How to enable Single Sign-On (SSO)
Single Sign-On (SSO) means that users can log in to the SignSpace application using their organisation-provided account, such as a Microsoft login account, without needing a separate login.
Users do not need to remember and store separate passwords for SignSpace, which enhances your organisation's protection against password-based cyberattacks.
Overall security improves further if multi-factor authentication is used with your login accounts.
Your organisation can implement a comprehensive identity services integration, enabling centralised access rights management via Entra ID.
The cost of Single Sign-On depends on the number of users and the extent of the configuration required.
For more information, contact a SignSpace expert and we will help you find a solution that suits you.
At its simplest, the basic SSO setup enables users added in the SignSpace user management system to log in to the SignSpace service using SSO.
If your organisation requires centralised access management via Entra ID, the integration can be expanded to enable complete control over user management from Entra ID.
This basic SSO configuration allows logging into the SignSpace service using Entra ID credentials. The integration does not support adding users via your organisation’s identity service. This means new users must be added manually to SignSpace before they can log in using SSO. This requires defining accounts and information both in Entra ID and in the customer-specific configuration of SignSpace.
SignSpace includes features that enable centralised user management directly from your organisation’s Entra ID. To activate these features, user information must be transmitted from your organisation’s identity service to SignSpace via an SSO token, in a predefined format.
One or more of the following custom features can be enabled:
Adding new users directly from your organisation’s identity service
Assigning SignSpace roles, permissions, organisations, and groups to new users directly from your organisation’s identity service
Managing SignSpace roles, permissions, and organisations from your organisation’s identity service
Additionally, if desired, removal of users from the SignSpace service can be implemented by using either the SignSpace API or the custom notifications available in the Microsoft tools.
Your organisation must use the Entra ID identity service (IdP), which complies with the standard SSO (Single Sign-On) protocol.
Depending on the features of the integration being implemented, the setup may require changes to your organisation’s identity management to ensure that the necessary information can be transmitted from your system to the SignSpace service.
This chapter outlines the steps for enabling SSO in the SignSpace service.
The SignSpace contact person provides the customer with the parameters needed to create the SAML.xml file: Entity ID and Reply URL.
The customer configures Entra ID, see How to set up Entra ID Enterprise App for SignSpace SSO
The customer sends the Federation metadata XML file SAML.xml (or a URL where the latest file can be downloaded) to the SignSpace contact person, who updates the information in the customer account configuration.
The SignSpace contact person finalises the account configuration and enables single sign-on for the desired domain(s).
Once single sign-on is enabled, the customer may activate SSO for specific users in the SignSpace interface. This applies to users with email addresses linked to the domains included in the configuration. Activation is done in the user management section by selecting the SSO enabled checkbox.
SSO is enabled by default for a new user added via Entra ID. The user is not added to the SignSpace account users until the user signs in for the first time with SSO.
Communication to each new user needs to be organised by the customer, since SignSpace is not aware of a new user added to the customer's IdP. Here is an example message that you can modify for your needs:
You have been granted access to SignSpace, which is the electronic signing service used by our company. Log in to the service from this link: https://app.signspace.com/srv/login/sso, using your Microsoft account credentials.
This chapter describes the main functionalities.
A new user is added via Entra ID to the SignSpace organisation users. When the user signs in for the first time with SSO, the user is asked to authenticate via Entra ID, verify the personal data used in the authentication, and accept the Terms of Service and Privacy Policy.
The user is registered as a new user in Entra ID.
The new user logs into the service for the first time via the link: https://app.signspace.com/srv/login/sso
The user has not yet logged into Entra ID and is redirected to sign in.
After logging in, the user accepts the service terms and privacy policy.
The user is redirected to the service. The user is assigned a role and permissions within the organisation based on the information provided via the SSO token.
Users with SSO enabled cannot sign in using a username and password. This workflow demonstrates the process that occurs when a user attempts to sign in with a username and password.
The user attempts to sign in using an email address.
The user is redirected to a page informing them that their organisation has taken single sign-on into use.
The user is redirected to the single sign-on page.
If the user is already signed into Entra ID, they are redirected directly to the SignSpace service.
The user is informed that the email address is not under SSO and is advised to check the email address or log in using their username and password.
Permissions changed on the Entra ID side take effect at the next login of the respective user.
A user removed from Entra ID can no longer log in, but the user is not removed from SignSpace.