s logo from this link, then select the Upload icon to add the logo to your Okta app.
    App visibilityG2 recommends selecting the corresponding checkbox to hide your application from users until you have completed the full implementation process.

    sso okta general settings

    2. Configure SAML

    After entering your General Settings, you can configure SAML for your my.G2 app.

    sso okta configure saml

    To configure your SAML settings:

    1. In the SAML Settings panel, enter your G2-provided Single sign on URL and Audience URI.

    For more information, refer to the Access your SAML configuration details in my.G2 section.

    1. From the Name ID format dropdown, select EmailAddress.
    2. (Optional) If you want to include custom user attributes in your SAML assertion, use the Attribute Statements section to map the Name and Value relationships.
    NameName formatValue
    first_nameBasicuser.firstName
    last_nameBasicuser.lastName
    companyBasicuser.company

    sso okta attribute statements

    1. Select Next.

    3. Feedback for Okta Support

    Okta requests that you provide two supplemental pieces of information about your new app. Enter the following information, then select Finish.

    FieldValue
    Are you a customer or partner?I’m an Okta customer adding an Internal app
    App typeThis is an internal app that we have created

    sso okta feedback

    4. Assign access

    You must assign SSO access to yourself to complete the implementation process in my.G2. Navigate to the Assignments tab, then select Assign > Assign to People to search for and select your user account.

    sso okta assign app

    You can also assign access to other members of your organization at this step. Users will not be able to log into my.G2 until they are assigned app access in Okta.

    5. (Optional) Enable SCIM provisioning

    SCIM provisioning enables you to add, update, and remove my.G2 users directly from Okta. You can also use SCIM to import Okta access groups into my.G2.

    In order to use SCIM provisioning to update user information, you must map the first_name, last_name, and company user attributes in your SAML assertion.

    If you did not map custom attributes when configuring your SAML settings, refer to step 3 of the Configure SAML section before proceeding.

    You will use your G2-provided SCIM Base URL and SCIM Authentication Token to configure SCIM provisioning in Okta. For more information on accessing your SCIM Base URL and SCIM Authentication Token, refer to the Access your SAML configuration details in my.G2 section.

    To activate SCIM provisioning:

    1. Navigate to the General tab, then select Edit to access your App Settings.
    2. From the Provisioning section, select the Enable SCIM provisioning checkbox, then select Save.

    okta enable SCIM

    1. Navigate to the Provisioning tab, then select Edit to access your SCIM Connection settings.

    okta access SCIM configuration

    1. In the SCIM connector base URL section, enter your G2-provided SCIM Base URL.
    2. In the Unique identifier field for users field, enter userName.
    3. In the Supported provisioning actions section, select the checkboxes for Import New User and Profile Updates, Push New Users, Push Profile Updates, and Push Groups.

    okta add SCIM credentials and permissions

    1. Set the Authentication Mode dropdown to HTTP Header, then paste your G2-provided SCIM Authentication Token into the Authorization field.

    okta add SCIM HTTP auth bearer token

    1. Select Save to test your configuration. If successful, you will be redirected to the Provisioning to App tab.

    example successful auth

    1. Select Edit, then select the Enable checkboxes for Create Users, Update User Attributes, and Deactivate Users.

    select SCIM permissions checkboxes

    1. Select Save.

    6. Access your SAML setup instructions

    sso saml setup

    To access your SAML credentials:

    1. Navigate to the Sign On tab.
    2. From the SAML Setup section, select View SAML setup instructions.
    3. Copy the information in the Identity Provider Single Sign-On URL and X.509 Certificate sections.
    4. Proceed with step 3 of implementation, entering your Identity Provider Single Sign-On URL and X.509 Certificate into the corresponding fields in my.G2.

    sso saml credentials

    Syncing groups with your IAM platform

    After configuring SCIM, you can sync access groups between my.G2 and your IAM platform.

    This section demonstrates how to perform group actions in Okta, which can be adapted to your particular IAM platform.

    To access group actions in Okta, go to your my.G2 SAML application in Okta, then navigate to the Push Groups tab.

    Highlight the push groups tab in Okta.

    If you cannot access the Push Groups tab, you might need to enable the corresponding setting in your SCIM configuration.

    Push groups to my.G2

    To push groups from Okta to my.G2, select Push Groups > Find groups by name, then search for and select the group you want to push.

    How to begin finding the groups you want to push to my.G2.

    After selecting your Okta group, use the Match result & push action section to choose whether you want to create a new group in my.G2 or link your Okta group to an existing my.G2 group using the corresponding dropdown.

    Choose your push option, either create group or link to an existing group.

    Import groups from my.G2

    To import your access groups from my.G2, select Refresh App Groups.

    How to import groups in Okta.

    You can now map my.G2 groups to their corresponding Okta groups, or create a new Okta group for mapping.

    Import Okta groups example

    What's Next