Skip to main content
This page is the universal SAML 2.0 reference for IdPs that don’t have a vendor-specific guide (PingFederate, Auth0 as IdP, Keycloak, Shibboleth, ADFS, etc.). The gavAI-side counterpart is the wizard at /console/settings/sso/new/generic.

Prerequisites

  • Admin access to your IdP.
  • Workspace admin in gavAI on a Scale or Enterprise plan.
  • One or more email domains you control.

What gavAI expects

The Service Provider config gavAI runs:
FieldValue
Entity ID (Audience)shown in the wizard at /console/settings/sso/new/generic
ACS URLshown in the wizard
NameID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
BindingHTTP-POST for ACS; HTTP-Redirect for AuthnRequest
Signed AuthnRequestNot required (gavAI accepts unsigned)
Signed AssertionRequired. Signed by your IdP’s signing certificate.
Signed ResponseOptional; if your IdP signs the Response envelope, gavAI verifies it.
Encrypted AssertionNot required.

Attributes

Map the following at minimum:
SAML attributeSource
email (or NameID)user’s primary email address
firstName (or givenName)user’s first name
lastName (or surname)user’s last name

1. Register gavAI as a Service Provider in your IdP

Use the Entity ID + ACS URL above. Most IdPs accept those two values plus the SP metadata XML, which gavAI exposes at the URL shown in the wizard.

2. Hand IdP metadata to gavAI

The simplest path: paste your IdP’s metadata URL into the gavAI wizard. gavAI fetches it, validates the certificate, and stores the SSO config. If your IdP doesn’t expose a metadata URL, paste the raw metadata XML instead.

3. Verify domains

gavAI shows a TXT record for each email domain. Add it to your DNS, then wait for re-verification.

4. Test

Sign in at https://gavai.io/login with an IdP-managed account. Audit-log traffic appears at /console/activity.

Troubleshooting

SymptomLikely cause
InvalidSignature in audit logYour IdP’s signing cert rotated; refresh the metadata URL in /console/settings/sso/<provider>.
AudienceMismatchEntity ID in your IdP config doesn’t exactly match gavAI’s. Re-copy from the wizard.
RequestExpiredClock skew between your IdP and gavAI’s runtime exceeds 5 minutes.
EmailDomainNotAllowedThe signed-in user’s email domain isn’t in the verified list yet.