Plans supporting single sign-on (SSO)
Professional | Business | Enterprise |
---|---|---|
Before setting up Single Sign-On (SSO) between Document360 and ADFS using the SAML protocol, ensure you have administrative access to both Document360 and the ADFS server. Only users with the Owner or Admin project role can configure SSO in Document360.
PRO TIP
Open Document360 and ADFS in two separate tabs or browser windows, since configuring SSO in Document360 requires you to switch between ADFS and Document360 multiple times.
Adding an Application in ADFS
You'll need to create a new SAML application in ADFS:
Log in to the ADFS Management console on your ADFS server.
In the ADFS Management console, navigate to Relying Party Trusts.
Right-click Relying Party Trusts and select Add Relying Party Trust.
In the Add Relying Party Trust Wizard, choose Claims aware and click Start.
Select Enter data about the relying party manually and click Next.
Provide a display name (e.g., "Document360 SAML SSO") and click Next.
In the Configure Certificate step, click Next (you can skip this if not using a certificate).
Under Configure URL, select Enable support for the SAML 2.0 WebSSO protocol.
Document360 Service Provider (SP) Configuration
Next, you will need to configure ADFS with the Service Provider (SP) details provided by Document360:
Open Document360 in a separate tab or window.
Navigate to Settings > Users & security > SAML/OpenID in Document360.
Click the Create SSO button.
Select ADFS as your Identity Provider (IdP) to navigate to the Configure the Service Provider (SP) page automatically.
On the Configure the Service Provider (SP) page, choose SAML as the protocol.
The Configure the Service Provider (SP) page shows the following values:
Subdomain name: The unique subdomain of your Document360 instance (e.g., yourcompany.document360.io).
Callback path: The URI where users will be redirected after signing in.
Signed out callback path: The URI where users will be redirected after signing out.
Metadata path: The URL where the SAML metadata for Document360 can be retrieved.
Service provider entity ID: The unique identifier for the Document360 service provider.
Enter these values into the corresponding fields in the Configure URL and Identifiers steps in ADFS:
Relying Party Identifier: Use the Service provider entity ID provided by Document360.
Sign-On URL: Enter the Callback path.
Sign-Out URL: Enter the Signed out callback path.
Relying Party Trust Identifier: Use the Subdomain name.
Metadata URL: Enter the Metadata path to configure ADFS to retrieve the SAML metadata from Document360 automatically.
Click Next and complete the remaining steps in the wizard, such as setting up multi-factor authentication if required and permitting all users to access the application.
Review your settings and click Next to add the relying party trust.
On the final screen, check the box for Open the Edit Claim Rules dialog and click Close.
Configuring Claim Rules
In the Edit Claim Rules dialog, click Add Rule.
Select Send LDAP Attributes as Claims as the rule template and click Next.
Provide a name for the claim rule (e.g., "Send LDAP Attributes").
Configure the following:
Attribute Store: Select Active Directory.
Mapping:
LDAP Attribute | Outgoing Claim Type |
---|---|
User-Principal-Name | Name ID |
E-Mail-Addresses | Email |
Display-Name | Name |
Click Finish to add the rule.
Click Apply to save your changes and close the dialog.
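The relying party trust and claim rule from the steps above can also be created from PowerShell on the ADFS server, which keeps the configuration reviewable and repeatable. This is an added example, not Document360's or Microsoft's own script: the angle-bracket values are placeholders for the values shown on the Configure the Service Provider (SP) page, the POST binding and the E-Mail Address claim type for Email are assumptions, and `-AccessControlPolicyName` requires AD FS 2016 or later.

```powershell
# Added example, not from the original page. Run elevated on the primary ADFS server.
# Placeholders: copy the real values from Document360's Configure the Service Provider (SP) page.
$TrustName   = 'Document360 SAML SSO'
$Identifiers = @('<Service provider entity ID>', '<Subdomain name>')
$CallbackUrl = '<Callback path as a full https:// URL>'

# One LDAP rule that issues the three outgoing claims from the Mapping step.
# Assumption: "Email" means ADFS's built-in E-Mail Address claim type.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,mail,displayName;{0}", param = c.Value);
'@

# Refuse to create a second trust with the same display name.
if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    throw "Relying party trust '$TrustName' already exists; review it instead of re-creating it."
}

# Assertion consumer endpoint for the Sign-On URL.
# Assumption: POST binding, which is what the wizard's SAML 2.0 WebSSO option creates.
# The Sign-Out URL is not set here because the page does not state its binding.
$Acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $CallbackUrl

# 'Permit everyone' matches "permitting all users to access the application" in the wizard.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $Identifiers `
    -SamlEndpoint $Acs `
    -IssuanceTransformRules $Rules `
    -AccessControlPolicyName 'Permit everyone'

# Print what was stored so it can be compared with the values in Document360.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Format-List Name, Identifier, Enabled, AccessControlPolicyName, IssuanceTransformRules
```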
Document360 SAML SSO Configuration
Now, configure the SSO settings in Document360:
Return to the Document360 tab/window displaying the Configure the Service Provider (SP) page and click Next to navigate to the Configure the Identity Provider (IdP) page.
Enter the corresponding values from your ADFS configuration:
ADFS | Document360 |
---|---|
SAML Sign-On URL | Identity Provider Single Sign-On URL |
Identifier (Entity ID) | Identity Provider Issuer |
X.509 Certificate | SAML Certificate |
Download the X.509 Certificate from ADFS and upload it to Document360 in the SAML Certificate field.
Toggle on/off the Allow IdP initiated sign in option based on your project needs.
Click Next to proceed to the More settings page.
More Settings
In the More settings page, configure the following:
SSO name: Enter a name for the SSO configuration.
Customize login button: Enter the text for the login button displayed to users.
Auto assign reader group: Toggle on/off as needed.
Sign out idle SSO team account: Toggle on/off based on your requirements.
Click Create to complete the SAML SSO configuration.