Documentation Index

Fetch the complete documentation index at: https://docs.document360.com/llms.txt

Use this file to discover all available pages before exploring further.

Other configurations with OpenID SSO

Prev Next

Document360 supports OpenID Connect SSO with any Identity Provider (IdP) that supports the OpenID Connect protocol, even if it is not listed explicitly in Document360's IdP options. This article walks you through configuring SSO between Document360 and a custom or unlisted Identity Provider using OpenID Connect.

NOTE

Only users with the Owner or Admin project role can configure SSO in Document360.


Before you begin

  • You have administrative access to both Document360 and your Identity Provider.
  • You have Owner or Admin access in your Document360 project.
  • Open Document360 and your Identity Provider in two separate browser tabs before starting.

How to configure OpenID SSO with other providers in Document360

Step 1: Add a new application in your IdP

  1. Log in to your Identity Provider's admin console.
  2. Navigate to the section where you can create or manage applications (often labelled Applications, Enterprise Applications, or similar).
  3. Select the option to create a new application.
  4. Configure the basic settings:
    • Application Name: Enter a name, for example "Document360 OpenID SSO".
    • Application Type: Select OpenID Connect as the sign-in method.
  5. Save your application settings.

Step 2: Get the SP parameters from Document360

  1. Open Document360 in a separate tab.
  2. Navigate to Settings () > Users & permissions > SSO Configuration.
  3. Click Create SSO.
Settings page displaying SSO configuration options and user permissions for identity providers.
  1. Select Others as your Identity Provider on the Choose your Identity Provider (IdP) page to navigate to the Configure the Service Provider (SP) page.
Select your Identity Provider for SSO configuration from the available options listed.
  1. Choose OpenID as the protocol on the Configure the Service Provider (SP) page.
Configuration settings for OpenID SSO with subdomain and redirect URIs highlighted.

Step 3: Enter the Document360 parameters in your IdP

In your Identity Provider's OpenID configuration, enter the Document360 parameters using the mapping below.

Your IdP Document360
Subdomain name Subdomain name
Redirect URL (sign-in) Sign in redirect URL
Redirect URL (sign-out) Sign out redirect URL

Step 4: Configure scopes and claims in your IdP

Ensure the following scopes are included in your IdP configuration.

Scope Description
openid Required for OpenID authentication
email Access to the user's email
profile Access to the user's basic profile information

Map the following claims in your Identity Provider.

Claim Value
sub User ID or identifier
email user.email
name user.name

Review your settings and save the configuration.


Step 5: Configure the Identity Provider in Document360

  1. Return to Document360 on the Configure the Service Provider (SP) page and click Next to navigate to the Configure the Identity Provider (IdP) page.
Configure the Identity Provider page for OpenID Connect in Document360.
  1. Enter the corresponding values from your Identity Provider using the mapping below.
Document360 Identity Provider
Client ID Client ID
Client Secret Client Secret
Authority Authorization URL or Endpoint
  1. Upload the necessary certificates or keys if required by your IdP.
  2. In the Scope (optional) field, type a scope value and click + to add it as a chip. This defines what user information or permissions Document360 requests from your Identity Provider. You can add up to 3 scopes.
  3. Click Next to proceed to the SCIM provisioning page.

Step 6: Configure SCIM provisioning

SCIM provisioning automates user and reader lifecycle management between your Identity Provider and Document360. This is available if your IdP supports SCIM.

If you do not need SCIM provisioning, skip to Step 7: Configure SSO name and login options.

  1. Turn on the Enable SCIM provisioning toggle.
SCIM provisioning settings for integrating Identity Provider with Document360.
  1. A confirmation dialog appears. Review the terms, select the checkbox, and click Agree.
  2. A set of parameters will be displayed. Use these to enable SCIM provisioning in your IdP.
Configuration settings for SCIM provisioning with highlighted tokens and roles.
  1. Turn on the Enable group sync toggle if needed. This automatically assigns users and readers based on your IdP group mappings.
  2. In the Default role field, the role is set to Contributor by default. You can change this from the dropdown if needed.
  3. In the User groups and Reader groups fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.
  4. Click Next to navigate to the More settings page.

Step 7: Configure SSO name and login options

  1. In the SSO name field, enter a name for the SSO configuration.
  2. In Customize login button, enter the text for the login button displayed to users.
  3. Auto assign reader group: This option is only available for existing SSO configurations. For newly created SSO configurations, this toggle will not be displayed as SCIM automatically provisions users and groups.
  4. Toggle Sign out idle SSO user on or off based on your requirements.
  5. Choose whether to invite existing user and reader accounts to SSO.
Settings for creating a new SSO, including name and login button customization options.
  1. Click Create to complete the OpenID SSO configuration.

The SSO configuration is now active in Document360 using your selected Identity Provider.


Managing users in your IdP

To view readers added through your IdP integration:

Overview of reader management settings, highlighting user accounts and permissions synchronization.
  1. In Document360, navigate to Settings () > Users & permissions > Readers & groups.
  2. Select the reader to navigate to their reader profile.

Readers provisioned via SCIM will display an SSO-SCIM badge next to their name.

NOTE

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can only manage content access from Document360. Deleting a profile in your IdP does not remove it from Document360, the profile will remain with an Inactive status.

Manage content access of readers, users, and groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to None by default but can be updated at any time.

  1. Select the desired reader and click Manage Content Access.
  2. Choose the desired access level from the dropdown and click Update.
Editing reader account settings, including content access and associated groups options.
NOTE

You can also manage groups for a reader by clicking Manage groups under the Reader Group section.