Gain Compliance now offers organizations the ability to add Single Sign-On (SSO) for your team. SSO makes logging in easier by letting users access multiple systems with one login. This improves the user experience and also strengthens security by reducing the number of passwords users must manage, keeping the login process simple and safe. With the help of your IT team, Gain will implement the SSO integration for seamless access.
SSO is a Paid Premium Feature. If you're interested in implementing SSO for your business, please reach out to [email protected] and we'll connect you with our sales team.
Your corporate IT department will manage access to the Gain Compliance Application, as well as provide any additional password or login support.
Gain Compliance Application with SSO: Login User Workflow
When navigating to the Gain Compliance Application login screen, users type in their corporate email address and click Continue. They are then directed to your corporate SSO login screen, where they are authenticated. After passing through your corporate login, they are returned to the Gain Application as an authenticated user.
SSO Implementation Steps and IT Configuration
To connect your organization to the Gain Compliance Application via SSO, we recommend utilizing a SAML connection. The following documentation provides information for establishing a SAML connection.
In SAML terminology, Gain Compliance is the service provider and your SSO solution is the identity provider. Connecting your SSO solution with Gain involves four steps:
Step 1: Gain Compliance will complete the initial configuration of SSO and provide a service provider metadata XML to your organization.
Step 2: You will then configure your SSO solution:
  - Use the service provider metadata XML provided in Step 1 to configure your SSO solution.
  - Configure the following SAML attributes:
      - Map the “nameidentifier” attribute to a unique, immutable ID.
          - We do not support email address as an option for this unique identifier.
          - We do not support “/” slashes in the unique identifier.
          - For Microsoft Entra (Azure AD), consider utilizing “user.objectid”.
          - For Okta, consider “Okta Username”, “Employee ID”, “SAM account name” or a custom alternative: user.getInternalProperty("id")
  - Provide Gain Compliance with the identity provider metadata XML. This can be in the form of a URL or a file.
  - Provide Gain Compliance with a list of all email domains that should be configured for SSO.
Step 3: Gain Compliance will finalize the configuration on our side using the information in Step 2 (identity provider metadata XML). We will then schedule a cutover date and time with you.
Step 4: At the agreed upon time, we will configure one or more email domains associated with your account to require SSO. From that point forward all users with that domain will use their corporate credentials.
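The constraints in Step 2 (the identifier must be immutable, must not be an email address, and must not contain “/”) are easy to check on the service-provider side before cutover. The following is an added example written for this article, not Gain Compliance code: it builds a constructed, unsigned SAML Response with a chosen NameID, extracts the Subject/NameID, and reports whether the value would violate the stated rules. The sample identifier values and the issuer URL are constructed; the namespace URIs and the “unspecified” NameID format URN are the standard SAML 2.0 ones.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by a SAML 2.0 Response/Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Loose email shape: anything of the form local@domain.tld.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_sample_response(name_id: str) -> str:
    """Return a constructed, minimal SAML Response carrying the given NameID.

    Sample data for the check below, not a message captured from a real
    identity provider: it is unsigned and has no Conditions block.
    """
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.com/</saml:Issuer>'
        '<saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f'{escape(name_id)}'
        '</saml:NameID>'
        '</saml:Subject>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )


def extract_name_id(response_xml: str) -> str:
    """Pull the Subject/NameID text out of a SAML Response."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    return node.text.strip()


def name_id_problems(name_id: str) -> list:
    """Return the reasons a NameID is unsuitable; an empty list means it is acceptable.

    The rules are the ones the integration steps state: the identifier must
    not be an email address and must not contain '/'.
    """
    problems = []
    if EMAIL_RE.match(name_id):
        problems.append("NameID is an email address; map an immutable ID such as the directory object ID instead")
    if "/" in name_id:
        problems.append("NameID contains '/', which is not supported")
    return problems


def check_response(response_xml: str) -> list:
    """Extract the NameID from a Response and return its problems (empty list means OK)."""
    return name_id_problems(extract_name_id(response_xml))


if __name__ == "__main__":
    # Constructed candidates: an object-ID-style GUID, an email address,
    # and a value containing a path-style slash.
    for candidate in (
        "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
        "jane.doe@example.com",
        "CORP/jdoe",
    ):
        result = check_response(build_sample_response(candidate))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run it once against a test assertion exported from your identity provider (instead of the constructed one) before the cutover date; a NameID that flips from a GUID to an email after a directory change would otherwise surface only as users failing to match their existing Gain accounts.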
Gain Compliance SSO Implementation FAQs
❓Question: What happens if we need to add or remove a user to the Gain Compliance Application?
Answer: Please reach out to your corporate IT department; they now manage adding and removing users from the Gain Compliance Application. We’ve typically seen organizations use a “group” to manage who has access. Once users are removed from the group on your end, you may remove them from the “User List” using the trash icon.
NOTE: Removing a user from the User List alone does not affect their access. You MUST work with your IT team to revoke access.
❓Question: Our internal team removed access for the SSO user, but they are still appearing in Gain's organization user list within the application.
Answer: This is expected. Gain receives no notification from your SSO system when a user has been removed; there is no connectivity between the SSO system and Gain's user access for removals. After your IT team has removed their access from your end, Admins can remove the user from the User List in Gain to keep your list organized.
Important Notes:
  - Removing a user from the User List alone does not affect their access. You MUST work with your IT team to revoke access.
  - Until IT has removed them from the SSO group, users can still log into Gain even if you remove them from the list.
  - After IT has removed access, users will not be able to log in, but will still appear in the list until manually removed.
  - Users with Admin permission are able to remove users from the list.
❓Question: What forms of SSO does Gain Compliance support?
Answer: We currently support SAML integrations. Most of our integrations have been with Microsoft Entra and Okta. Please contact us if your organization requires a non-SAML solution.
❓Question: How long does this take?
Answer: Gain Compliance can typically be ready in less than a business day; however, for most customers we’ve found the process can take up to 2 to 4 weeks to coordinate with all parties involved.
❓Question: Will this involve downtime or disruption?
Answer: No. We will schedule with you a cutover date and time to minimize disruption. During the implementation phase, we will retain the ability to quickly revert to your current Gain Compliance Application username/password login if needed.
❓Question: Can we try this in a sandbox/staging environment?
Answer: We do not offer the ability for a staging environment. We will schedule an agreed upon cutover date and time to minimize disruption. During the implementation phase, we will retain the ability to quickly revert to your current Gain Compliance Application username/password login if needed.
❓Question: What happens to users' original Gain Compliance Application username and password?
Answer: Gain Compliance Application usernames and passwords will eventually no longer exist, as SSO will allow you to use your corporate username and password to log into the Gain Compliance Application.
❓Question: How are users provisioned?
Answer: Users are provisioned just-in-time (JIT) upon first login.
❓Question: How are users de-provisioned?
Answer: At this time, users remain in our database even after you have removed access from your end. However, they will have no access to the system, because all users are required to go through your SSO solution.
❓Question: How do user permissions work with SSO?
Answer: Your account will have one or more designated “Admins” who can manage role-based permissions within the Gain Compliance application. If you previously had non-SSO users set up with Gain, their permissions will migrate automatically to their new SSO user upon login. For brand new users, their role will default to “Viewer” upon first-time login. Roles can be updated by Admins after the SSO user logs in for the first time. Please reference our Managing Users & Role Based Permissions here.
❓Question: Are there any roles that need to be determined via SAML?
Answer: When a user logs in for the first time using SSO, they are defaulted to the “Viewer” application role. These can be updated by an Admin (after first login) using the User Management screen. These roles are not determined by SAML at this time.
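The provisioning behaviour described in the last few answers (just-in-time creation on first login, existing permissions carrying over for previously non-SSO users, “Viewer” as the default role, and removal from the User List being housekeeping rather than revocation) can be modelled in a few lines. This is an added example written for this article, not Gain Compliance's implementation: the in-memory user store, the assumption that the identity provider also supplies an email attribute used to match a pre-SSO account, and all sample identifiers and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_ROLE = "Viewer"  # the FAQ states brand-new SSO users start as Viewer


@dataclass
class User:
    email: str
    role: str
    name_id: Optional[str] = None  # SAML NameID; None for a pre-SSO username/password account


@dataclass
class UserStore:
    """In-memory stand-in for the application's User List (an assumption, not Gain's schema)."""
    users: List[User] = field(default_factory=list)

    def by_name_id(self, name_id: str) -> Optional[User]:
        return next((u for u in self.users if u.name_id == name_id), None)

    def legacy_by_email(self, email: str) -> Optional[User]:
        # A legacy account is one that has never logged in through SSO.
        return next(
            (u for u in self.users if u.name_id is None and u.email.lower() == email.lower()),
            None,
        )


def jit_login(store: UserStore, name_id: str, email: str) -> User:
    """Resolve a successfully authenticated SSO login to a user record.

    Called only after the identity provider has authenticated the user. This
    function never decides whether login is allowed; it only provisions.
    `email` is assumed to arrive as an attribute alongside the NameID.
    """
    user = store.by_name_id(name_id)
    if user is not None:
        return user  # returning SSO user: nothing to change
    legacy = store.legacy_by_email(email)
    if legacy is not None:
        legacy.name_id = name_id  # first SSO login of a pre-SSO user: role carries over
        return legacy
    user = User(email=email, role=DEFAULT_ROLE, name_id=name_id)  # brand-new user
    store.users.append(user)
    return user


def remove_from_user_list(store: UserStore, name_id: str) -> None:
    """Housekeeping only. Per the FAQ, this does not revoke access; the identity provider does."""
    store.users = [u for u in store.users if u.name_id != name_id]


def demo() -> dict:
    """Walk through a migration, a first-time login and a repeat login; return what happened."""
    # Constructed pre-SSO admin who already exists in the User List.
    store = UserStore([User(email="admin@example.com", role="Admin")])
    migrated = jit_login(store, "obj-1111", "admin@example.com")      # keeps Admin
    newcomer = jit_login(store, "obj-2222", "new.hire@example.com")   # becomes Viewer
    again = jit_login(store, "obj-2222", "new.hire@example.com")      # same record, no duplicate
    return {
        "migrated_role": migrated.role,
        "newcomer_role": newcomer.role,
        "same_record": again is newcomer,
        "user_count": len(store.users),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the model makes visible: nothing in the store gates a login, so a user who is removed from the list but still authorized at the identity provider is simply provisioned again on their next login. That is why the FAQ insists that revocation happens in your SSO group, with the User List cleanup coming afterwards.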
❓Question: Does Gain Compliance support SCIM?
Answer: Currently we do not support SCIM. We would love to hear the benefits SCIM has brought to your organization so we can better prioritize when to invest into this solution.
❓Question: Does Gain offer a free option for improving login security?
Answer: Yes, Gain Compliance offers Multi-Factor Authentication. This feature will need to be enabled for your organization. To learn more about Multi-Factor Authentication, please visit this help article.
❓Question: Where can I go to learn more about Gain's security?
Answer: If you would like to learn more about Security at Gain Compliance, please visit this help article.
