How to Connect Your Existing SSO to Documoto
This article and the attached guide describe how to connect your existing Single Sign-On ("SSO") implementation to Documoto to facilitate user authentication.
Article Topics
- What is SSO?
- Documoto SSO Requirements
- How Documoto Supports SSO
- Documoto SSO Communication Workflow
- How to Configure SSO
- Initial Identity Provider Setup
- Documoto Setup
- Validate SSO Setup
- SSO Support
- Attachments
What is Single Sign-On?
Single Sign-On ("SSO") is an authentication method that lets users securely authenticate to multiple applications and websites, such as Documoto, with a single set of credentials.
Documoto SSO Requirements
- Documoto exclusively supports SP-initiated SSO and SAML 2.0.
- Your metadata file needs to be publicly accessible via URL.
- SHA-256 is the recommended signature algorithm.
- Documoto does not support SSO logout functionality.
- SSO implementation must use SAML Assertion signing.
- SSO can be combined with URL Parameters for various purposes, such as auto-navigation within the application and configuration settings customization.
- SSO is not supported if Documoto is iframed.
How Documoto Supports SSO
Documoto supports SSO access to Documoto accounts via Security Assertion Markup Language (SAML). SAML is an XML-based standard data format for exchanging authentication and authorization data between web-based applications. It defines three roles:
- Principal: the user trying to authenticate to a web-based application
- Identity Provider (IdP): your server or authorization authority that the user initially authenticates with
When connecting your existing SSO to Documoto, the Identity Provider (IdP) is your server.
- Service Provider (SP): the web-based application that the user tries to access
When connecting your existing SSO to Documoto, the Service Provider is Documoto.
Documoto SSO Communication Workflow
- Your Identity Provider has a public and private key.
- Provide a metadata endpoint URL that advertises your public key.
- Your Identity Provider makes an authentication/authorization decision and either:
- Redirects the user to Documoto with a signed SAML response.
- Informs the user they do not have an active session.
- Documoto uses your IdP’s public key to verify the signature. If the signature is valid, Documoto authenticates the user using the organization/user group(s)/email address provided by the SAML response.
- SSO is initiated by forwarding a user to the Documoto sign-on URL:
- Integration (Test) environment: https://[tenantkey].integration.documoto.com/ui/login?sso=true
- Production environment: https://[tenantkey].app.documoto.com/ui/login?sso=true
- When a request arrives at the sign-on URL, Documoto knows that the user wants to log in via SSO and redirects the user to your Identity Provider with a SAML AuthnRequest.
- If the Identity Provider then passes valid attributes back to Documoto in the signed SAML response, the user is authenticated.
How to Configure SSO
To set up SSO with Documoto, follow these steps:
Identity Provider Setup
Import the relevant Documoto metadata URL to populate all necessary fields in your Identity Provider:
| Documoto Environment | Metadata URL |
| --- | --- |
| Integration ("Test") | https://integration.digabit.com/saml/metadata |
| Production | https://documoto.digabit.com/saml/metadata |
If metadata import is not feasible, manually configure the following settings:
| Documoto Environment | Identifier or Entity ID | Reply URL (Assertion Consumer Service) |
| --- | --- | --- |
| Integration ("Test") | com:documoto:int:sp | https://integration.digabit.com/saml/SSO |
| Production | com:documoto:prod:sp | https://documoto.digabit.com/saml/SSO |
Documoto Setup
The following information must be provided to Documoto for configuration:
- The URL to your Identity Provider's metadata file
- The maximum session timeout for your Identity Provider
- Definition of the following field names, as specified by your Identity Provider:
- IdP attribute used to send Documoto Organization
- IdP attribute used to send Documoto User Group
- IdP attribute used to send Documoto Email Address
Because Documoto maps the IdP email address field to the Documoto username field, Documoto cannot support usernames that are not an email address.
Documoto will map these IdP field names to the corresponding Documoto fields and set the IdP max session timeout accordingly.
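The requirements and workflow above boil down to a handful of things Documoto expects in the SAML Response from your IdP: a signed Assertion (SHA-256 recommended), the Documoto Entity ID as Audience, the Documoto Reply URL as Destination, and attributes for Organization, User Group and Email, where the email becomes the username. The following added example (not Documoto's code) checks a captured Response against the Integration (Test) values from the tables above; the IdP attribute names `documotoOrg`, `documotoGroup` and `mail` are assumed placeholders for whatever your IdP sends.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Documoto Integration (Test) values from the article; the IdP attribute names
# are assumed placeholders for whatever your IdP is configured to send.
SP_ENTITY_ID, ACS_URL = "com:documoto:int:sp", "https://integration.digabit.com/saml/SSO"
ATTR_MAP = {"Organization": "documotoOrg", "User Group": "documotoGroup", "Email": "mail"}

def check_response(xml_text):
    """Return the Documoto requirements this SAML Response violates (structural checks
    only; Documoto itself verifies the signature with the key from your IdP metadata)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["response carries no <saml:Assertion>"]
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Documoto Reply URL (ACS)")
    # Documoto requires the Assertion itself to be signed, with SHA-256 recommended.
    method = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("SAML Assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("assertion signature does not use SHA-256")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        problems.append("Audience does not match the Documoto Entity ID")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", "", NS)
             for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for field, name in ATTR_MAP.items():
        if not attrs.get(name):
            problems.append(f"no IdP attribute '{name}' for the Documoto {field}")
    email = attrs.get(ATTR_MAP["Email"], "")  # becomes the Documoto username
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append(f"'{email}' cannot be a Documoto username (not an email)")
    return problems

# Constructed sample: signed with RSA-SHA1, and the User Group attribute is missing.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{ACS_URL}"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
 <saml:Attribute Name="documotoOrg"><saml:AttributeValue>Acme</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE)` on the constructed sample reports the SHA-1 signature and the missing User Group attribute; once both are fixed the list is empty.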
Validate SSO Setup
After configuring the Identity Provider and Documoto, initiate an SSO session by directing a user to the relevant sign-on URL using a web browser:
| Documoto Environment | Sign-On URL |
| --- | --- |
| Integration ("Test") | https://[tenantkey].integration.documoto.com/ui/login?sso=true |
| Production | https://[tenantkey].app.documoto.com/ui/login?sso=true |
If you do not know your Tenant Key, please reach out to your designated Customer Success Manager or support@documoto.com.
SSO Support
If you are interested in adding SSO to your Documoto subscription or need support configuring SSO in Documoto, please contact your Documoto Customer Success Manager.
Attachments