Gemfury uses just-in-time provisioning: users are added to your organization when they first log in through your IdP. No manual invitation is required, but users must initiate login themselves.
How It Works
When a user logs in through your SAML provider for the first time:
- Gemfury validates the SAML assertion
- Creates or links their Gemfury account
- Adds them to your organization with the default role
Subsequent logins authenticate the user without changing their membership or role.
New Users
Users without a Gemfury account must create one on first login:
- Created account is linked to their SAML identity
- Added to your organization with the default role
Existing Users
Users with an existing Gemfury account:
- SAML identity linked to their account on first SAML login
- Added to organization if not already a member
- Existing memberships are preserved
Role Assignment
The default role (pull, push, or owner) is configured in your SAML settings. If you are enabling SAML for an organization with prior memberships, just-in-time provisioning will not modify those existing memberships.
| Scenario | Result |
|---|---|
| User not in organization | Added with default role |
| User already a member | Role unchanged |
Login Methods
IdP-Initiated
Users start from your IdP (e.g., Okta dashboard):
- Click the Gemfury application
- They are redirected to Gemfury and authenticated
Removing Users
To fully revoke a user’s access:
- Remove them from the SAML application in your IdP
- Remove their membership in Gemfury collaboration settings
Important: Removing a user from the IdP only prevents future logins. To fully revoke access, you must also remove their Gemfury organization membership. Existing API tokens and deploy tokens created by the user may continue to work until membership is removed.
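The following Python model is an added illustration, not Gemfury's own code, and covers both the provisioning rules above (first login creates or links the account and adds it with the default role, later logins and pre-existing memberships are left untouched) and the revocation caveat (removing a user from the IdP only blocks future logins; membership and the tokens the user created survive until the membership itself is removed). The data model, function names, and the constructed accounts and tokens are assumptions; the `valid` flag stands in for real assertion checks.

```python
"""Model of just-in-time (JIT) SAML provisioning and access revocation.
Added illustration, not Gemfury's code; names and data model are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

ROLES = ("pull", "push", "owner")


@dataclass
class Account:
    email: str
    saml_subject: Optional[str] = None        # linked SAML NameID, if any
    tokens: set = field(default_factory=set)  # API/deploy tokens the user created


@dataclass
class Organization:
    default_role: str                             # configured in SAML settings
    members: dict = field(default_factory=dict)   # email -> role
    accounts: dict = field(default_factory=dict)  # email -> Account

    def __post_init__(self):
        if self.default_role not in ROLES:
            raise ValueError(f"unknown default role {self.default_role!r}")


@dataclass
class Assertion:
    subject: str        # NameID from the IdP
    email: str
    valid: bool = True  # stand-in for signature, audience and timestamp checks


def jit_login(org: Organization, assertion: Assertion) -> dict:
    """Apply the JIT rules for one SAML login and report what changed."""
    if not assertion.valid:
        raise PermissionError("SAML assertion rejected")
    account = org.accounts.get(assertion.email)
    created = account is None
    if created:
        # New user: account is created and linked to the SAML identity
        account = Account(email=assertion.email, saml_subject=assertion.subject)
        org.accounts[assertion.email] = account
    elif account.saml_subject is None:
        # Existing user: SAML identity is linked on the first SAML login
        account.saml_subject = assertion.subject
    added = assertion.email not in org.members
    if added:
        org.members[assertion.email] = org.default_role
    # An existing membership and its role are never modified here
    return {"created": created, "added": added, "role": org.members[assertion.email]}


def idp_login(idp_assigned: set, org: Organization, email: str) -> dict:
    """IdP-initiated flow: only users assigned to the SAML app get an assertion."""
    if email not in idp_assigned:
        raise PermissionError(f"{email} is not assigned to the SAML application")
    return jit_login(org, Assertion(subject=f"idp:{email}", email=email))


def create_token(org: Organization, email: str, name: str) -> str:
    """Issue a token for a current member (constructed format, not a real token)."""
    if email not in org.members:
        raise PermissionError("only members can create tokens")
    token = f"{name}-for-{email}"
    org.accounts[email].tokens.add(token)
    return token


def token_authorizes(org: Organization, email: str, token: str) -> bool:
    """A token keeps working while its owner is still an organization member."""
    account = org.accounts.get(email)
    return account is not None and token in account.tokens and email in org.members


def remove_membership(org: Organization, email: str) -> None:
    """The second step of full revocation: drop the Gemfury membership."""
    org.members.pop(email, None)


def walkthrough() -> dict:
    """Constructed scenario: alice was an owner before SAML; bob is brand new."""
    org = Organization(default_role="pull")
    org.accounts["alice@example.com"] = Account(email="alice@example.com")
    org.members["alice@example.com"] = "owner"
    idp = {"alice@example.com", "bob@example.com"}

    bob_first = idp_login(idp, org, "bob@example.com")   # created, added as pull
    bob_second = idp_login(idp, org, "bob@example.com")  # nothing changes
    alice = idp_login(idp, org, "alice@example.com")     # linked, stays owner

    token = create_token(org, "bob@example.com", "ci-deploy")
    idp.discard("bob@example.com")                       # IdP removal only
    try:
        idp_login(idp, org, "bob@example.com")
        login_after_idp_removal = True
    except PermissionError:
        login_after_idp_removal = False
    token_after_idp_removal = token_authorizes(org, "bob@example.com", token)
    remove_membership(org, "bob@example.com")            # required second step
    token_after_membership_removal = token_authorizes(org, "bob@example.com", token)
    return {"bob_first": bob_first, "bob_second": bob_second, "alice": alice,
            "login_after_idp_removal": login_after_idp_removal,
            "token_after_idp_removal": token_after_idp_removal,
            "token_after_membership_removal": token_after_membership_removal}
```

Running `walkthrough()` shows the point of the caveat: after bob is dropped from the IdP he can no longer log in, but his `ci-deploy` token still authorizes until `remove_membership` runs, so an offboarding checklist needs both steps.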