SendSafely supports Single Sign On (SSO) using the SAML2 authentication standard. SSO support is included in all SendSafely Team, Business and Enterprise plans. This article will walk you through the basics of how to set up and configure SSO for your organization's SendSafely Portal.
Step 1 - SAML Provider Configuration
The first step for enabling SAML within your SendSafely portal is to set up SendSafely as an application with your SAML Identity Provider (IdP).
Okta, OneLogin and Azure AD
SendSafely is listed in the application catalogs for Okta, OneLogin and Azure AD. To set up SSO with one of these providers, find SendSafely in the provider's application directory; the catalog entry guides you through the setup process. Once completed, proceed to Step 2 below.
Other SAML Providers
The following configuration parameters can be used to configure SendSafely SSO with any product that uses SAML.
The [SENDSAFELY_URL] required below is the URL for your SendSafely Portal, and is typically in the format of companyname.sendsafely.com or companyname.sendsafely.eu. If you do not know your SendSafely portal URL you can contact firstname.lastname@example.org.
- Domain and URLs:
  - Identifier: https://[SENDSAFELY_URL]/auth/saml2/
  - Reply URL: https://[SENDSAFELY_URL]/auth/saml2/
  - Sign-on URL: https://[SENDSAFELY_URL]/auth/saml2/
  - Relay State: https://[SENDSAFELY_URL]/auth/saml2/
- User Attributes:
  - User Identifier: user.email
- Signing Settings:
  - Sign SAML response AND assertion
Note that we require both the SAML response (the outer message) and the assertion it contains to be signed, not just the assertion. Many providers sign only the assertion by default, so the response-signing setting is a frequently overlooked configuration option.
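As an added example (not SendSafely's own code, and independent of any particular IdP), the following Python script inspects a SAML Response and reports whether the outer samlp:Response and each saml:Assertion carry their own ds:Signature element, and whether the Destination matches the configured Reply URL from the table above. The sample responses it builds are constructed for illustration with placeholder signature values; the script checks structure only and does not perform cryptographic verification, which your SAML library is responsible for.

```python
"""Check which parts of a SAML 2.0 Response carry an XML Signature.

Added example, not SendSafely's code. It inspects a samlp:Response and
reports whether the Response element itself and every Assertion carry a
direct ds:Signature child, mirroring the "Sign SAML response AND assertion"
requirement. Sample responses are constructed below; signature values are
placeholders and are not verified cryptographically.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder signature element (no real SignedInfo or digest).
_PLACEHOLDER_SIGNATURE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
    "</ds:Signature>"
)


def build_sample_response(sign_response, sign_assertion,
                          portal="companyname.sendsafely.com"):
    """Constructed sample SAML Response for illustration only.

    The portal hostname and the IdP issuer (idp.example.com) are assumed
    values, not real endpoints.
    """
    destination = f"https://{portal}/auth/saml2/"
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">'
        "<saml:Issuer>https://idp.example.com/</saml:Issuer>"
        + (_PLACEHOLDER_SIGNATURE if sign_response else "")
        + "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com/</saml:Issuer>"
        + (_PLACEHOLDER_SIGNATURE if sign_assertion else "")
        + "<saml:Subject><saml:NameID "
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        "user@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def _has_direct_signature(element):
    # A signature protects the element it is a direct child of; a signature
    # nested deeper in the tree belongs to that deeper element instead.
    return element.find("ds:Signature", NS) is not None


def signature_coverage(saml_response_xml):
    """Return which levels of the response carry a signature element."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document root is not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": _has_direct_signature(root),
        "assertion_count": len(assertions),
        "all_assertions_signed": bool(assertions)
        and all(_has_direct_signature(a) for a in assertions),
        "destination": root.get("Destination"),
    }


def meets_signing_requirement(saml_response_xml):
    """True only when both the Response and every Assertion are signed."""
    cov = signature_coverage(saml_response_xml)
    return cov["response_signed"] and cov["all_assertions_signed"]


def destination_matches(saml_response_xml, expected_reply_url):
    """True when the Destination attribute equals the configured Reply URL."""
    return signature_coverage(saml_response_xml)["destination"] == expected_reply_url


if __name__ == "__main__":
    reply_url = "https://companyname.sendsafely.com/auth/saml2/"
    for label, flags in (("response+assertion signed", (True, True)),
                         ("assertion only", (False, True)),
                         ("nothing signed", (False, False))):
        xml = build_sample_response(*flags)
        print(label, signature_coverage(xml),
              "OK" if meets_signing_requirement(xml) else "REJECT",
              "destination ok" if destination_matches(xml, reply_url) else "destination mismatch")
```

Run against a real response captured from your IdP's test login (for example via a browser's SAML tracer extension) to confirm the provider setting took effect before moving on to Step 2; an "assertion only" result means the response-signing option still needs to be enabled on the IdP side.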
Step 2 - SendSafely Configuration
After everything is set up with your SAML provider, you'll need to enable SSO within SendSafely. You must have administrative privileges in your SendSafely portal in order to complete this step.
- Sign into your SendSafely web portal and navigate to the Enterprise Console (Account Menu -> Enterprise Console)
- Scroll down to the Authentication Providers section and Enable SAML Single Sign-on
- Enter the public key certificate
- Enter the Sign-in and Sign-Out URLs that will be used to redirect users
Once saved, you will see a "Login using Single Sign-on" button on the portal login page.
Test the SSO login flow and confirm that you are able to authenticate successfully both from the SendSafely login page, and from the Identity Provider.
Enforcing Sign-on using SAML SSO
Once SSO is verified to be working, you may enforce SAML SSO login by submitting a request to email@example.com to disable all other login mechanisms.
For security and identity verification purposes, the request must be made by your organization’s SendSafely administrator and submitted as a SendSafely secure package from the administrator’s SendSafely account. Administrators should log in to their SendSafely account, click the "Send" link, type a secure message with the request for disabling other login providers, and add firstname.lastname@example.org as a recipient.
When electing to enforce SSO, you may also want to consider enabling the following advanced recipient authentication options:
- Email Verification with SMS 2FA
- Mandatory Google Login for Unregistered Employees
More information on the above two options can be found in the Advanced Authentication Options section of this article: https://sendsafely.zendesk.com/hc/en-us/articles/204583645
For questions, please contact email@example.com