Leveraging SSO to automatically assign custom roles
We use SSO in a way so that our users sign up for our community using their existing product logins. We’d like to automatically assign a custom role to certain users as they sign up for community, based on specific criteria they meet on our product side.
Long story short, we’d like to create exclusive community spaces/content for specific subsets of our users.
Does anyone have experience in this?
I’m not an expert on SSO, but it all depends on what data is passed along when they sign up.
Or what data can you get from your own system via an API call after they sign up.
I do this same thing via Salesforce (using Zapier for the automation, but other tools could do the same thing).
1. User logs-in via SSO, but they’re new so they have to create a new profile
   - this triggers the automation via the Zapier trigger (or this webhook)
2. Finds user in {your system, for me it’s salesforce}
3. Gets the data on the type of user they are (for us it’s Account Type)
4. Assigns the role via API (or pre-built Zapier action)
   - based on conditions from #2
--
I could be wrong, but I don’t think SSO will allow you to skip step 2 above and do a simpler “SSO says what type of user, so apply X custom role.” My understanding is that SSO is mostly removing the need for a password and just passes over the unique email identifier.
1. User logs in to your product
2. User logs in to community via SSO
3. SSO gives a green light that the user is valid, logged-in
4. SSO passes the email to Gainsight CC so it knows which profile to log in as
That’s at least how ours works.
Hey @jwren - it’s possible to do this via Zapier, like Danny says above. But it is also possible to directly assign a custom role as part of the SSO payload. You can find an example in this article:
You can indeed create some personalisation based on the custom role in your community. That currently requires some scripts to show/hide HTML widgets based on the role, but our ambition is to also develop native personalisation features.
Thanks to both of you for the guidance. We’ll see what we can come up with :)
Does anyone know of a way to do this without SSO as well?
My use case is that we have two customer bases, one of which signs in through SSO and automatically gets assigned permissions. The second logs in through username/pass. How do I automatically assign for the latter group?
Pardon my ignorance if this is not the right thread, I just recently began work within CC.
Best,
Will
Hi @KantataWill - yes, the alternative to SSO is to do something like what @DannyPancratz suggested above. I’m not a developer, but I suspect that for the community login (non-SSO) you could use the login webhook to trigger the automation that applies the custom role.
Yes, I almost suggested the login webhook as a suggestion for backfilling existing users upon login.
However, that webhook will trigger each time any user logs in, so you’ll eventually have your automation running for users who don’t need it. Even if you have filter steps, it’s likely to cost you some consumption of your automation tool (ex. Zapier).
@KantataWill For your use case, the same principles in my reply above apply. I recommend first doing a manual audit of custom roles for existing users. You could bulk-assign the custom roles via the User Overview bulk action:
Or you could do a bulk backfill of custom roles via the API.
Once you’ve covered all the existing users, then you just need to focus on assigning the role to net-new users upon registration. Whether they use SSO or a username/password, it’ll be the same. You could trigger your automation off the pre-built Zapier trigger for New Users or the IdentityAccess.UserRegistered webhook. From there it’s still this:
1. Finds user in {your system, for me it’s salesforce}
2. Gets the data on the type of user they are (for us it’s Account Type)
3. Assigns the role via API (or pre-built Zapier action or similar tool)
   - based on conditions from #2
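The registration flow described in the replies above (registration event, lookup in your own system, role assignment, plus a one-off backfill), as an added example that is not part of the original posts or any Gainsight code. The event shape, field names, role names and the `assign` callback are assumptions; only the `IdentityAccess.UserRegistered` name comes from the thread. The role is decided from the system-of-record lookup, and unknown users or unmapped account types get no role.

```python
"""Added example: event shape, field names and role names are assumptions."""
REGISTERED = "IdentityAccess.UserRegistered"  # webhook named in the thread

# Constructed stand-in for the system of record (e.g. a CRM lookup by email).
CRM_ACCOUNT_TYPE = {
    "ana@example.com": "Partner",
    "bo@example.com": "Customer",
    "cy@example.com": "Prospect",
}
# Hypothetical mapping from account type to community custom role.
ROLE_FOR_ACCOUNT_TYPE = {"Partner": "partner-space", "Customer": "customer-space"}


def decide_role(email, lookup=CRM_ACCOUNT_TYPE):
    """Return the custom role for this email, or None (fail closed)."""
    return ROLE_FOR_ACCOUNT_TYPE.get(lookup.get(email))


def handle_event(event, current_roles, assign):
    """Process one webhook event; return what was done and why."""
    if event.get("event") != REGISTERED:
        return "ignored: not a registration"  # e.g. per-login events
    email = event.get("email", "").strip().lower()
    role = decide_role(email)
    if role is None:
        return "skipped: no mapped account type"
    if role in current_roles.get(email, set()):
        return "skipped: already assigned"  # duplicate delivery is harmless
    assign(email, role)
    return f"assigned: {role}"


def backfill(emails, current_roles, assign):
    """One-off pass over existing members using the same decision logic."""
    return [handle_event({"event": REGISTERED, "email": e}, current_roles, assign)
            for e in emails]


def demo():
    granted = {}
    def assign(email, role):  # stand-in for the role-assignment API call
        granted.setdefault(email, set()).add(role)
    events = [  # constructed sample events
        {"event": REGISTERED, "email": "Ana@Example.com"},
        {"event": "Example.UserLoggedIn", "email": "bo@example.com"},
        {"event": REGISTERED, "email": "cy@example.com"},
        {"event": REGISTERED, "email": "dee@example.com"},
        {"event": REGISTERED, "email": "ana@example.com"},
    ]
    return [handle_event(e, granted, assign) for e in events], granted

if __name__ == "__main__":
    print(demo())
```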
Ah yes, that makes more sense, thank you @DannyPancratz
@Kenneth R @DannyPancratz
We’re about to directly assign a custom role with our SSO payload, but I was curious about existing community members.
Once the payload is implemented, new community members who sign up and meet our specific criteria should be automatically provisioned to our custom role
But if there’s an existing member who meets the criteria, will they automatically receive the role? Or will existing members need to be manually assigned it?
Sorry in advance if that’s something we’d need to configure on our end
@jwren Manually assigned, I believe.
In Control > User Overview, you can use filters to find those who meet the criteria and then there’s a bulk Admin action that will allow you to add the custom role to up to 100 users at once.