Skip to main content
gavAI supports SAML 2.0 SSO on Scale and Enterprise plans. Configure your identity provider once, then your members sign in with their existing corporate credentials.

Pick your IdP

What gavAI needs from you

After provisioning the IdP-side application, you’ll submit three values in /console/settings/sso/new:
  • Metadata URL — the IdP’s SAML metadata XML endpoint.
  • Entity ID — gavAI’s SP entity ID (shown in the wizard).
  • Domain(s) — the email domain(s) your members sign in with (e.g. acme.com). gavAI routes those email addresses to your IdP at sign-in.
After you submit, gavAI verifies each domain via a DNS TXT record, then activates SSO.

What gavAI sends back

Your IdP receives a SAML AuthnRequest with:
  • Audience: gavAI’s SP entity ID (workspace-scoped).
  • NameID format: emailAddress.
  • AssertionConsumerService URL: shown in the wizard.

Just-in-time provisioning

The first time a user signs in via SSO, gavAI creates their account and joins them to the workspace with the default role (member). Admins can promote them in /console/members. For automated lifecycle (deprovisioning when an employee leaves), use SCIM alongside SSO.