This is the SAML reference for Single Sign-On: where each value goes in your IdP and the per-provider screens for Okta, Microsoft Entra ID, and Google Workspace. Set up the connection in the SSO portal first, then use this page to enter the values in your IdP.
Take your ACS URL, Entity ID, and metadata URL from the SSO portal (Settings > Single Sign-On & SCIM). The Entity ID contains an auto-generated connection ID (such as gecko-okta-72468ca55845447aa90c). Copy it exactly, and don’t build it from your team slug; a mismatch is the top cause of failed logins.

Service-provider values

These go into your IdP’s SAML app. The portal shows the exact strings:
| Field | Value |
| --- | --- |
| ACS URL (Reply URL) | shown in the SSO portal (https://auth.gecko.security/login/callback) |
| Entity ID (Audience) | shown in the SSO portal (ends in your auto-generated connection ID) |
| Name ID format | EmailAddress |
| Name ID value | the user’s work email |
Instead of entering these by hand, import Gecko’s SP metadata into your IdP using the metadata URL from the portal. It carries the ACS URL, Entity ID, and Gecko’s signing certificate in one go, so the values can’t drift.
Attributes your IdP must send in the assertion:
| Attribute | Claim name | Required |
| --- | --- | --- |
| Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Yes |
| First name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Recommended |
| Last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Recommended |
| Groups | groups | Only for group-based role mapping |
The Name ID already carries the email, which satisfies the minimum. Send first and last name too so Gecko can show real names on assignees and in the audit log; providers that only expose atomic fields (such as Google Workspace) have no single display-name attribute, so map the two separately.
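To confirm that your IdP sends what the two tables above require, you can run a decoded assertion from a test login through a check like the following. This is an added example, not Gecko's code: it compares the Audience, Recipient, Name ID format and claim names against the expected values and does not verify the signature, so use it only to debug configuration. The `ENTITY_ID` value and the sample assertion are constructed placeholders, and `check_assertion` and `sample` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://auth.gecko.security/login/callback"
ENTITY_ID = "urn:example:gecko-okta-0000000000"  # constructed; copy yours from the portal

def check_assertion(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Return (errors, warnings) for a decoded assertion. Checks configuration only."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element found"], []
    errors, warnings = [], []
    audiences = [e.text.strip() for e in a.findall(".//saml:Audience", NS) if e.text]
    if entity_id not in audiences:  # exact, case-sensitive comparison
        errors.append(f"Audience {audiences} != Entity ID {entity_id!r}")
    recipients = [c.get("Recipient") for c in a.findall(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        errors.append(f"Recipient {recipients} != ACS URL {acs_url!r}")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    nid_is_email = name_id is not None and "@" in (name_id.text or "")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        errors.append("NameID Format is not emailAddress")
    sent = {at.get("Name") for at in a.findall(".//saml:Attribute", NS)}
    # The email requirement is met by either the Name ID or the emailaddress claim.
    if not nid_is_email and CLAIMS + "emailaddress" not in sent:
        errors.append("no email in NameID or emailaddress claim")
    for claim in ("givenname", "surname"):
        if CLAIMS + claim not in sent:
            warnings.append(f"recommended claim {claim} not sent")
    return errors, warnings

def sample(audience, claims=("givenname", "surname")):
    """Build a constructed, unsigned assertion for the demo."""
    attrs = "".join(f'<saml:Attribute Name="{CLAIMS}{c}"><saml:AttributeValue>x'
                    f'</saml:AttributeValue></saml:Attribute>' for c in claims)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{EMAIL_FORMAT}">dev@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>'
            f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    print(check_assertion(sample(ENTITY_ID)))                   # matches the portal values
    print(check_assertion(sample("urn:example:my-team-slug")))  # hand-built Entity ID
```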

Provider setup

Set this up in the Google Admin console at admin.google.com as a super admin, not from Gmail or a regular user account.
  1. Go to Apps → Web and mobile apps, then Add app → Add custom SAML app.
  2. Name the app (for example, Gecko) and click Continue.
  3. On Google Identity Provider details, copy the SSO URL and download the Certificate (or Download metadata). These are the IdP details you enter back in the SSO portal.
  4. On Service provider details, paste Gecko’s ACS URL and Entity ID from the SSO portal. Set Name ID format to EMAIL and Name ID to Basic Information > Primary email.
  5. On Attribute mapping, map First name and Last name to the given-name and surname claims above. Google has no single display-name field, so map the two separately; Gecko composes the name from them. (Primary email is already covered by the Name ID.) Click Finish.
  6. Open the app, click User access, and turn it On for everyone or the org units that should use Gecko.
In the Okta admin console: Applications → Create App Integration → SAML 2.0. Enter Gecko’s ACS URL and Entity ID from the SSO portal, set the Name ID and attributes, then assign users. The app’s Sign On tab exposes the identity provider metadata URL you enter back in the portal.
In the Entra admin center: Enterprise applications → New application → Create your own application (non-gallery). Under Single sign-on → SAML, enter Gecko’s ACS URL (Reply URL) and Entity ID from the SSO portal, configure the claims, then assign users. The SAML Certificates section holds the Federation Metadata XML you enter back in the portal.
Once the app exists and users are assigned, return to the SSO portal to enter your IdP’s sign-in URL and signing certificate, verify, and test. That page also covers the common sign-in errors.