Guide-Saml

SAML Single Sign-On

SAML SSO lets your organization members authenticate with Gemfury using your corporate Identity Provider (IdP). When enabled, users log in through your IdP and are automatically added to your organization.

Requirements

  • Gemfury organization account
  • Administrator access to your Identity Provider
  • IdP SAML metadata XML file

Supported Identity Providers

Gemfury works with any SAML 2.0 compliant Identity Providers (IdP) like Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, JumpCloud, PingIdentity, etc.

 

Getting Started with SAML SSO

This guide walks through enabling SAML authentication for your Gemfury organization. Setup requires two phases: initial configuration and finalization after receiving your Provider ID.

Service Provider Information

Configure your IdP with these Gemfury settings. Replace PROVIDER_ID with the identifier assigned after initial setup.

Setting Value
ACS URL https://manage.fury.io/auth/saml/PROVIDER_ID/callback
Entity ID https://manage.fury.io/auth/saml/PROVIDER_ID
Name ID Format Persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)

Name ID Format options:

  • Persistent — Uses an opaque identifier (recommended for stability)
  • Email — Uses email address as identifier (simpler fallback)

If you also use SCIM provisioning, prefer Persistent and have your IdP send a SCIM externalId equal to the persistent Name ID. This gives a stable, exact match between SAML logins and SCIM-provisioned users that survives email or username changes.

 

Configuring Your Identity Provider

After setting up SAML in Gemfury, configure your IdP with the Gemfury service provider details.

Required Settings

All IdPs need these values (replace PROVIDER_ID with your assigned identifier):

ACS URL:    https://manage.fury.io/auth/saml/PROVIDER_ID/callback
Entity ID:  https://manage.fury.io/auth/saml/PROVIDER_ID

Rather than entering these by hand, you can download Gemfury’s SP metadata XML from the dashboard and import it into your IdP.

Signing and encryption: Sign the SAML response or assertion using SHA-256. Do not require signed authentication requests, and do not enable assertion encryption — Gemfury does not sign AuthnRequests and cannot decrypt assertions.

 

User Provisioning

Gemfury uses just-in-time provisioning: users are added to your organization when they first log in through your IdP. No manual invitation is required, but users must initiate login themselves.

How It Works

When a user logs in through your SAML provider for the first time:

  1. Gemfury validates the SAML assertion
  2. Creates or links their Gemfury account
  3. Adds them to your organization with the appropriate role

Subsequent logins authenticate the user without changing their membership. When group mapping is configured, their role is re-synced from their IdP groups on each login.

 

Group Mapping

Gemfury can automatically assign membership roles to users based on their group claims sent by your Identity Provider in the SAML assertion. This lets you control access levels without manually assigning roles to each new user.

How It Works

Group mapping is configured with two settings on your SAML provider:

Setting Description
Group Mapping A mapping of IdP group names to Gemfury roles.
Default Role Fallback role (Download only) when no group mapping matches.

Each time a user logs in via SAML, Gemfury resolves their role from the groups in the assertion as follows:

 

SCIM User Management

SCIM (System for Cross-domain Identity Management) automates user lifecycle management for your Gemfury organization. When enabled, your Identity Provider manages organization membership directly — provisioning, deprovisioning, and reactivating users as you assign and unassign them in the IdP.

SCIM is a companion to SAML SSO, not a replacement. SAML handles authentication (logging in); SCIM handles provisioning (managing who has access). Both require an active SAML provider on the organization.

Requirements

  • An active SAML SSO provider configured on your organization
  • A SCIM Bearer token (see Setup below)
  • Administrator access to your Identity Provider

How It Works

SCIM manages organization membership, not user accounts. The lifecycle is:

 

Troubleshooting SAML SSO

Common issues and solutions for SAML authentication.

Error Messages

Error Cause Solution
Unauthorized Provider not active Contact support to activate your provider
Login expired Session timeout or clock drift Re-initiate SAML login; check server time sync
Invalid credentials Assertion validation failed See detailed causes below
Invalid Credentials — Detailed Causes

This error indicates SAML assertion validation failed. Check these items in order:

  1. Unsigned assertion — Assertions must be signed. Verify signing is enabled in your IdP (see IdP Configuration)
  2. Signature algorithm mismatch — Gemfury supports SHA-256. If your IdP uses SHA-1, update to SHA-256
  3. Expired assertion — Assertion timestamp outside validity window. Check clock synchronization
  4. Audience mismatch — Entity ID in IdP doesn’t match https://manage.fury.io/auth/saml/PROVIDER_ID
  5. Missing email attribute — Assertion must include email attribute
  6. Name ID format mismatch — Verify Name ID format matches your Gemfury configuration
  7. Unsupported Name ID format — Only emailAddress, persistent, and unspecified formats are accepted; others (e.g. transient) are rejected
  8. Certificate mismatch — IdP certificate was rotated but metadata wasn’t updated in Gemfury

Configuration Issues

Assertions Not Signed

Gemfury requires signed SAML assertions. In your IdP settings, enable: