Gemfury uses just-in-time provisioning: users are added to your organization when they first log in through your IdP. No manual invitation is required, but users must initiate login themselves.
How It Works
When a user logs in through your SAML provider for the first time:
- Gemfury validates the SAML assertion
- Creates or links their Gemfury account
- Adds them to your organization with the appropriate role
Subsequent logins authenticate the user without changing their membership or role.
New Users
Users without a Gemfury account must create one on first login:
- Created account is linked to their SAML identity
- Added to your organization with the appropriate role
Existing Users
Users with an existing Gemfury account:
- SAML identity linked to their account on first SAML login
- Added to organization if not already a member
- Existing memberships are preserved
Role Assignment
New members receive the default role (pull, push, or owner) configured in your SAML settings. If group mapping is configured, the role is determined by the user’s IdP group membership instead. Existing memberships are not modified by SAML login.
| Scenario | Result |
|---|---|
| User not in organization | Added with group-mapped or default role |
| User already a member | Role unchanged |
Login Methods
IdP-Initiated
Users start from your IdP (e.g., Okta dashboard):
- Click the Gemfury application
- Redirected to Gemfury, authenticated
Removing Users
To fully revoke a user’s access:
- Remove them from the SAML application in your IdP
- Remove their membership in Gemfury collaboration settings
Important: Removing a user from the IdP only prevents future logins. To fully revoke access, you must also remove their Gemfury organization membership. Existing API tokens and deploy tokens created by the user may continue to work until membership is removed.
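The following audit sketch is an added example, not Gemfury's code or API. It compares the users assigned to the SAML application with the organization's members and reports two conditions that a SAML login never corrects: members no longer assigned in the IdP, and members whose existing role is higher than the role a first login would give them today. The input dictionaries stand in for exports from your IdP and from Gemfury collaboration settings; the group names, matching on email address, the privilege order pull < push < owner, and "highest mapped role wins" are all assumptions.

```python
# Added example: audit Gemfury membership against IdP assignments.
# Input shapes, group names and addresses are constructed for illustration.
ROLE_RANK = {"pull": 0, "push": 1, "owner": 2}  # assumed privilege order

def expected_role(groups, group_map, default_role):
    """Role a first SAML login would assign: group-mapped if a group matches,
    otherwise the default. Assumption: with several matches, highest wins."""
    mapped = [group_map[g] for g in groups if g in group_map]
    return max(mapped, key=ROLE_RANK.__getitem__) if mapped else default_role

def audit(idp_assigned, gemfury_members, group_map, default_role):
    """idp_assigned: {email: [groups]} for users assigned to the SAML app.
    gemfury_members: {email: role} from the organization's member list.
    Returns (email, finding) tuples sorted by email."""
    idp = {e.strip().lower(): g for e, g in idp_assigned.items()}
    members = sorted((e.strip().lower(), r) for e, r in gemfury_members.items())
    findings = []
    for email, role in members:
        if email not in idp:
            # Removed from the IdP, but membership (and tokens) remain.
            findings.append((email, "stale-membership"))
            continue
        want = expected_role(idp[email], group_map, default_role)
        if ROLE_RANK[role] > ROLE_RANK[want]:
            # SAML login leaves existing roles alone, so this persists.
            findings.append((email, f"role-drift:{role}>{want}"))
    return findings

# Constructed sample data
GROUP_MAP = {"pkg-admins": "owner", "pkg-publishers": "push"}
IDP = {"Ana@example.com": ["pkg-publishers"],
       "bo@example.com": ["staff"],
       "cy@example.com": ["pkg-admins"]}
MEMBERS = {"ana@example.com": "owner", "bo@example.com": "pull",
           "cy@example.com": "owner", "dee@example.com": "push"}

if __name__ == "__main__":
    for email, finding in audit(IDP, MEMBERS, GROUP_MAP, "pull"):
        print(email, finding)
```

Each `stale-membership` finding is a membership to remove in collaboration settings; each `role-drift` finding needs a manual role change, because logging in again will not lower it.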