/console/settings/sso/new/generic.
Prerequisites
- Admin access to your IdP.
- Workspace admin in gavAI on a Scale or Enterprise plan.
- One or more email domains you control.
What gavAI expects
The Service Provider config gavAI runs:| Field | Value |
|---|---|
| Entity ID (Audience) | shown in the wizard at /console/settings/sso/new/generic |
| ACS URL | shown in the wizard |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Binding | HTTP-POST for ACS; HTTP-Redirect for AuthnRequest |
| Signed AuthnRequest | Not required (gavAI accepts unsigned) |
| Signed Assertion | Required. Signed by your IdP’s signing certificate. |
| Signed Response | Optional; if your IdP signs the Response envelope, gavAI verifies it. |
| Encrypted Assertion | Not required. |
Attributes
Map the following at minimum:| SAML attribute | Source |
|---|---|
email (or NameID) | user’s primary email address |
firstName (or givenName) | user’s first name |
lastName (or surname) | user’s last name |
1. Register gavAI as a Service Provider in your IdP
Use the Entity ID + ACS URL above. Most IdPs accept those two values plus the SP metadata XML, which gavAI exposes at the URL shown in the wizard.2. Hand IdP metadata to gavAI
The simplest path: paste your IdP’s metadata URL into the gavAI wizard. gavAI fetches it, validates the certificate, and stores the SSO config. If your IdP doesn’t expose a metadata URL, paste the raw metadata XML instead.3. Verify domains
gavAI shows a TXT record for each email domain. Add it to your DNS, then wait for re-verification.4. Test
Sign in athttps://gavai.io/login with an IdP-managed account. Audit-log traffic appears at /console/activity.
Troubleshooting
| Symptom | Likely cause |
|---|---|
InvalidSignature in audit log | Your IdP’s signing cert rotated; refresh the metadata URL in /console/settings/sso/<provider>. |
AudienceMismatch | Entity ID in your IdP config doesn’t exactly match gavAI’s. Re-copy from the wizard. |
RequestExpired | Clock skew between your IdP and gavAI’s runtime exceeds 5 minutes. |
EmailDomainNotAllowed | The signed-in user’s email domain isn’t in the verified list yet. |