Gemfury uses just-in-time provisioning: users are added to your organization when they first log in through your IdP. No manual invitation is required, but users must initiate login themselves.
How It Works
When a user logs in through your SAML provider for the first time:
- Gemfury validates the SAML assertion
- Creates or links their Gemfury account
- Adds them to your organization with the appropriate role
Subsequent logins authenticate the user without changing their membership. When group mapping is configured, their role is re-synced from their IdP groups on each login.
New Users
Users without a Gemfury account must create one on first login:
- Created account is linked to their SAML identity
- Added to your organization with the appropriate role
Existing Users
Users with an existing Gemfury account:
- SAML identity linked to their account on first SAML login
- Added to organization if not already a member
- Existing memberships are preserved
Role Assignment
New members receive the default role (pull, push, or owner) configured in your SAML
settings. If group mapping is configured, the role comes from the user’s
IdP groups instead, and is re-synced on every login. SAML login never removes an existing
membership — it only updates the role.
| Scenario | Result |
|---|---|
| User not in organization | Added with group-mapped or default role |
| User already a member | Membership preserved; role re-synced from group mapping |
Login Methods
IdP-Initiated
Users start from your IdP (e.g., Okta dashboard):
- Click the Gemfury application
- Redirected to Gemfury, authenticated
Removing Users
To fully revoke a user’s access:
- Remove them from the SAML application in your IdP
- Remove their membership in Gemfury collaboration settings
Important: Removing a user from the IdP only prevents future logins. To fully revoke access, you must also remove their Gemfury organization membership. Existing API tokens and deploy tokens created by the user may continue to work until membership is removed.
To automate this process, enable SCIM provisioning. With SCIM, your IdP automatically removes a user’s organization membership when they are unassigned from the application. SCIM-managed members must be removed in your IdP — not from the Gemfury dashboard.