ADFS with OpenID SSO

Plans supporting single sign on (SSO)

Professional
Business
Enterprise

Before setting up Single Sign-On (SSO) between Document360 and ADFS using the OpenID protocol, ensure you have administrative access to both Document360 and the ADFS server. Note that only users with the Owner or Admin project role can configure SSO in Document360.

PRO TIP

It is recommended to open Document360 and ADFS in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between ADFS and Document360 multiple times.

Adding an Application in ADFS

You'll need to create a new OpenID application in ADFS. Be aware that the Relying Party Trusts node in the ADFS Management console is where WS-Federation/SAML relying parties live; on ADFS 2016 and later, an OpenID Connect client with its own Client ID and Client Secret (the values the Document360 IdP step asks for) is registered under Application Groups. Check which object your ADFS version expects before you start.

  1. Log in to the ADFS Management console on your ADFS server.

  2. In the ADFS Management console, navigate to Relying Party Trusts.

  3. Right-click Relying Party Trusts and select Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, choose Claims aware and click Start.

  5. Select Enter data about the relying party manually and click Next.

  6. Provide a display name (e.g., "Document360 OpenID SSO") and click Next.

  7. In the Configure Certificate step, click Next (you can skip this if not using a certificate).

Document360 Service Provider (SP) Configuration

Next, you will need to configure ADFS with the Service Provider (SP) details provided by Document360:

  1. Open Document360 in a separate tab or window.

  2. Navigate to Settings > Users & security > SAML/OpenID in Document360.

  3. Click the Create SSO button.

  4. Select ADFS as your identity provider; you are taken automatically to the Configure the Service Provider (SP) page.

  5. On the Configure the Service Provider (SP) page, select the OpenID radio button. The page then shows the values ADFS needs:

    • Subdomain name

    • Sign in redirect URI

    • Sign out redirect URI

  6. Switch to the ADFS Management console tab/window and enter these values into the corresponding fields in the Configure URL step:

    • Relying Party Identifier: Use the Subdomain name provided by Document360.

    • Sign-On URL: Enter the Sign in redirect URI exactly as shown (scheme, host and path); ADFS only redirects to URIs that match what is registered.

    • Sign-Out URL: Enter the Sign out redirect URI.

  7. Click Next and complete the remaining steps in the wizard, such as setting up multi-factor authentication if required and permitting all users to access the application.

  8. Review your settings and click Next to add the relying party trust.

  9. On the final screen, check the box for Open the Edit Claim Rules dialog and click Close.

Configuring Claim Rules

  1. In the Edit Claim Rules dialog, click Add Rule.

  2. Select Send LDAP Attributes as Claims as the rule template and click Next.

  3. Provide a name for the claim rule (e.g., "Send LDAP Attributes").

  4. Configure the following:

    • Attribute Store: Select Active Directory.

    • Mapping:

      • LDAP Attribute: User-Principal-Name | Outgoing Claim Type: Name ID

      • LDAP Attribute: E-Mail-Addresses | Outgoing Claim Type: Email

      • LDAP Attribute: Display-Name | Outgoing Claim Type: Name

  5. Click Finish to add the rule.

  6. Click Apply to save your changes and close the dialog.
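The wizard steps above can also be scripted, which makes the trust reproducible and lets you review exactly which claims ADFS will issue. The following is an added example written for this page, not code from Document360 or from Microsoft's documentation; the display name, the identifier (the Document360 Subdomain name) and the hostnames are placeholder assumptions, and it must run in an elevated PowerShell session on the ADFS server. The claim rule text is the same "Send LDAP Attributes as Claims" rule the dialog produces for the User-Principal-Name/E-Mail-Addresses/Display-Name mapping.

```powershell
# Added example: create the Document360 relying party trust and its claim rule
# with the ADFS PowerShell module instead of the GUI wizard.
# Assumptions: $identifier is the Subdomain name shown by Document360; run on the ADFS server.
Import-Module ADFS

$displayName = 'Document360 OpenID SSO'
$identifier  = 'mycompany'   # assumed placeholder for the Document360 "Subdomain name"

# Claim rule in the ADFS claim rule language, equivalent to the wizard's
# "Send LDAP Attributes as Claims" template:
#   userPrincipalName -> Name ID, mail -> Email, displayName -> Name
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@

# Issuance authorization rule matching "permit all users" in the wizard.
# (On ADFS 2016 and later you can use -AccessControlPolicyName 'Permit everyone' instead.)
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust only if it does not already exist, so the script is safe to re-run.
if (-not (Get-AdfsRelyingPartyTrust -Name $displayName)) {
    Add-AdfsRelyingPartyTrust -Name $displayName `
        -Identifier $identifier `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Review what ADFS actually stored before handing values to Document360:
# the identifier must match the Client ID you will enter there, and the
# transform rules should issue exactly the three claims above and nothing more.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

Keep the issued claims to the minimum Document360 needs; every extra LDAP attribute you map is exposed to the relying party on every sign-in.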

Document360 OpenID SSO Configuration

Now, configure the SSO settings in Document360:

  1. Return to the Document360 tab/window displaying the Configure the Service Provider (SP) page.

  2. Click Next to navigate to the Configure the Identity Provider (IdP) page and enter the corresponding values from your ADFS configuration:

     ADFS                             Document360
     -------------------------------  ------------------------------------------
     Client Identifier (Client ID)    Client ID
     Client Secret                    Client Secret
     Issuer URL                       Authority (Authorization URL or Endpoint)

  3. Ensure that the Client Identifier matches the Relying Party Identifier configured in ADFS. Treat the Client Secret as a credential: paste it into Document360 directly and do not store it in tickets or chat.

  4. Toggle the Allow IdP initiated sign in option on or off based on your project needs. Leave it off unless users must start from an ADFS portal, since an IdP-initiated sign-in is not tied to a request that Document360 started.

  5. Click Next to proceed to the More settings page.
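Before saving the IdP page, it is worth checking the values against what the ADFS farm actually publishes, because a wrong issuer (trailing slash, wrong host) or an identifier that does not match the trust will only surface as a failed sign-in later. The script below is an added example for this page, not Document360's or Microsoft's code; the ADFS hostname and the client identifier are assumed placeholders, and the well-known metadata path is the one ADFS publishes for OpenID Connect.

```powershell
# Added example: cross-check the Document360 IdP values against ADFS metadata.
# Assumptions: $adfsHost is the farm FQDN; $clientId is the identifier you
# registered in ADFS and will enter as Client ID in Document360.
Import-Module ADFS

$adfsHost  = 'adfs.example.com'          # assumed placeholder
$clientId  = 'mycompany'                 # assumed placeholder (Relying Party Identifier / Client ID)
$authority = "https://$adfsHost/adfs"    # the value Document360 calls "Authority"

# ADFS publishes its OpenID Connect metadata at this well-known path.
$discovery = Invoke-RestMethod -Uri "$authority/.well-known/openid-configuration"

# 1. The issuer in the metadata must equal the Authority you give Document360;
#    ID-token validation compares the two byte for byte.
if ($discovery.issuer -ne $authority) {
    throw "Issuer mismatch: metadata says '$($discovery.issuer)', you are about to enter '$authority'"
}

# 2. Endpoints Document360 will use; all of them must be HTTPS.
foreach ($ep in 'authorization_endpoint', 'token_endpoint', 'end_session_endpoint', 'jwks_uri') {
    $url = $discovery.$ep
    if (-not $url -or -not $url.StartsWith('https://')) { throw "$ep is missing or not HTTPS: $url" }
    Write-Host ("{0,-24} {1}" -f $ep, $url)
}

# 3. The identifier configured in ADFS must match the Client ID you enter in Document360.
$rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains $clientId }
if (-not $rp) { throw "No relying party trust in ADFS carries the identifier '$clientId'" }
"Client ID '$clientId' maps to relying party '$($rp.Name)' (enabled: $($rp.Enabled))"
```

Run it from a workstation that can reach the ADFS farm over HTTPS; if step 1 fails, fix the Authority value in Document360 rather than the ADFS issuer, which other relying parties depend on.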

More Settings

In the More settings page, configure the following:

  • SSO name: Enter a name for the SSO configuration.

  • Customize login button: Enter the text for the login button displayed to users.

  • Auto assign reader group: Toggle on/off as needed.

  • Sign out idle SSO team account: Toggle on/off based on your requirements.

  • Choose whether to invite existing team and reader accounts to SSO.

Click Create to complete the OpenID SSO configuration.