Setup Single Sign-On (SSO) with SAML

SendSafely supports Single Sign-On (SSO) using the SAML2 authentication standard. SSO support is included in all Enterprise plans. This article walks you through the basics of setting up and configuring SSO for your SendSafely Enterprise Portal.

Once the setup is complete, you will need to provide the following items to support@sendsafely.com so that we can activate and test the SSO profile:

  • The public key certificate so we can validate the SAML signatures
  • The Sign-in and Sign-Out URLs that we should redirect users to

NOTE: For security and identity verification purposes, the request for SSO must be made by your organization’s SendSafely administrator and submitted as a SendSafely secure package from the administrator’s SendSafely account. (Administrators should log in to their SendSafely account, click the "Send" link and upload the metadata into a new package with support@sendsafely.com listed as a recipient.)

Okta and OneLogin

SendSafely is listed in the application catalogs for both Okta and OneLogin. To set up SSO using these two providers, simply find SendSafely within the application directory and then you will be guided through the setup process. Once completed, send the public key certificate and sign-in/sign-out URLs to support@sendsafely.com following the identity verification procedure outlined above.

Other SAML Providers

The following configuration parameters can be used to configure SendSafely SSO with any product that uses SAML.

The [SENDSAFELY_URL] required below is the URL for your SendSafely Portal, and is typically in the format of companyname.sendsafely.com or companyname.sendsafely.eu. If you do not know your SendSafely portal URL, you can contact support@sendsafely.com.

  • Domain and URLs:
    • Identifier: https://[SENDSAFELY_URL]/auth/saml2/
    • Reply URL: https://[SENDSAFELY_URL]/auth/saml2/
    • Sign-on URL: https://[SENDSAFELY_URL]/auth/saml2/
    • Relay State: https://[SENDSAFELY_URL]/auth/saml2/
  • User Attributes
    • User Identifier: user.email
  • Signing Settings
    • Sign SAML response AND assertion

Note that we require the SAML response message itself to be signed in addition to the assertion, not just the assertion. This is a frequently overlooked configuration option.
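The settings above can be checked against a test response from your identity provider before you contact support. The following is an added example, not SendSafely code: it inspects a decoded SAML response for a signature on both the response and the assertion and compares the values to the parameters listed above. It assumes the standard SAML 2.0 mapping (Identifier appears as Audience, Reply URL as Destination) and an unencrypted assertion; the sample response is constructed, its signature elements are empty placeholders, and no signature is cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def build_sample(sign_response=True, sign_assertion=True, host="companyname.sendsafely.com"):
    """Constructed sample response; ds:Signature elements are empty placeholders."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    url = f"https://{host}/auth/saml2/"
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{url}">'
        f'{sig if sign_response else ""}'
        f'<saml:Assertion>{sig if sign_assertion else ""}'
        '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{url}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )

def check_response(xml_text, portal_host):
    """Return a list of configuration problems found in a decoded SAML response."""
    expected = f"https://{portal_host}/auth/saml2/"
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    # Direct child only: a signature nested in the assertion does not cover the response.
    if root.find("ds:Signature", NS) is None:
        problems.append("response message is not signed")
    if root.get("Destination") != expected:
        problems.append("Destination does not match the Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted saml:Assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected:
        problems.append("Audience does not match the Identifier")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    return problems

if __name__ == "__main__":
    for kwargs in ({}, {"sign_response": False}, {"sign_assertion": False}):
        print(kwargs, check_response(build_sample(**kwargs), "companyname.sendsafely.com"))
```

To check a real test login, base64-decode the SAMLResponse form field captured from your browser and pass the resulting XML to check_response with your own portal hostname.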

After everything is set up on your end, you'll need to send the following to support@sendsafely.com following the identity verification procedures listed above:

  • The public key certificate so we can validate the SAML signatures
  • The Sign-in and Sign-Out URLs that we should redirect users to

Keep in mind that the endpoints listed above won't be activated until you send us the public key certificate and we verify everything works.

 
