Users and Teams

Authentication

SSO Domains

To enable SSO authentication, enter the email domain that users' email addresses must belong to.

MFA

Users can enable multi-factor authentication (MFA) for password-based logins in Gremlin Company Settings under the Security tab. Currently, Time-based One-Time Password (TOTP) MFA is supported. An example of a compatible authenticator is Google Authenticator, available on the Apple App Store and Google Play.

MFA can be forced for users across the entire company. When Enforce MFA is enabled, all users who authenticate without MFA will be provided with a secret key and QR barcode to set up their authenticator. Certain user roles can also disable MFA for individual users within their company, which is useful when a user loses their authenticator.

SAML

Companies that host their own SAML-compatible Identity Provider (IDP) can use SAML sign-on for their users to authenticate with Gremlin. SAML gives your organization complete control over the users' authentication process and experience. When using SAML, authentication requests are forwarded to your IDP, which performs authentication as your company specifies. Once a user has authenticated, their details, such as their email address, are securely delivered to Gremlin and the user is granted access.

SAML configuration can be performed by users with the correct roles in Gremlin Settings on the Security tab.

To configure your IDP for SAML, use our Service Provider (SP) metadata, available with the following command:

curl https://api.gremlin.com/v1/users/auth/saml/metadata

Important SAML Fields

  • Assertion Consumer Service URL - https://api.gremlin.com/v1/users/auth/saml/acs: Represents the location your IDP will send the SAML assertion to be validated by our SP
  • Entity ID - https://api.gremlin.com/saml: Unique identifier for the Gremlin SP
  • RelayState - Gremlin Inc.|||https://app.gremlin.com/users/sso/saml/acs|||/: Sent to your IDP by our SP when the SAML login process is initiated, and is echoed back in the response by your IDP.
  • NameID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Specifies the format of the NameID within the SAML assertion. We require a valid email be used.
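Before entering these values into an IDP, the downloaded SP metadata can be checked against the fields listed above. The following is an added example, not Gremlin's own code: the function names are hypothetical, and the embedded XML is a constructed sample in the standard SAML 2.0 metadata layout standing in for the output of the curl command.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
# Values documented in the field list above.
EXPECTED = {
    "entity_id": "https://api.gremlin.com/saml",
    "acs_url": "https://api.gremlin.com/v1/users/auth/saml/acs",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
# Constructed sample (assumption); the real document may carry more elements.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://api.gremlin.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.gremlin.com/v1/users/auth/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Extract the entity ID, ACS URLs and NameID formats from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    fmts = sp.findall("md:NameIDFormat", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [e.get("Location") or "" for e in acs],
        "nameid_formats": [(e.text or "").strip() for e in fmts],
    }

def check_against_docs(xml_text):
    """Return a list of mismatches between the metadata and the documented values."""
    md = parse_sp_metadata(xml_text)
    problems = []
    if md["entity_id"] != EXPECTED["entity_id"]:
        problems.append("unexpected entity ID: %r" % md["entity_id"])
    if EXPECTED["acs_url"] not in md["acs_urls"]:
        problems.append("documented ACS URL not present")
    if any(not u.startswith("https://") for u in md["acs_urls"]):
        problems.append("ACS URL is not https")
    if EXPECTED["nameid_format"] not in md["nameid_formats"]:
        problems.append("emailAddress NameID format not offered")
    return problems
```

An empty list from `check_against_docs` means the metadata agrees with the documented Entity ID, Assertion Consumer Service URL and NameID format.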