I’m not an expert on SSO, but it all depends on what data is passed along when they sign up. 

Or what data can you get from your own system via an API call after they sign up. 

I do this same thing via Salesforce (using Zapier for the automation, but other tools could do the same thing).

1. User logs-in via SSO, but they’re new so they have to create a new profile
   • this triggers the automation via the Zapier trigger (or this webhook)
2. Finds user in {your system, for me it’s salesforce}
   • Gets the data on the type of user they are (for us it’s Account Type)
3. Assigns the role via API (or pre-built Zapier action)
   • based on conditions from #2

--

I could be wrong, but I don’t think SSO will allow you to skip step 2 above and do a simpler “SSO says what type of user, so apply X custom role.” My understanding that SSO is mostly removing the need for a password and just passes over the unique email identifier. 

1. User logs-in to your product
2. User logs-in to community via SSO
   1. SSO gives a green light that the user is valid, logged-in
   2. SSO passes the email to Gainsight CC to it knows which profile to log-in as

That’s at least how ours works. 

Hey @jwren - it’s possible to do this via Zapier, like Danny says above.  But it is also possible to directly assign a custom role as part of the SSO payload.  You can find an example in this article:

You can indeed create some personalisation based on the custom role in your community.  That currently requires some scripts to show/hide HTML widgets based on the role, but our ambition is to also develop native personalisation features.

Thanks to both of you for the guidance. We’ll see what we can come up with :)

Does anyone know of a way to do this without SSO as well? 

My use case is that we have two customer bases, one of which that signs in through SSO and automatically gets assigned permissons. The second, that logs in through username/pass. How do I automatically assign for the latter group? 

Pardon my ignorance if this is not the right thread, I just recently began work within CC. 

Best, 

Will

Hi @KantataWill - yes, the alternative to SSO is to do something like what @DannyPancratz suggested above.  I’m not a developer, but I suspect that for the community login (non-SSO) you could use the login webhook to trigger the automation that applies the custom role.

Yes, I almost suggested the login webhook as a suggestion for backfilling existing users upon login. 

However, that webhook will trigger each time any user logs in, so you’ll eventually have your automation running for users who don’t need it. Even if you have filter steps, it’s likely to cost you some consumption of your automation tool (ex. Zapier). 

@KantataWill For your use case, the same principles in my reply above apply. I recommend first doing a manual audit of custom roles for existing users. You could bulk-assign the custom roles via the User Overview bulk action: 

Or you could do a bulk backfill of custom roles via the API. 

Once you’ve covered all the existing users, then you just need to focus on assigning the role to net-new users upon registration. Whether they use SSO or a username/password, it’ll be the same. You could trigger you automation off the pre-built Zapier trigger for New Users or the IdentityAccess.UserRegistered webhook. From there it’s still this: 

• Finds user in {your system, for me it’s salesforce}
  • Gets the data on the type of user they are (for us it’s Account Type)
• Assigns the role via API (or pre-built Zapier action or similar tool)
  • based on conditions from #2

Ah yes, that makes more sense, thank you @DannyPancratz