SendSafely supports Single Sign On (SSO) using the SAML2 authentication standard. SSO support is included in all SendSafely Team, Business and Enterprise plans. This article will walk you through the basics of how to set up and configure SSO for your organization's SendSafely Portal. SendSafely is listed in the application catalogs for Okta, OneLogin and Entra (formerly Azure AD), and also supports Google SAML SSO.
Step 1 - SAML Provider Configuration
The first step for enabling SAML within your SendSafely portal is to set up SendSafely as an app with your SAML Identity Provider (IdP).
Okta, OneLogin and Azure AD
To set up SSO using these providers, find SendSafely within the provider's application directory and follow the guided setup process. Once completed, proceed to Step 2 below.
Other SAML Providers
The following configuration parameters can be used to configure SendSafely SSO with any product that uses SAML.
The [SENDSAFELY_URL] required below is the URL for your SendSafely Portal, and is typically in the format of companyname.sendsafely.com or companyname.sendsafely.eu. If you do not know your SendSafely portal URL you can contact support@sendsafely.com.
- Domain and URLs:
  - Identifier: https://[SENDSAFELY_URL]/auth/saml2/
  - Reply URL: https://[SENDSAFELY_URL]/auth/saml2/
  - Sign-on URL: https://[SENDSAFELY_URL]/auth/saml2/
  - Relay State: https://[SENDSAFELY_URL]/auth/saml2/
- User Attributes
  - User Identifier: user.email
- Signing Settings
  - Sign SAML response AND assertion
Note that we require the entire SAML response AND message to be signed, not just the assertions. This is a frequently overlooked configuration option.
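A structural pre-flight for the settings above, as an added example that is not SendSafely's code: it takes the base64 `SAMLResponse` value captured from your own test login and reports a missing response or assertion signature, a wrong Reply URL or Identifier, or a non-email User Identifier. It assumes the IdP carries the Reply URL in `Destination`, the Identifier in `Audience` and the User Identifier in `NameID`; the function names and the sample response are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(b64_response, portal_host):
    """List setup problems in a base64 SAMLResponse captured from your own test login.

    Structural check only: it does NOT verify the signatures cryptographically.
    """
    expected = f"https://{portal_host}/auth/saml2/"
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # A signature covers its parent element, so look at direct children only.
    if root.find("ds:Signature", NS) is None:
        problems.append("response message is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    if root.get("Destination") != expected:
        problems.append("Destination does not match the Reply URL")
    audiences = [(a.text or "").strip() for a in assertion.iter(f"{{{NS['saml']}}}Audience")]
    if expected not in audiences:
        problems.append("Audience does not match the Identifier")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.strip()):
        problems.append("NameID is not an email address")
    return problems

def sample_response(sign_response=True, sign_assertion=True,
                    host="companyname.sendsafely.com"):
    """Constructed, trimmed sample; the Signature elements are empty placeholders."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    url = f"https://{host}/auth/saml2/"
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' Destination="{url}">{sig if sign_response else ""}'
           f'<saml:Assertion>{sig if sign_assertion else ""}'
           '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{url}'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response has the expected shape; an IdP that signs only the assertion produces the "response message is not signed" finding.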
Step 2 - SendSafely Configuration
After everything is set up with your SAML provider, you'll need to enable SSO within SendSafely. You must have administrative privileges in your SendSafely portal in order to complete this step.
- Sign into your SendSafely web portal and navigate to the Enterprise Console (Account Menu -> Enterprise Console)
- Scroll down to the Authentication Providers section and Enable SAML Single Sign-on
- Enter the public key certificate
- Enter the Sign-in and Sign-Out URLs that will be used to redirect users
Once saved, you will see a "Login using Single Sign-on" button on the portal login page.
Test the SSO login flow and confirm that you are able to authenticate successfully both from the SendSafely login page, and from the Identity Provider.
Enforcing Sign-on using SAML SSO
Once SSO is verified to be working, you may enforce SAML SSO login by submitting a request to support@sendsafely.com to disable all other login mechanisms.
For security and identity verification purposes, the request must be made by your organization’s SendSafely administrator and submitted as a SendSafely secure package from the administrator’s SendSafely account. Administrators should log in to their SendSafely account, click the "Send" link, type a secure message with the request for disabling other login providers, and add support@sendsafely.com as a recipient.
When electing to enforce SSO, you may also want to consider enforcing Two-Factor Authentication to protect any accounts exempt from SSO.
For information on external recipient authentication options, read here.
For questions, please contact support@sendsafely.com.