Single sign-on

1. Overview
   

Signeasy provides Single sign-on (SSO) functionality for its customers to access the app through a single authentication source. This allows IT administrators to manage team access more efficiently and enhances information security. It offers flexibility to authenticate with external federated identity providers such as Okta Workforce, Microsoft Azure AD, and Google Workspace, among others. Alternatively, we can configure a custom SAML or OpenID Connect connection for greater versatility.

2. Benefits of SSO
   

• Simplify Login: Don’t juggle multiple passwords. SSO offers a smooth, seamless sign-in process. One set of credentials unlocks everything, providing a frictionless user experience.

• Enhance security: SSO isn’t just about convenience; it’s a fortress of security. By linking access to company credentials, sensitive documents are safeguarded, reducing the risk of unauthorized access.

• Streamline user management: Managing user access becomes a breeze with SSO. The unified dashboard allows administrators and IT teams to effortlessly configure, grant, or revoke permissions, ensuring the right people have the right access.

• Maximize efficiency: By simplifying password management, SSO minimizes the likelihood of lost passwords, reducing the need for constant resets and lowering associated cloud storage costs.

• Optimize IT support: Reduced Help Desk requests are a welcome benefit of SSO. Streamlining authentication processes alleviates the burden on IT support, freeing them to focus on more strategic tasks.

3. Availability and Access

This feature is available to customers who are on Signeasy Business and Business Plus Plans. To enable this feature, please contact our sales team.

Signeasy supports authentication with external federated identity providers like Okta Workforce, Microsoft Azure AD, Google Workspace, and more. 

Note: SSO must be enabled by the Signeasy admin for the team. If you are an admin in the Signeasy application and unable to access the SSO, please contact sales to enable it for your team.

4. Features Supported by SSO
   

• IdP-Initiated Login: Any new managed users created for the configured domain will get SSO enforced. The users will not be required to set up their password during the initial log-in and can continue with their corporate credentials.

• SSO Enforcement for Users Based on Domains: Signeasy SSO provides the ability to enforce SSO for users based on their email domains. Once you select the domains and enforce SSO on them.

Note: All existing Managed Users belonging to those domains will get SSO-enforced. Once SSO is enforced for a user, they can't log in using their password. They can log in only using SSO.

• Enable/Disable SSO for specific Managed Users: If you have any specific user(s) who should be allowed to log in without SSO then you can disable SSO for them using the ‘Account Settings’ and enable it again as needed.

• Multiple SSO Profiles: Signeasy supports multiple SSO profiles. So if you have more than one IdPs that you want to configure with Signeasy, you can do so by requesting sales or reaching out to support here.

5. Features not supported by SSO

• Just-In-Time User Provisioning

Info: Signeasy supports automated user provisioning for any new user that you add to your team.

• Configuring Roles or other attributes via SSO

• SCIM Provisioning and De-provisioning

6. Configuring SSO for your team

1. Prerequisites for SSO with Signeasy

• Your account must be on the Signeasy Business or Business Plus plan.

• Your Identity Provider (IdP) must support the SAML 2.0 standard.

• Purchased a Signeasy plan that includes SSO and has got the SSO feature enabled for your Signeasy Organisation.

• Only a Signeasy admin can configure SAML SSO for the Signeasy Team

• At least one domain has been verified and configured by the Signeasy Team.

2. Enable SAML SSO for your team

• Go to the 'Accounts & Settings' section in the Signeasy application.

• Navigate to 'Security' and you will find the single sign-on page

• SSO will only be enforced for users with verified domains and who have access to the Signeasy Team.

• Signeasy Team admins will always have the option to bypass SSO by using their email and password credentials. This is to allow them to access Signeasy in the event of IdP/SAML failure. They will be able to log in and disable or update their configuration.

Note: You will need to first set up an SSO profile before you can enable/disable SSO on specific managed users

3. Exclude specific team members from SSO requirement

After setting up SSO, you can exclude specific users from the SSO requirement to allow them to also log in with their Signeasy email/password or other social login options.

• In your Signeasy "Account Setting" click 'Security' in the main navigation bar.

• Under the LoginUnder Login method for your team, click the third option to define the exception list.

• In the dialog box, select the users that will be able to log in with their Signeasy accounts. For example, you can select partners and contractors if they lack a SSO login or user group who do not fall in the corporate licence.

• Click Save.

Note: If the admin selects the 1st option as a Login method for the team, every user by default would have to 'Login with SSO'. The changes cannot be made later hence we recommend using a third option basis your organisation's needs.

7. Getting started

1. You must first set up an SSO profile before you can ‘Log In with SSO’ or enable/disable SSO for specific managed users.

   • You can request SSO configuration for your team here. 

   • Once the configuration is completed, your team members can ‘Log In with SSO’ using these steps.

2. Visit Signeasy’s login page and click on ‘Login with SSO’.

3. Enter your email, and click on ‘Continue’. If the domain is not confirmed with Signeasy's identity provider, you will be prompted to support a request.
    
   

4. You can hit 'continue' if the domain is configured and you will be redirected to the Signeasy application.
   
   

8. FAQ
   
   

• How do I set up and configure the SSO solution for Signeasy?

Since various Identity Management Providers (IdPs) have different requirements, we encourage you to contact us here to discuss the setup steps.

• Which username format should I set in my SAML application?

Signeasy users are identified by email address. Ensure that your IdP is sending a nameID in email format that corresponds with their Signeasy user’s email address.

• What all identity providers do you support at Signeasy?
  We have the flexibility to authenticate with external federated identity providers such as Okta Workforce, Microsoft Azure AD, Google Workspace etc. to name a few.

• Why can’t I edit the SAML SSO settings from the SSO page?
  The most common reason is that you are trying to modify the verified domains or SSO configuration from a linked account. In a linked account, all domain management and your secrets are read-only. 
  To modify the SSO configuration or remove the configuration, you can reach-out to Signeasy support.

• I am a current Signeasy customer. Is SSO supported in my account?
  SSO is available with the Signeasy Business and Business Plus plan and requires additional fees. Contact our specialists today to request a custom quote.

• Have trouble setting up SSO? Here are some common issues:

  • We recommend testing the setup process with a test account before enforcing it for users.

  • Verify your corporate settings/IdP setting matches with the one configured with Signeasy

  • If these options don't help, reach out to support at support@signeasy.com