Setting up SSO and SCIM
Single Sign-On (SSO) allows users to access multiple applications with a single set of login credentials managed by an Identity Provider (IdP). Companies implement SSO to streamline authentication and reduce the need for multiple usernames and passwords. Guru supports SSO and automatic user and group provisioning via the SCIM (System for Cross-domain Identity Management) standard. To set up automatic provisioning, SSO must first be configured and enabled for your team.
Access Required
You must be a Guru workspace admin to access the SSO/SCIM page and to enable SSO for your workspace.
Setting up SSO
Step 1: Set up the connection within your Identity Provider
To get started, you’ll need to set up a connection for Guru Single Sign-On (SSO) with your organization's Identity Provider (IdP). While you're building this new connection in your IdP, you're going to need some information from the "SSO/SCIM" page in Guru's web app to complete the fields in the IdP.
- In Guru's web app, navigate to Manage, then click SSO/SCIM.
| Things Guru's SSO Integrations page provides | Things you'll need from your IDP |
|---|---|
| - Your Guru Team ID | - IdP Issuer |
| - Guru Single Sign-On URL | - IdP Single Sign-On URL |
| - Audience URI | - X.509 Certificate |
Step 2: Set up SSO in Guru
Now that you've entered and gathered the necessary information from your IdP, a Guru admin can enable SSO by filling in the required information on the workspace's "SSO/SCIM" page.
- In Guru's web app, navigate to Manage*.
- Click on SSO/SCIM.
- Fill in all the required fields with the information you gathered from your IDP:
- Identity Provider Single-Sign on URL
- Identity Provider Issuer
- X.509 Certificate
- Choose your Provision Type:
- Automatically add users. Guru will add the user to the workspace the first time they log in via SSO. Note that this has a billing implication as Guru bills by user seats.
- Require users to be invited. You must explicitly invite users to your Guru Team. These invited users must additionally have access to your Identity Provider (IdP), otherwise, they won't be able to sign in to Guru.
- Select your Session Timeout in days. Guru's default is 14 days.
- When you're ready to turn it on, change the SSO state to Enabled.
Frequently Asked Questions about SSO
How do I add users outside of my organization to Guru after SSO is enabled?
After SSO is enabled, all non-Admin users are required to log in through the Identity Provider. Outside or guest users would first need to be added to the Identity Provider in order to access your Guru Team. If guest users cannot be added to the Identity Provider, add them to the Guru Team as Admin. Admins can always log in to Guru natively with their username and password.
What happens to users who are logged in to Guru before SSO is enabled?
If a user is logged in to Guru before SSO is enabled, they will not be automatically logged out but will have to log in through the Identity Provider upon their next login.
If a user's session times out, Guru will direct the user back to the Identity Provider to re-authenticate. If the user logs out of Guru, the user will have to log into Guru via the Identity Provider.
What is the difference between SSO and domain discovery?
- Domain discovery is a setting in Guru that allows anyone with a specific email domain name to automatically join your Guru team.
- SSO enables users to securely authenticate with multiple applications and websites by logging in only once with one set of credentials (username and password) through a third-party Identity Provider (such as Okta, OneLogin, etc.).
Setting Up SCIM
Note
If your team has single sign-on (SSO) and SCIM enabled, Guru admins can no longer invite users via the Guru web app. You must invite new Guru users and remove existing (synced) users via your organization's identity provider.
- In Guru's web app, navigate to Manage and then click on the** SSO/SCIM tab.
- Toggle the button next to Authorize SCIM Provisioning to ON.
Specific SSO/SCIM Provider Instructions
The provisioning setup varies depending on the identity provider (IdP) your team uses. Guru is featured as a member of the Okta network, but this functionality works for any IdP that supports the SCIM 2.0 standard. Here is a list of some identity providers teams have integrated with:
If your IdP is not listed above and you need help navigating the setup, please reach out to Guru by filling out this form: Contact Guru Support.
Note
Guru currently does not support automatic provisioning through Office 365. We only support SSO through Google and standard SAML using a third-party identity provider. Please share your feedback and feature request with our Product team in the Product Feedback category of the Guru Community.
Frequently asked Question about SCIM
What can I expect to happen after I enable SCIM for my team?
Typically, users, Groups, and Group assignments from your identity provider will be moved into Guru immediately. Any users, Groups, and Group assignments with pre-existing exact matches in Guru will be merged. Once they've merged, these become uneditable in Guru. Users or Groups that are synced with your chosen identity provider will display a sync icon (🔄) next to their name. You will not be able to manage these users or their Groups in the Guru web app and must manage them in your team's identity provider.
Users or Groups in Guru that do not match Users or Groups in your identity provider will not sync back into your identity provider. These users will not have a sync icon (🔄) next to their name. You will be able to manage these users and add them to Groups from the Manage > All Members page in in Guru's web app.
How will I know who is synced through my identity provider and who is not?
All users who were synced via SCIM will have a sync icon (🔄) next to their name.
Does Guru support group linking?
Guru also supports group linking which creates a 1:1 linkage that will merge a SCIM group (and users within it) into the Guru Group, while maintaining the Collection permissions of the Guru Group. This allows for easy user management through SCIM.
You don't need to do anything to enable this, existing Guru Groups will show within the IDP Group Link menu. If a Guru Group has the same name as the group being linked it will automatically select that linkage.
What happens when I remove a user from Guru in my identity provider?
When users are de-provisioned through SCIM they will be immediately deleted in Guru. You will not be prompted to re-assign verification responsibilities so remember to update that before removing them from SCIM.
If you do not update the verifier on the user's Cards before removing the user from your identity provider, the Cards that they are currently a verifier of will be reassigned to the Collection owner of the Collection that Card lives in. If the Collection does not have a Collection owner it will be assigned to the top verifier in that Collection.
Can I manage users & Groups in Guru after SCIM is enabled?
- If a Group is not synced with SCIM, you can add/remove that Group in Guru and any users (synced or not) to that Group in Guru.
- If a Group is synced with SCIM (has the sync icon 🔄 ), you cannot manage that Group at all in Guru. That includes removing the Group or adding/deleting users in that Group.
- A synced user can be added/removed from a non-synced Group
Can I use SCIM to populate employee profile attributes in Guru?
No, SCIM cannot be used to populate Guru profiles. However, an HRIS sync can auto-populate fields from many HR platforms into Guru profiles.
Updated 2 months ago