- 27 Feb 2024
- 10 Minutes to read
- Updated on 27 Feb 2024
- 10 Minutes to read
Configuring single sign-on (SSO) enables you to provision my.G2 admin access using your identity and access management (IAM) platform.
IAM software protects your systems from unauthorized access by only allowing authenticated, authorized users to access specific company systems and data. For more details about IAM solutions, refer to G2’s IAM category page.
SSO mitigates the burden and potential security risk of maintaining unique login credentials for each piece of software in your tech stack. Depending on your IAM platform, configuring SSO also enables you to conveniently access my.G2 alongside your other SSO-enabled software.
To access the Single Sign On tab, log in to my.G2, then navigate to Account > Single Sign On.
Basics of SSO in my.G2
This section describes the basics of using the Single Sign On tab. For more information on setting up SSO, refer to the Implementation section.
Access to my.G2 is typically granted via the Admin Users tab, which is scoped to a single product – if you have multiple products listed on G2, you must manage access for each product individually using the corresponding Admin Users tab.
By configuring SSO, you can provision my.G2 access to multiple products simultaneously using Groups.
The Groups tab enables you to manage product access and permission sets for subsets of your users.
When you set up SSO, G2 creates two groups (Marketing and Sales) and automatically migrates your existing users into these groups based on the role they had in the Admin Users tab.
To create a new group:
- Log in to my.G2, then navigate to Account > Single Sign On > Groups.
- Select Add a new Group.
- Enter a Name and Description for your group.
- Choose a Role for the group. All users in this group will be assigned this role.
The Admin role gives full access to my.G2, including modifying organization settings, inviting users, and creating groups.
The User role can access all pages in my.G2, but cannot modify organization settings via the Single Sign On tab. This role has the same permissions as the Marketing role in the Admin Users tab.
The Viewer role provides content-only access. This role has the same permissions as the Sales role in the Admin Users tab.
- From the Assigned products dropdown, search for and select the products that you want your users to access in my.G2. If you leave this field empty, all products will be included.
- From the Assigned users dropdown, search for and select the users to add to the group.
- Select Save changes.
By default, new users added via SSO are assigned to the Marketing group. To update your default group for SSO, navigate to the Single Sign On tab. Select Settings, then from the Default Group for New Users dropdown, choose a group.
Users can be assigned to multiple groups. If a user is assigned the Viewer role for a product in one group, but the Admin role for the same product in another group, they will have Admin permissions for that product.
You can also sync groups settings between my.G2 and the IAM platform you use for SSO. For more information, refer to the Syncing groups with your IAM platform section.
The Users tab provides basic information about each of your users, including their email, name, group(s), and status.
You can directly modify a user's groups from the Groups dropdown.
For more information on using groups, refer to the Groups section.
To invite new users to manage your product(s) in my.G2:
- Go to my.G2, then Account > Single Sign On.
- Navigate to the Users tab, then select Invite your team.
- Choose a group, then share the invite URL with your new users. They will be prompted to create a new G2 account or link an existing one.
Logging in with SSO
When members of your organization authenticate via SSO, their personal G2 accounts are granted permission to manage your product(s) in my.G2. In order to access my.G2, each user must have (and be logged into) a personal G2 account.
Users who are authenticated with SSO but not logged into their personal G2 account will be prompted to log in or create an account before they can access my.G2.
Before getting started
Before proceeding with the following implementation steps, please contact your G2 representative to configure SSO for your organization.
1. Access your SAML configuration details in my.G2
There are several configuration details you must provide to your identity and access management (IAM) platform to initiate the authentication process.
2. Configure SAML in your IAM platform
G2 offers step-by-step configuration instructions for creating a new SAML integration in common IAM platforms. If your platform is not included, please contact your IAM platform representative for assistance creating a new SAML integration.
G2 can pass supplemental user attributes to your SAML assertion, including first name, last name, and company.
If your IAM platform supports SCIM provisioning, you'll be able to update these my.G2 user attributes directly from your IAM platform.
You must define this mapping relationship in your IAM platform using the key names of
company before providing this information to G2 in the next step.
3. Add your identity provider credentials to my.G2
After configuring your SAML integration, your IAM platform will generate access credentials for G2, including an Identity Provider Single Sign-On URL and an Identity Provider Certificate.
To add these credentials:
- Navigate to my.G2, then Single Sign On > Single Sign On.
- Open the Settings dropdown, then enter your credentials into the corresponding fields.
- (Optional) If you added supplemental attribute statements to your SAML assertion, enter the associated values in the Attribute Statements section.
- Select Save.
4. Activate SSO
To activate SSO, select Connect, then select Login with SSO. If you successfully configured SSO, you will be redirected to the Single Sign On tab and a checkmark will be displayed.
If your connection attempt fails, verify that you assigned yourself SSO access in your IAM platform.
After successfully connecting, set the Manage this Organization with SSO slider to ON to enable SSO.
