This article describes the steps to set up your own identity provider (IdP) for authenticating your SendSafely guest users via single sign-on. Once configured, SSO login is available for all external guests, including package recipients, Workspace collaborators and Dropzone uploaders. Guest SSO login is optional: external guests can still choose to authenticate via email/SMS PIN code or Login with Google. You can configure any SAML2-based IdP, including Okta, Auth0 and ADFS, and the IdP can be completely separate from the one used for authenticating your registered SendSafely users.
Guest SSO login is available to all SendSafely Business and Enterprise customers and is currently an early access feature. To participate in early access, please contact success@sendsafely.com.
Step 1 - SAML Provider Configuration
The first step in configuring Guest SSO login is to set up SendSafely as an app with your SAML Identity Provider (IdP).
Okta, OneLogin and Azure AD
To set up SendSafely using these providers, simply find SendSafely within the application directory, where you will be guided through the setup process. Once completed, proceed to step #2 below.
Other SAML Providers
The following configuration parameters can be used to configure SendSafely in any product that uses SAML.
The [SENDSAFELY_URL] required below is the URL for your SendSafely Portal, and is typically in the format of companyname.sendsafely.com or companyname.sendsafely.eu. If you do not know your SendSafely portal URL you can contact support@sendsafely.com.
- Domain and URLs
  - Identifier: https://[SENDSAFELY_URL]/auth/saml2/
  - Reply URL: https://[SENDSAFELY_URL]/auth/saml2/
  - Sign-on URL: https://[SENDSAFELY_URL]/auth/saml2/
  - Relay State: https://[SENDSAFELY_URL]/auth/saml2/
- User Attributes
  - User Identifier: user.email
- Signing Settings
  - Sign SAML response AND assertion
Note that we require the entire SAML response message to be signed as well as the assertion, not just the assertion. This is a frequently overlooked configuration option.
Step 2 - SendSafely Configuration
After everything is set up with your SAML provider, the SendSafely support team will enable Guest SSO login within your SendSafely portal. For authorization purposes, an admin in your SendSafely portal must send a SendSafely package to support@sendsafely.com to request Guest SSO Login configuration. The package should contain the following information.
- guest SAML Sign-in URL
  - URL that will be used to redirect users on sign in
- guest SAML Sign-out URL
  - URL that will be used to redirect users on sign out
- guest SAML Verification Certificate
  - The public key certificate
- guest SAML Custom Name
  - The text displayed on the login button, e.g., “Login with [Company] SSO”
- guest SAML Contact
  - A contact email at your organization that is displayed in SSO-related error messages.
- guest SAML Custom Logo
  - A URL link to your SSO logo in the format https://somelogo.com/logo/image
  - This logo is displayed on the login button.
Step 3 - Validate Setup
Once Guest SSO Login has been configured, guests will see a "Login using SSO" button on the "How should we verify you?" step of the authentication process. Confirm that guests can authenticate to SendSafely using SSO.