How to Connect Your Existing SSO to Documoto
This article and the attached guide describe how to connect your existing Single Sign-On ("SSO") implementation to Documoto to facilitate user authentication.
Article Topics
- What is SSO?
- Documoto SSO Requirements
- How Documoto Supports SSO
- Documoto SSO Communication Workflow
- How to Configure SSO
- Initial Identity Provider Setup
- Documoto Setup
- Validate SSO Setup
- SSO Support
- Attachments
What is Single Sign-On?
Single Sign-On ("SSO") is an authentication method that enables users to securely authenticate with multiple applications, such as Documoto, and websites by using just one set of credentials.
Documoto SSO Requirements
- Documoto exclusively supports SP-initiated SSO and SAML 2.0.
- Your metadata file needs to be publicly accessible via URL.
- SSO implementation must use SAML Assertion signing.
- SHA-256 is the recommended signature digest algorithm.
- Documoto does not support SSO logout functionality.
- SSO is not supported when Documoto is embedded in an iframe.
How Documoto Supports SSO
Documoto supports SSO access to Documoto accounts via the Security Assertion Markup Language (SAML).
SAML is an XML-based standard data format for exchanging authentication and authorization data between web-based applications.
- Principal: the user trying to authenticate to a web-based application
- Identity Provider (IdP): your server or authorization authority that the user initially authenticates with
  When connecting your existing SSO to Documoto, the Identity Provider (IdP) is your server.
- Service Provider (SP): the web-based application that the user tries to access
  When connecting your existing SSO to Documoto, the Service Provider is Documoto.
Documoto SSO Communication Workflow
- Your Identity Provider has a public and private key.
- Provide a metadata endpoint URL that advertises your public key.
- Your Identity Provider makes an authentication/authorization decision and either:
  - Redirects the user to Documoto with a signed SAML response, or
  - Informs the user that they do not have an active session.
- Documoto uses your IdP’s public key to verify the signature. If the signature is valid, Documoto authenticates the user using the organization, user group(s) and email address provided in the SAML response.
- SSO is initiated by forwarding a user to the Documoto sign-on URL:
  - Integration (Test) environment: https://[tenantkey].integration.documoto.com/ui/login?sso=true
  - Production environment: https://[tenantkey].app.documoto.com/ui/login?sso=true
- Upon receiving a request at the sign-on URL, Documoto knows that the user wants to log in via SSO and redirects the user to your Identity Provider with a SAML AuthnRequest.
- If the Identity Provider then passes valid attributes back to Documoto, the user is authenticated.
The Documoto sign-on URL can be combined with additional URL parameters to enable auto-navigation to a specific location or content within the application, as well as customized configuration settings.
How to Configure SSO
To set up SSO with Documoto, follow these steps:
Identity Provider Setup
Import the relevant Documoto metadata URL to populate all necessary fields in your Identity Provider:
| Documoto Environment | Metadata URL |
|---|---|
| Integration ("Test") | https://integration.digabit.com/saml/metadata |
| Production | https://documoto.digabit.com/saml/metadata |
If metadata import is not feasible, manually configure the following settings:
| Documoto Environment | Identifier or Entity ID | Reply URL (Assertion Consumer Service) |
|---|---|---|
| Integration (Test) | com:documoto:int:sp | https://integration.digabit.com/saml/SSO |
| Production | com:documoto:prod:sp | https://documoto.digabit.com/saml/SSO |
Documoto Setup
The following information must be provided to Documoto for configuration:
- IdP Metadata URL: the URL to your Identity Provider metadata file
- Maximum Session Timeout: the maximum session timeout value configured in your Identity Provider
- IdP Attribute Mappings: the Identity Provider attribute names used to pass the following values:
  - Documoto Organization
    - Must exactly match a Documoto Organization
  - Documoto User Group(s)
    - Must exactly match one or more existing Documoto User Groups
  - Documoto Username
    - If this IdP attribute is not specified, the default is "NameID"
Documoto will map these IdP field names to the corresponding Documoto fields and configure the Documoto session timeout to match the Identity Provider maximum session timeout.
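The following added example (not Documoto's code) shows the Service Provider side of the workflow and attribute mapping described above: after signature verification (assumed already done with your IdP's public key), the SAML Response is checked against the Production Entity ID and Reply URL from the tables, and the IdP attributes are mapped onto Organization, User Group(s) and Username, falling back to NameID when no username attribute is configured. The response XML and the attribute names "docOrg" and "docGroups" are constructed for this example.

```python
# Added example (not Documoto's code): parse a SAML 2.0 Response the way a Service
# Provider does after signature verification, and map IdP attributes onto the Documoto
# login fields. Sample data is constructed; "docOrg" and "docGroups" are hypothetical.
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "com:documoto:prod:sp"                 # Production Entity ID from the article
SP_ACS_URL = "https://documoto.digabit.com/saml/SSO"  # Production Reply URL from the article
# Customer-supplied attribute mapping; username=None exercises the documented NameID default.
MAPPING = {"organization": "docOrg", "user_groups": "docGroups", "username": None}
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://documoto.digabit.com/saml/SSO">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>com:documoto:prod:sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="docOrg"><saml:AttributeValue>Acme Corp</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="docGroups"><saml:AttributeValue>Dealers</saml:AttributeValue>
    <saml:AttributeValue>Service Techs</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def map_saml_response(xml_text, mapping=MAPPING, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Return {organization, user_groups, username}, or raise ValueError for a bad response."""
    root = ET.fromstring(xml_text)
    # Destination must be this environment's ACS; a response aimed at another environment is rejected.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the Reply URL (ACS)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    # AudienceRestriction must name this SP's Entity ID, so a token minted for another SP is refused.
    if entity_id not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        raise ValueError("Audience does not include the SP Entity ID")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    orgs = attrs.get(mapping["organization"], [])
    if len(orgs) != 1:                                 # must match exactly one Documoto Organization
        raise ValueError("exactly one organization attribute value is required")
    groups = attrs.get(mapping["user_groups"], [])
    if not groups:                                     # one or more Documoto User Groups are required
        raise ValueError("at least one user group attribute value is required")
    username = (attrs.get(mapping["username"], [None])[0] if mapping.get("username")
                else assertion.findtext("saml:Subject/saml:NameID", namespaces=NS))
    if not username:
        raise ValueError("no username attribute value or NameID present")
    return {"organization": orgs[0], "user_groups": groups, "username": username}
```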
Validate SSO Setup
After configuring the Identity Provider and Documoto, initiate an SSO session by directing a user to the relevant sign-on URL using a web browser:
| Documoto Environment | Sign-On URL |
|---|---|
| Integration ("Test") | https://[tenantkey].integration.documoto.com/ui/login?sso=true |
| Production | https://[tenantkey].app.documoto.com/ui/login?sso=true |
SSO Support
If you are interested in adding SSO to your Documoto subscription or need support configuring SSO in Documoto, please contact your Documoto Customer Success Manager.
Attachments