You should ensure that your users are assigned SSO access in your IAM platform. Users will not be able to log into my.G2 until they are assigned access.
5. Configure group access
G2 automatically migrates your existing users to SSO while maintaining their existing permission sets based on the role they had in the Admin Users tab.
You can create new access groups directly in the Groups tab, or import them from your IAM platform via SCIM. For an example of how to sync access groups between my.G2 and your IAM platform, refer to the Syncing groups with your IAM platform section.
Configuring SAML in your IAM platform
G2 offers instructions for configuring SAML integrations in commonly-used identity and access management (IAM) platforms. These instructions should be used to complete step 2 of the implementation process.
1. Create a new app in Okta
To get started, log in to Okta, then navigate to the Applications tab.
To create a new app:
- Select Create App Integration.
- Select SAML 2.0 as your authentication method, then select Next.
- In the General Settings panel, enter the following information, then select Next.
|Download G2’s logo from this link, then select the Upload icon to add the logo to your Okta app.
|G2 recommends selecting the corresponding checkbox to hide your application from users until you have completed the full implementation process.
2. Configure SAML
After entering your General Settings, you can configure SAML for your my.G2 app.
To configure your SAML settings:
- In the SAML Settings panel, enter your G2-provided Single sign on URL and Audience URI.
For more information, refer to the Access your SAML configuration details in my.G2 section.
- From the Name ID format dropdown, select EmailAddress.
- (Optional) If you want to include custom user attributes in your SAML assertion, use the Attribute Statements section to map the Name and Value relationships.
- Select Next.
3. Feedback for Okta Support
Okta requests that you provide two supplemental pieces of information about your new app. Enter the following information, then select Finish.
|Are you a customer or partner?
|I’m an Okta customer adding an Internal app
|This is an internal app that we have created
4. Assign access
You must assign SSO access to yourself to complete the implementation process in my.G2. Navigate to the Assignments tab, then select Assign > Assign to People to search for and select your user account.
You can also assign access to other members of your organization at this step. Users will not be able to log into my.G2 until they are assigned app access in Okta.
5. (Optional) Enable SCIM provisioning
SCIM provisioning enables you to add, update, and remove my.G2 users directly from Okta. You can also use SCIM to import Okta access groups into my.G2.
In order to use SCIM provisioning to update user information, you must map the
company user attributes in your SAML assertion.
If you did not map custom attributes when configuring your SAML settings, refer to step 3 of the Configure SAML section before proceeding.
You will use your G2-provided SCIM Base URL and SCIM Authentication Token to configure SCIM provisioning in Okta. For more information on accessing your SCIM Base URL and SCIM Authentication Token, refer to the Access your SAML configuration details in my.G2 section.
To activate SCIM provisioning:
- Navigate to the General tab, then select Edit to access your App Settings.
- From the Provisioning section, select the Enable SCIM provisioning checkbox, then select Save.
- Navigate to the Provisioning tab, then select Edit to access your SCIM Connection settings.
- In the SCIM connector base URL section, enter your G2-provided SCIM Base URL.
- In the Unique identifier field for users field, enter
- In the Supported provisioning actions section, select the checkboxes for Import New User and Profile Updates, Push New Users, Push Profile Updates, and Push Groups.
- Set the Authentication Mode dropdown to HTTP Header, then paste your G2-provided SCIM Authentication Token into the Authorization field.
- Select Save to test your configuration. If successful, you will be redirected to the Provisioning to App tab.
- Select Edit, then select the Enable checkboxes for Create Users, Update User Attributes, and Deactivate Users.
- Select Save.
6. Access your SAML setup instructions
To access your SAML credentials:
- Navigate to the Sign On tab.
- From the SAML Setup section, select View SAML setup instructions.
- Copy the information in the Identity Provider Single Sign-On URL and X.509 Certificate sections.
- Proceed with step 3 of implementation, entering your Identity Provider Single Sign-On URL and X.509 Certificate into the corresponding fields in my.G2.
Syncing groups with your IAM platform
After configuring SCIM, you can sync access groups between my.G2 and your IAM platform.
This section demonstrates how to perform group actions in Okta, which can be adapted to your particular IAM platform.
To access group actions in Okta, go to your my.G2 SAML application in Okta, then navigate to the Push Groups tab.
If you cannot access the Push Groups tab, you might need to enable the corresponding setting in your SCIM configuration.
Push groups to my.G2
To push groups from Okta to my.G2, select Push Groups > Find groups by name, then search for and select the group you want to push.
After selecting your Okta group, use the Match result & push action section to choose whether you want to create a new group in my.G2 or link your Okta group to an existing my.G2 group using the corresponding dropdown.
Import groups from my.G2
To import your access groups from my.G2, select Refresh App Groups.
You can now map my.G2 groups to their corresponding Okta groups, or create a new Okta group for mapping.