SAML SSO lets your organization members authenticate with Gemfury using your
corporate Identity Provider (IdP). When enabled, users log in through your
IdP and are automatically added to your organization.
Gemfury works with any SAML 2.0 compliant Identity Providers (IdP) like Okta,
Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, JumpCloud,
PingIdentity, etc.
This guide walks through enabling SAML authentication for your Gemfury
organization. Setup requires two phases: initial configuration and
finalization after receiving your Provider ID.
Service Provider Information
Configure your IdP with these Gemfury settings. Replace PROVIDER_ID with the identifier
assigned after initial setup.
Persistent — Uses an opaque identifier (recommended for stability)
Email — Uses email address as identifier (simpler fallback)
If you also use SCIM provisioning, prefer Persistent and have your IdP
send a SCIM externalId equal to the persistent Name ID. This gives a stable,
exact match between SAML logins and SCIM-provisioned users that survives email or
username changes.
Rather than entering these by hand, you can download Gemfury’s SP metadata XML
from the dashboard and import it into your IdP.
Signing and encryption: Sign the SAML response or assertion using
SHA-256. Do not require signed authentication requests,
and do not enable assertion encryption — Gemfury does not sign AuthnRequests
and cannot decrypt assertions.
Gemfury uses just-in-time provisioning: users are added to your organization when they first log
in through your IdP. No manual invitation is required, but users must initiate login themselves.
How It Works
When a user logs in through your SAML provider for the first time:
Subsequent logins authenticate the user without changing their membership. When
group mapping is configured, their role is re-synced from their
IdP groups on each login.
Gemfury can automatically assign membership roles to users based on their group
claims sent by your Identity Provider in the SAML assertion. This lets you
control access levels without manually assigning roles to each new user.
How It Works
Group mapping is configured with two settings on your SAML provider:
Setting
Description
Group Mapping
A mapping of IdP group names to Gemfury roles.
Default Role
Fallback role (Download only) when no group mapping matches.
Each time a user logs in via SAML, Gemfury resolves their role from the groups
in the assertion as follows:
SCIM (System for Cross-domain Identity Management) automates user lifecycle
management for your Gemfury organization. When enabled, your Identity Provider
manages organization membership directly — provisioning, deprovisioning, and
reactivating users as you assign and unassign them in the IdP.
SCIM is a companion to SAML SSO, not a replacement. SAML handles
authentication (logging in); SCIM handles provisioning (managing who has
access). Both require an active SAML provider on the organization.