Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.gumloop.com/llms.txt

Use this file to discover all available pages before exploring further.

Enterprise organizations can configure single sign-on (SSO) authentication and automated user provisioning through SAML and SCIM integrations. This enables centralized identity management, enhanced security, and streamlined user lifecycle management.

​
Overview

Dedicated Login Pages

Custom gumloop.com/org login portals for your organization

SAML Authentication

Enterprise SSO via Okta, Entra ID, Google AD, and more

SCIM Provisioning

Automated user provisioning and custom-role sync

​
Dedicated SSO Login Pages

Enterprise customers can request a dedicated login page at gumloop.com/{your-org}. This provides a branded entry point for your organization’s users with configurable authentication options.
To request a custom login page, contact support@gumloop.com. Delivery is typically within a few hours after SAML connection setup.

​
Available Authentication Methods

Organizations can choose which authentication providers to enable or restrict:
ProviderDescriptionRecommendation
SAML SSOEnterprise identity providers (Okta, Entra ID, etc.)Recommended for enterprise
Google SSOSign in with Google WorkspaceSuitable for Google-based organizations
Microsoft SSOSign in with Microsoft 365Suitable for Microsoft-based organizations
Email/PasswordTraditional username and passwordNot recommended for enterprise
Email/password authentication is not recommended for enterprise deployments. SAML or OAuth-based SSO provides stronger security controls and centralized identity management.

​
SAML Configuration

SAML (Security Assertion Markup Language) enables enterprise single sign-on through your organization’s identity provider.

​
Supported Identity Providers

Okta

Microsoft Entra ID

Google Workspace

JumpCloud

Ping Identity

Active Directory

​
Setting Up SAML

1

Access SSO Settings

Navigate to gumloop.com/settings/organization/sso
SAML and SCIM settings require the Admin organization role and an Enterprise subscription. SCIM-provisioned users land with the baseline Member role and receive additional roles only when explicitly mapped from your identity provider.
2

Generate Setup Link

Click Generate Setup Link to create a SAML connection configuration. This generates the SP (Service Provider) details needed for your identity provider.
3

Configure Your Identity Provider

Use the generated details to configure a SAML application in your IdP. For step-by-step instructions, see the guides for your provider:
4

Request Custom Login Page

After completing SAML setup, contact support@gumloop.com to request your dedicated login page at gumloop.com/{your-org}.

​
SP-Initiated vs IdP-Initiated Login

Gumloop supports SP-initiated login only. This means users must start their login flow from Gumloop (the Service Provider) rather than from your identity provider’s app dashboard.
SP-Initiated Flow:
  1. User navigates to gumloop.com/{your-org}
  2. Clicks the SSO login button
  3. Redirects to your IdP for authentication
  4. Upon successful auth, returns to Gumloop with a valid session
This approach ensures Gumloop controls the full authentication handshake, including session token generation and storage.
For more technical details on SP vs IdP-initiated SSO, see SSOReady’s guide.

​
SAML Best Practices

Use SP-Initiated Login

Configure IdP tiles to redirect to your Gumloop login page rather than using IdP-initiated flows

Disable IdP-Initiated

Prevent IdP-initiated logins in your IdP settings to avoid session handling issues

Test Before Rollout

Verify the SAML connection with test users before enabling for your entire organization

Document for Users

Provide clear instructions to users on how to access Gumloop via your organization’s login page

​
SAML vs SCIM: User Provisioning

Just-In-Time (JIT) ProvisioningWith SAML alone, users are provisioned when they first log in:
  • User authenticates via SAML for the first time
  • Gumloop automatically creates their account on successful auth
  • No pre-provisioning or advance user management
Best for: Organizations that don’t need advance user visibility or automated deprovisioning.

​
SCIM Provisioning

SCIM (System for Cross-domain Identity Management) enables automated user provisioning, deprovisioning, and custom-role synchronization between your identity provider and Gumloop.
SCIM is an add-on feature. Contact support@gumloop.com to request SCIM enablement for your organization. The team will evaluate your use case to determine if SCIM is the right solution for your needs.

