Skip to main content
All CollectionsTeam managementAccount and user management
Restricting how users can accept invitations to join your team
Restricting how users can accept invitations to join your team

Can I control the OAuth or login method for my new teammates?

Ross Jenkins avatar
Written by Ross Jenkins
Updated over 8 months ago

As a team owner, you can ensure that users accepting team invitations are using a specific SSO provider and Google Workspace domain, or Salesforce My Domain.

Doing so will improve your team's security, by ensuring that users can't join your team using accounts that your organization doesn't have control over.

Additionally, this should make the process smoother for your users, as they will no longer have to make sure that they accept an invitation using the correct login method.

Note that existing teammates in the Gearset team are unaffected in their ability to login with whichever method they've set up with before the restriction comes into place.

Restricting permitted SSO providers

By default, your team will allow users to accept invitations using any of the four SSO providers supported by Gearset:

  • Google

  • Salesforce (Production/Developer)

  • Salesforce (Sandbox)

  • LinkedIn

You can restrict your team’s permitted SSO providers from the Team Management settings page:

From this page, clicking on the Configure identity restrictions... button (shown below) will open a modal dialog. From here you can make adjustments to which providers you wish to allow or block. You can also configure which particular Google Workspace domains, or Salesforce My Domains to allow.

From this modal, you simply toggle on/off the SSO providers according to your desired configuration, before clicking Save restrictions.

For example, if a team owner requires Gearset team members to use a Salesforce Production/Developer account, then they can toggle off the other providers:

After saving this configuration by clicking Save restrictions, if a user attempts to accept a team invite using a Google, Salesforce Sandbox, or LinkedIn account, then they won't be added to your team. Instead, they'll be shown the message below:

You cannot join this team with your chosen single sign-on identity provider. Please ask the Team Owner which identity provider you should use.

Restricting team invitation acceptances to your specific Workspace domain

By default, if you permit Google accounts to accept team invitations, then any Google account will be able to do so.

However, for organizations using Google Workspace accounts with Gearset, we also support restricting team invitation acceptances to your specific Workspace domain (or set of domains, if your organization has more than one).

Opening the configuration modal using the Configure identity restrictions... button shown above, you should see an input field labelled Google Workspace email domain(s). By entering your Google Workspace’s domain and saving the configuration, users must use a Google account on that domain to accept team invitations.

For example, if a team owner needs to restrict the ability to accept team invitations to Google accounts on the gearset.com Google Workspace, then they would add the following configuration:

Additionally, if using a single domain, the login page that Google routes the user to will be adapted to make sure the user can only log in with accounts on the gearset.com domain:

Note that @gearset.com on the right-hand side of the email input prevents users from logging in with any other Google account.

If your organization is using multiple Google Workspace domains, then these should be given as a comma-separated list of domain names, for example: gearset.com, mycompany.com, custom-org-domain.com etc.

After saving your configuration, if a user attempts to accept a team invite using any Google account outside of your domain(s), then they won't be added to your team. Instead, they'll be shown the message below:


You cannot join this team as your user is not in an allowed domain. Please ask the Team Owner which domains you can use.

Restricting team invitation acceptances to your organization’s Salesforce My Domains subdomains

By default, if you permit Salesforce (Production/Developer, Sandbox, or both) accounts to accept team invitations, then any such account will be able to do so.

However, for organizations using Salesforce accounts we also support restricting team invitation acceptances to one or more specific My Domains.

Opening the configuration modal using the Configure identity restrictions... button, you should see an input for adding both your permitted Salesforce Production/Developer orgs and permitted Sandbox orgs.

By entering your Salesforce org's full My Domain or the subdomain and saving the configuration, users must use a Salesforce account within that org to accept team invitations.

For example, if a team owner needs to restrict the ability to accept team invitations to Salesforce Production/Developer accounts within the https://gearset.my.salesforce.com org, then they would add the following configuration:

Additionally, this input also accepts My Domain subdomains, therefore a team owner could also restrict to the Gearset Salesforce org with the following:

Similarly, you can restrict to individual sandboxes by putting the sandbox My Domain into sandbox configuration.

For example, https://gearset--test.sandbox.my.salesforce.com can be restricted by specifying either the full URL or gearset--test in the allow list. You can also restrict to any sandboxes within a parent My Domain by specifying only the parent My Domain (without the --). For example, specifying gearset will allow for https://gearset--*.sandbox.my.salesforce.com sandboxes.

If your organization is using multiple Salesforce My Domains, then these should be given as a comma-separated list.

After saving your configuration, if a user attempts to accept a team invite using any Salesforce account outside of your My Domain(s), then they won't be added to your team. Instead, they'll be shown the message below:

You cannot join this team as your user is not in an allowed domain. Please ask the Team Owner which domains you can use.

Did this answer your question?