Enterprise organizations can configure single sign-on (SSO) authentication and automated user provisioning through SAML and SCIM integrations. This enables centralized identity management, enhanced security, and streamlined user lifecycle management.

Overview

Dedicated Login Pages

Custom gumloop.com/org login portals for your organization

SAML Authentication

Enterprise SSO via Okta, Entra ID, Google AD, and more

SCIM Provisioning

Automated user provisioning plus custom-role and team sync from IdP groups

Dedicated SSO Login Pages

Enterprise customers can request a dedicated login page at gumloop.com/{your-org}. This provides a branded entry point for your organization’s users with configurable authentication options.
To request a custom login page, contact support@gumloop.com. Delivery is typically within a few hours after SAML connection setup.

Available Authentication Methods

Organizations can choose which authentication providers to enable or restrict:
Provider | Description | Recommendation
SAML SSO | Enterprise identity providers (Okta, Entra ID, etc.) | Recommended for enterprise
Google SSO | Sign in with Google Workspace | Suitable for Google-based organizations
Microsoft SSO | Sign in with Microsoft 365 | Suitable for Microsoft-based organizations
Email/Password | Traditional username and password | Not recommended for enterprise
Email/password authentication is not recommended for enterprise deployments. SAML or OAuth-based SSO provides stronger security controls and centralized identity management.

SAML Configuration

SAML (Security Assertion Markup Language) enables enterprise single sign-on through your organization’s identity provider.

Supported Identity Providers

Okta

Microsoft Entra ID

Google Workspace

JumpCloud

Ping Identity

Active Directory

Setting Up SAML

1. Access SSO Settings

Navigate to gumloop.com/settings/organization/sso
SAML and SCIM settings require the Admin organization role and an Enterprise subscription. SCIM-provisioned users land with the baseline Member RBAC role; their custom roles and team memberships come from IdP-group mappings (or name-based resolution, if enabled) and don’t affect RBAC.
2. Generate Setup Link

Click Generate Setup Link to create a SAML connection configuration. This generates the SP (Service Provider) details needed for your identity provider.
3. Configure Your Identity Provider

Use the generated details to configure a SAML application in your IdP. For step-by-step instructions, see the guides for your provider:
4. Request Custom Login Page

After completing SAML setup, contact support@gumloop.com to request your dedicated login page at gumloop.com/{your-org}.

SP-Initiated vs IdP-Initiated Login

Gumloop supports SP-initiated login only. This means users must start their login flow from Gumloop (the Service Provider) rather than from your identity provider’s app dashboard.
SP-Initiated Flow:
  1. User navigates to gumloop.com/{your-org}
  2. Clicks the SSO login button
  3. Redirects to your IdP for authentication
  4. Upon successful auth, returns to Gumloop with a valid session
This approach ensures Gumloop controls the full authentication handshake, including session token generation and storage.
For more technical details on SP vs IdP-initiated SSO, see SSOReady’s guide.

SAML Best Practices

Use SP-Initiated Login

Configure IdP tiles to redirect to your Gumloop login page rather than using IdP-initiated flows

Disable IdP-Initiated

Prevent IdP-initiated logins in your IdP settings to avoid session handling issues

Test Before Rollout

Verify the SAML connection with test users before enabling for your entire organization

Document for Users

Provide clear instructions to users on how to access Gumloop via your organization’s login page

SAML vs SCIM: User Provisioning

Just-In-Time (JIT) Provisioning

With SAML alone, users are provisioned when they first log in:
  • User authenticates via SAML for the first time
  • Gumloop automatically creates their account on successful auth
  • No pre-provisioning or advance user management
Best for: Organizations that don’t need advance user visibility or automated deprovisioning.

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) enables automated user provisioning, deprovisioning, and synchronization of both custom roles and teams between your identity provider and Gumloop. Each direction is configured independently, and each can resolve IdP groups via a curated mapping table or by name match with auto-create on miss.
SCIM is an add-on feature. Contact support@gumloop.com to request SCIM enablement for your organization. The team will evaluate your use case to determine if SCIM is the right solution for your needs.

What SCIM Provides

When users are assigned to the Gumloop application in your IdP, they are automatically provisioned in Gumloop. Users appear in your organization’s member list and can be viewed before they first log in (pre-provisioning).
When users are removed from the Gumloop application in your IdP, they are automatically deprovisioned—removing their access and freeing up seats.
IdP groups can be mapped to Gumloop Custom Roles, enabling centralized access control management. Users in multiple mapped IdP groups receive the union of every matched role.
This is group-based synchronization, not role-based access control (RBAC). Restrictions are managed through Gumloop’s Custom Roles system.
IdP groups can be mapped to Gumloop teams (projects). The team direction is independent of the custom-role direction — you can configure either, both, or neither. Users in multiple mapped IdP groups join every mapped team.
Each direction (roles, teams) has its own Use mapping table toggle:
  • On (default): the curated mapping table is the source of truth. IdP groups not in the table are skipped — users keep their current memberships when no mapping matches.
  • Off (name-based): Gumloop matches each IdP group’s display name directly to a Gumloop role/team (case- and whitespace-insensitive). On miss, a new role or team is auto-created using the IdP group’s name on the next sync. In this mode the IdP is the source of truth, so users with no matching IdP groups have their roles/teams wiped.
Switching a direction to name-based mode is destructive on next sync for users whose IdP groups don’t match any Gumloop entity — the UI requires explicit confirmation before applying. Use it only when your IdP is the authoritative system of record for that direction.
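
A dry-run preview of the name-based mode described above, added here as an illustration and not taken from Gumloop's code. It assumes you have exported each user's IdP group names and current Gumloop roles (or teams); the input shapes, the `norm` rule (lowercase, all whitespace removed) and the reading that any holding without a backing IdP group is dropped are assumptions.

```python
# Added example: models the documented name-based behaviour offline.
# Not Gumloop code; the normalisation rule and input shapes are assumptions.

def norm(name):
    """Assumed reading of 'case- and whitespace-insensitive' matching."""
    return "".join(name.split()).casefold()


def preview_name_based(users, existing_entities):
    """Per-user impact of switching one direction (roles or teams) to name-based mode.

    users: {email: {"idp_groups": [...], "current": [...]}}
    existing_entities: names of roles (or teams) that already exist in Gumloop.
    """
    known = {norm(e): e for e in existing_entities}
    report = {}
    for email, u in users.items():
        idp = {norm(g): g for g in u["idp_groups"]}
        report[email] = {
            # IdP group names that resolve to an existing entity.
            "matched": sorted(known[k] for k in idp if k in known),
            # Misses: the page says these are auto-created on the next sync.
            "auto_created": sorted(g for k, g in idp.items() if k not in known),
            # IdP is the source of truth: holdings with no backing group are dropped.
            "lost": sorted(c for c in u["current"] if norm(c) not in idp),
        }
    return report


# Constructed sample data; names are illustrative only.
EXISTING_ROLES = ["Workflow Builder", "Viewer", "Finance Admin"]
USERS = {
    "ana@example.com": {"idp_groups": ["workflow  builder"],
                        "current": ["Workflow Builder", "Finance Admin"]},
    "ben@example.com": {"idp_groups": [], "current": ["Viewer"]},
    "cy@example.com": {"idp_groups": ["GL-Analysts"], "current": ["Viewer"]},
}

if __name__ == "__main__":
    for email, impact in preview_name_based(USERS, EXISTING_ROLES).items():
        flag = "REVIEW" if impact["lost"] or impact["auto_created"] else "ok"
        print(f"{flag:6} {email} {impact}")
```

Any user with a non-empty `lost` list, and any entry under `auto_created`, is worth resolving in the IdP or the mapping table before confirming the toggle.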

Setting Up SCIM

1. Request SCIM Enablement

Contact support@gumloop.com to have SCIM enabled for your organization. The team will evaluate your use case to ensure SCIM is the right solution.
2. Generate SCIM Credentials

Once enabled, navigate to gumloop.com/settings/organization/sso and use Generate Setup Link to create SCIM directory credentials.
3. Configure Your Identity Provider

Set up SCIM provisioning in your IdP using the base URL and bearer token from Gumloop. See provider-specific guides:
SCIM is currently supported for Okta and Microsoft Entra ID only.
4. Create Mappings (Optional)

Map IdP groups to Gumloop entities under Group to Custom Role Mappings and Group to Team Mappings in the SSO settings. Each direction is independent.
Mappings are optional. With the Use mapping table toggle on (default) and the table empty, SCIM sync will not modify users’ role or team assignments — you can manage them directly in Gumloop. SCIM only changes a user’s memberships when an explicit mapping matches.
For each direction you can instead toggle Use mapping table off to switch to name-based mode, where IdP group names auto-resolve to existing Gumloop entities and unmatched names auto-create new ones on the next sync.
5. Enable Directory Sync

Select your SCIM directory on the /sso page and enable synchronization. You can trigger manual syncs or configure automated periodic syncs.

SCIM and Custom Roles / Teams

IdP groups are mapped to Gumloop Custom Roles and/or teams (projects), independently per direction. When users are synced, they are assigned the union of every matched mapping.
Important considerations:
  • If a direction’s mapping table is empty (and Use mapping table is on), SCIM leaves that direction’s assignments alone for existing users.
  • Create groups in your IdP first, then map them to Gumloop custom roles or teams.
  • Group names don’t need to match exactly when the mapping table is on — you define the mapping by selecting the Gumloop entity per row.
  • If mappings exist but no IdP group matches, the user is placed in the default custom role (and the default team for new provisions).

Sync Operations

Trigger | Description
Scheduled | Automatic periodic sync (every 15 minutes)
Manual | On-demand sync triggered by organization admin

Pre-Provisioned Users

Users assigned to Gumloop in your IdP are visible in your organization’s member list before they log in for the first time. This enables:
  • Advance seat planning
  • Pre-assigning users to teams
  • Visibility into pending onboarding
Pre-provisioned users don’t consume active seats until they complete their first login.

SCIM Best Practices

Map Groups If Needed

Configure role and team mappings only when you want SCIM to manage those assignments. With Use mapping table on and the table empty, users keep their current Gumloop memberships.

Prefer Mapping Table Mode

Default mapping-table mode is non-destructive — users with no matching IdP group are left alone. Use name-based mode only when your IdP is authoritative and you accept that descoped users will lose roles/teams.

Confirm Before Going Name-Based

Switching a direction off the mapping table will wipe roles/teams for users whose IdP groups don’t match any Gumloop entity on the next sync. The UI gates this behind a confirmation modal — read it.

Test with Pilot Group

Enable SCIM for a small test group before rolling out to the entire organization.

Monitor Audit Logs

Review SCIM-related audit events to verify provisioning, mapping changes, and auto-creates land as expected.

Disable = Fresh Start

Disabling SCIM clears all mapping tables, per-direction toggles, and SCIM tracking rows. Re-enabling starts clean — users remain in the org as if added manually.

SCIM Audit Events

SCIM operations are tracked in your organization’s audit logs:
Event | Description
SCIM_SYNC_STARTED | Directory sync operation initiated
SCIM_SYNC_COMPLETED | Sync completed with summary stats
SCIM_SYNC_FAILED | Sync failed with error details
SCIM_SYNC_ENABLED | SCIM sync enabled for the organization
SCIM_SYNC_DISABLED | SCIM sync disabled for the organization
SCIM_USER_PROVISIONED | New user provisioned via SCIM
SCIM_USER_DEPROVISIONED | User removed via SCIM
SCIM_USER_PERMISSION_GROUP_CHANGED | User’s custom-role assignments updated (union of mapped roles)
SCIM_USER_TEAM_CHANGED | User’s team memberships updated (union of mapped teams)
SCIM_GROUP_MAPPING_UPDATED | Curated role mappings table replaced
SCIM_TEAM_MAPPING_UPDATED | Curated team mappings table replaced
SCIM_AUTO_CREATED_ENTITY | A new role or team was auto-created from an unmatched IdP group name (name-based mode)
SCIM_USE_MAPPING_TABLE_CHANGED | A per-direction toggle (role or team) flipped between mapping-table and name-based modes
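
One way to review these events in bulk, added here as an example and not part of Gumloop's tooling: it flags the events that change how sync behaves and raises a finding when a mode toggle is followed by a burst of membership changes. The record shape (`ts`, `event`), the 30-minute window (two scheduled sync cycles) and the burst threshold are assumptions; only the event names come from the table above.

```python
from datetime import datetime, timedelta

# Event names come from the table above. The record shape ({"ts", "event"})
# is an assumed export format, not a documented Gumloop schema.
HIGH_RISK = {
    "SCIM_USE_MAPPING_TABLE_CHANGED",  # a direction changed mode
    "SCIM_SYNC_DISABLED",              # clears mapping tables and toggles
    "SCIM_AUTO_CREATED_ENTITY",        # role/team created from an IdP group name
    "SCIM_SYNC_FAILED",
}
MEMBERSHIP = {
    "SCIM_USER_PERMISSION_GROUP_CHANGED",
    "SCIM_USER_TEAM_CHANGED",
}


def triage(events, window=timedelta(minutes=30), burst=3):
    """Flag high-risk events, plus membership-change bursts after a mode toggle."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = [(e["ts"], e["event"], "review") for e in events
                if e["event"] in HIGH_RISK]
    for toggle in events:
        if toggle["event"] != "SCIM_USE_MAPPING_TABLE_CHANGED":
            continue
        end = toggle["ts"] + window
        hits = [e for e in events
                if e["event"] in MEMBERSHIP and toggle["ts"] < e["ts"] <= end]
        if len(hits) >= burst:
            findings.append((toggle["ts"], "MEMBERSHIP_BURST_AFTER_TOGGLE",
                             f"{len(hits)} membership changes within {window}"))
    return sorted(findings)


# Constructed sample: a toggle at 09:00, then the next sync rewrites memberships.
T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE = [{"ts": T0 + timedelta(minutes=m), "event": ev} for m, ev in [
    (0, "SCIM_USE_MAPPING_TABLE_CHANGED"), (12, "SCIM_SYNC_STARTED"),
    (13, "SCIM_AUTO_CREATED_ENTITY"), (13, "SCIM_USER_PERMISSION_GROUP_CHANGED"),
    (13, "SCIM_USER_TEAM_CHANGED"), (14, "SCIM_USER_PERMISSION_GROUP_CHANGED"),
    (14, "SCIM_SYNC_COMPLETED"),
]]

if __name__ == "__main__":
    for ts, name, note in triage(SAMPLE):
        print(ts.isoformat(), name, note)
```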

Security & Compliance

Gumloop’s SSO implementation follows industry security standards:

SOC 2 Type II

Certified compliance with SOC 2 Type II controls for security, availability, and confidentiality

SAML 2.0

Industry-standard SAML 2.0 protocol for secure assertion exchange

Encrypted Transit

All authentication traffic encrypted via TLS 1.3

Session Management

Configurable session timeouts and secure token handling
For detailed security information and certifications, visit trust.gumloop.com.
