SAML SSO with ADFS

  • Updated on Mar 28, 2026
  • 5 minute(s) read
Prev Next

Plans supporting this feature: Enterprise

Before setting up Single Sign-On (SSO) between Document360 and ADFS using the SAML protocol, ensure you have administrative access to both Document360 and the ADFS server. Please note that only users with Owner or Admin as Project role can configure SSO in Document360.

PRO TIP

It is recommended to open Document360 and ADFS in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Okta and Document360 multiple times.

Adding an Application in ADFS

You'll need to create a new SAML application in ADFS:

  1. Log in to the ADFS Management console on your ADFS server.

  2. In the ADFS Management console, navigate to Relying Party Trusts.

  3. Right-click Relying Party Trusts and select Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, choose Claims aware and click Start.

  5. Select Enter data about the relying party manually and click Next.

  6. Provide a display name (e.g., "Document360 SAML SSO") and click Next.

  7. In the Configure Certificate step, click Next (you can skip this if not using a certificate).

  8. Under Configure URL, select Enable support for the SAML 2.0 Web SSO protocol.

Document360 Service Provider (SP) Configuration

Next, you will need to configure ADFS with the Service Provider (SP) details provided by Document360:

  1. Open Document360 in a separate tab or panel.

  2. Navigate to Settings > Users & permissions > SSO Configuration in Document360.

  3. Click the Create SSO button.

Settings page showing SSO configuration options and user permissions for identity providers.

  1. Select ADFS as your Identity Provider (IdP) to navigate to the Configure the Service Provider (SP) page automatically.

Select an Identity Provider for SSO configuration, highlighting ADFS option prominently.

  1. On the Configure the Service Provider (SP) page, select SAML radio button as the protocol.

  2. A set of parameters will be displayed to complete the SAML configuration in ADFS.

Configuration settings for SSO using SAML and ADFS management overview.

  1. Enter these parameters into the corresponding fields in the Configure URL and Identifiers steps in ADFS as shown below.

ADFS

Document360

Relying Party Identifier

Service provider entity ID

Sign-On URL

Callback path

Sign-Out URL

Signed out callback path

Relying Party Trust Identifier

Subdomain name

Metadata URL

Metadata path

  1. Click Next and complete the remaining steps in the wizard, such as setting up multi-factor authentication if required and permitting all users to access the application.

  2. Review your settings and click Next to add the relying party trust.

  3. On the final screen, check the box for Open the Edit Claim Rules dialog and click Close.

Configuring Claim Rules

  1. In the Edit Claim Rules dialog, click Add Rule.

  2. Select Send LDAP Attributes as Claims as the rule template and click Next.

  3. Provide a name for the claim rule (e.g., "Send LDAP Attributes").

  4. Configure the following:

    • Attribute Store: Select Active Directory.

    • Mapping:

      • LDAP Attribute: User-Principal-Name | Outgoing Claim Type: Name ID

      • LDAP Attribute: E-Mail-Addresses | Outgoing Claim Type: Email-Addresses

      • LDAP Attribute: Display-Name | Outgoing Claim Type: Name

  5. Click Finish to add the rule.

  6. Click Apply to save your changes and close the dialog.

Document360 SAML SSO Configuration

Now, configure the SSO settings in Document360:

  1. Return to the Document360 tab/panel displaying the Configure the Service Provider (SP) page and click Next to navigate to the Configure the Identity Provider (IdP) page.

Configuration settings for Single Sign-On with highlighted fields for user input.

  1. The Configure an existing connection field allows you to inherit an SSO configuration that already has SCIM enabled from a parent project. By selecting this option, the current SSO configuration becomes the child and automatically inherits the SCIM settings from the parent project

  2. Enter the corresponding values from your ADFS configuration:

ADFS

Document360

SAML Sign-On URL

Identity Provider Single Sign-On URL

Identifier (Entity ID)

Identity Provider Issuer

X.509 Certificate

SAML Certificate

  1. Download the X.509 Certificate from ADFS and upload it to Document360 in the SAML Certificate field.

    NOTE

    When exporting the X.509 certificate from ADFS, select Base-64 encoded (.CER) format. The default DER encoded format is not supported for Document360 SAML configuration.

  2. Toggle on/off the Allow IdP initiated sign in option based on your project needs.

  3. Click Next to proceed to the SCIM provisioning page.

SCIM provisioning

If SCIM is needed,

  1. Turn on the Enable SCIM provisioning toggle.

Instructions for enabling SCIM provisioning in Document360 for user synchronization.

  1. A confirmation dialog will appear outlining the terms for enabling SCIM. Review the terms, select the checkbox, and click Agree.

  2. The parameters required to complete the SCIM configuration in ADFS will then be displayed.

 NOTE

SCIM provisioning in ADFS can be enabled using third-party tools or custom-built integrations only. ADFS does not natively support SCIM provisioning.

  1. Enter the required parameters from Document360 into the corresponding fields in your custom app.

Configuration settings for SCIM provisioning and identity provider setup in a web interface.

Assign Default role

  1. In the Default role field, the role is set to Contributor by default. You can change this from the dropdown if needed.

  2. In the User groups and Reader groups fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.

  3. Click Next to navigate to the More Settings page.

More Settings

In the More settings page, configure the following:

  • SSO name: Enter a name for the SSO configuration.

  • Customize login button: Enter the text for the login button displayed to users.

  • Auto assign reader group: This option is only available for existing SSO configurations. For newly created SSO configurations, the Auto assign reader group toggle will not be displayed as SCIM automatically provisions users and groups.

  • Sign out idle SSO user: Toggle on/off based on your requirements.

Settings for creating a new SSO, including name and login button customization options.

Click Create to complete the SAML SSO configuration.

Managing Users in ADFS

Overview of reader management settings, highlighting user accounts and permissions synchronization.

To view the readers added through your custom app,

  1. Go to Document360 and navigate to Settings > Users & permissions > Readers & groups.

  2. Select the reader to navigate to their reader profile.

Readers provisioned via SCIM will display an SSO-SCIM badge next to their name.

 NOTE

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can

only manage the content access from Document360.

Deleting a profile in your IdP does not remove it from Document360, the profile will remain with an Inactive status.

Manage content access of Readers, Users and Groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to None by default but can be updated at any time.

  1. To manage content access, select the desired reader and click Manage Content Access.

  2. Choose the desired access level from the dropdown and click Update.

Editing reader account settings, including content access and associated groups options.

 NOTE

You can also manage groups for a reader by clicking Manage groups under the Reader Group section.

Troubleshooting

SP-initiated SSO fails with a Responder error

If IdP-initiated SSO works but SP-initiated SSO fails, it is likely because the Document360 signing certificate is not configured or trusted in ADFS. In SP-initiated SSO, Document360 sends a signed AuthnRequest that the IdP must validate. If the signing certificate is missing, the IdP returns a Responder error.

To resolve this:

  1. Open the Properties of the Document360 relying party trust in ADFS.

  2. Navigate to the Signature tab.

  3. Upload the Document360 signing certificate.

You can obtain the Document360 signing certificate from the SAML metadata URL.

Related articles