Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). In simple terms, SAML allows a user to log in once through their organization's identity system and access Document360 without needing a separate username and password.
Document360 acts as the Service Provider (SP). Your chosen identity platform, such as Okta, Microsoft Entra, or Google Workspace, acts as the Identity Provider (IdP). When a user signs in, the IdP verifies their identity and sends a digitally signed assertion to Document360, which grants access.
Why use SAML SSO
- Centralized access control. Manage who can access Document360 from your existing identity platform without creating separate accounts.
- Improved security. Authentication happens through your IdP, which can enforce MFA, conditional access policies, and session controls.
- Better user experience. Users sign in once through their organization's portal and access Document360 directly, without additional logins.
- Simplified offboarding. Deactivating a user in your IdP immediately prevents access to Document360.
How SAML SSO configuration works in Document360
Configuring SAML SSO in Document360 always follows the same three-stage pattern, regardless of which Identity Provider you use:
- Create a SAML application in your Identity Provider using the Service Provider (SP) parameters from Document360.
- Complete the SSO configuration in Document360 using the parameters from your Identity Provider, including the Sign on URL, Entity ID, and X.509 certificate.
- Configure optional settings such as SCIM provisioning, SSO name, login button customization, and user invitation options.
Select your Identity Provider below to follow the step-by-step setup guide.
Supported Identity Providers
Document360 supports SAML SSO with the following Identity Providers. Select your provider to get started.
Google Workspace
Configure SAML SSO with Google Workspace. Note: SCIM is not supported.
Set up Google →
Other providers
Configure SAML SSO with any SAML 2.0-compatible Identity Provider.
Set up other IdP →
SAML capabilities by provider
| Identity Provider | Team member auth | Reader auth | IdP-initiated sign-in | SCIM provisioning |
|---|---|---|---|---|
| Okta | Yes | Yes | Yes | Yes (users and readers) |
| Microsoft Entra | Yes | Yes | Yes | Yes (users and readers) |
| Google Workspace | Yes | Yes | Yes | No |
| OneLogin | Yes | Yes | Yes | Yes (readers only) |
| ADFS | Yes | Yes | Yes | Yes (via third-party tools) |
| Other providers | Yes | Yes | Yes | Yes (if IdP supports SCIM) |
IdP-initiated sign-in
By default, users start the sign-in flow from the Document360 login page (SP-initiated sign-in). When IdP-initiated sign-in is enabled, users can instead sign in directly from their Identity Provider's dashboard and access Document360 without visiting the Document360 login page first.
The following Identity Providers support IdP-initiated sign-in with Document360: Okta, Microsoft Entra, Google Workspace, OneLogin, and ADFS.
How it works:
- Once the Allow IdP initiated sign in toggle is enabled, an exclusive IdP-initiated sign-on URL is obtained from the IdP and shared with SSO users.
- Users use this link to log in to their Identity Provider's dashboard.
- The user selects the configured project and accesses Document360 directly.
To enable IdP-initiated sign-in during initial SSO setup, turn on the Allow IdP initiated sign in toggle on the Configure the Identity Provider (IdP) page.
To enable it on an existing SSO configuration:
- Navigate to Settings > Users & permissions > SSO Configuration.
- Hover over the existing SSO configuration and click the Edit icon.
- Navigate to the IdP configurations tab.
- Turn on the Allow IdP initiated sign in toggle.
- Click Save.
If you receive an error when trying to access Document360 from your IdP dashboard, it is likely because the Allow IdP initiated sign in toggle is not enabled. Follow the steps above to enable it.
Managing the SSO certificate
Document360 uses an X.509 certificate to validate SAML assertions from your Identity Provider. Certificates have expiry dates. When a certificate expires, SSO authentication will fail for all users.
A SAML Certificate Rotation Notice banner appears on the SSO Configuration page 15 days before expiry, allowing you to download the updated certificate and renew it in your Identity Provider before access is disrupted.
Learn more about managing SSO certificates →
Other SAML resources
SCIM provisioning
Automate user and reader lifecycle management using SCIM with Okta or Entra.
Learn about SCIM →
Remove a SAML SSO configuration
Learn what happens when you remove a configured SAML SSO and how to do it safely.
Remove SAML SSO →
FAQ
Can I use SAML and JWT at the same time?
Yes. SAML and JWT can coexist in Document360. SAML handles user and reader authentication through an Identity Provider, while JWT is typically used by developers to authenticate readers programmatically through their own application. Both can be active in the same project at the same time.
Can I configure more than one SAML SSO in a single Document360 project?
Yes. You can configure multiple SAML SSO configurations in the same project, each with a different Identity Provider. For example, you can have separate configurations for Okta, Microsoft Entra, and Google Workspace active at the same time.