​
What SCIM Provides

When users are assigned to the Gumloop application in your IdP, they are automatically provisioned in Gumloop. Users appear in your organization’s member list and can be viewed before they first log in (pre-provisioning).
When users are removed from the Gumloop application in your IdP, they are automatically deprovisioned—removing their access and freeing up seats.
IdP groups can be mapped to Gumloop Custom Roles, enabling centralized access control management.
This is group-based synchronization, not role-based access control (RBAC). Restrictions are managed through Gumloop’s Custom Roles system.

​
Setting Up SCIM

1

Request SCIM Enablement

Contact support@gumloop.com to have SCIM enabled for your organization. The team will evaluate your use case to ensure SCIM is the right solution.
2

Generate SCIM Credentials

Once enabled, navigate to gumloop.com/settings/organization/sso and use Generate Setup Link to create SCIM directory credentials.
3

Configure Your Identity Provider

Set up SCIM provisioning in your IdP using the base URL and bearer token from Gumloop. See provider-specific guides:
SCIM is currently supported for Okta and Microsoft Entra ID only.
4

Create Custom-Role Mappings (Optional)

To manage Custom Roles via SCIM, create matching IdP groups and Gumloop custom roles, then map IdP groups to custom roles in the SSO settings.
Custom-role mappings are optional. If no mappings are configured, SCIM sync will not modify users’ custom roles, allowing you to manage them directly in Gumloop. SCIM only changes a user’s custom role when an explicit mapping matches.
5

Enable Directory Sync

Select your SCIM directory on the /sso page and enable synchronization. You can trigger manual syncs or configure automated periodic syncs.

​
SCIM and Custom Roles

IdP groups are mapped to Gumloop Custom Roles. When users are synced, they are assigned to the mapped custom role.Important considerations:
  • If no group mappings are configured, SCIM sync leaves users’ custom-role assignments alone.
  • Create groups in your IdP first, then map them to Gumloop custom roles.
  • Group names don’t need to match exactly — you define the mapping.
  • If mappings exist but no IdP group matches, the user is placed in the default custom role.

​
Sync Operations

TriggerDescription
ScheduledAutomatic periodic sync (every 15 minutes)
ManualOn-demand sync triggered by organization admin

​
Pre-Provisioned Users

Users assigned to Gumloop in your IdP are visible in your organization’s member list before they log in for the first time. This enables:
  • Advance seat planning
  • Pre-assigning users to teams
  • Visibility into pending onboarding
Pre-provisioned users don’t consume active seats until they complete their first login.

​
SCIM Best Practices

Map Groups If Needed

Set up custom-role mappings only if you want SCIM to manage role assignments. Without mappings, users keep their current Gumloop custom roles.

Define Group Priority

Establish an ordered priority for custom-role mappings to handle users in multiple IdP groups

Test with Pilot Group

Enable SCIM for a small test group before rolling out to the entire organization

Monitor Audit Logs

Review SCIM-related audit events to verify provisioning is working as expected

​
SCIM Audit Events

SCIM operations are tracked in your organization’s audit logs:
EventDescription
SCIM_SYNC_STARTEDDirectory sync operation initiated
SCIM_SYNC_COMPLETEDSync completed with summary stats
SCIM_SYNC_FAILEDSync failed with error details
SCIM_USER_PROVISIONEDNew user provisioned via SCIM
SCIM_USER_DEPROVISIONEDUser removed via SCIM
SCIM_USER_PERMISSION_GROUP_CHANGEDUser’s custom-role assignment updated

​
Security & Compliance

Gumloop’s SSO implementation follows industry security standards:

SOC 2 Type II

Certified compliance with SOC 2 Type II controls for security, availability, and confidentiality

SAML 2.0

Industry-standard SAML 2.0 protocol for secure assertion exchange

Encrypted Transit

All authentication traffic encrypted via TLS 1.3

Session Management

Configurable session timeouts and secure token handling
For detailed security information and certifications, visit trust.gumloop.com.

Custom Roles

Configure granular permissions for synced users

Audit Logging

Monitor authentication and provisioning events

Okta Integration

Configure Okta for service authentication (Snowflake, NetSuite)

Organization Roles

Understand organization member roles and permissions

​
Need Help?