With the Pro Plus and Enterprise plans, you can configure SAML 2.0 with OptiSigns via Azure AD. Azure AD acts as the IdP (Identity Provider), and OptiSigns acts as the SP (Service Provider).
Here is a quick video showing you how to set up SAML 2.0 with Azure AD:
Set up OptiSigns & Azure AD:
First, you need to do some setup in OptiSigns:
If you don't have a subdomain yet, you can set up one by going to:
https://app.optisigns.com/app/s/branding-settings
Fill in the subdomain field and click Activate. After that, you can use this subdomain for "
You can also map your domain like digitalsigns.yourcompany.com by following this article.
This will be the URL that you share with your users so they can log in to the app once the integration has been set up. In our example, we will use https://optisignsdemo-ad.optisigns.net/
Next, go to the SAML Single Sign On setting page:
https://app.optisigns.com/app/s/saml-settings
Click Enable SAML SSO.
The settings are:
- Enable Username & Password login: Allows users to also log in with a username and password. It's recommended to disable this once the integration is complete. As Admin/Owner, keep at least one account with password login so that, if there are issues, you can always log back in from app.optisigns.com to reconfigure.
- Enable User Creation: If a user authenticates successfully but does not yet exist in OptiSigns, the account is created in OptiSigns automatically. You should enable this, since you likely already assign/approve the users and groups that may use OptiSigns, unless you want to be strict and review each user's role before they can start using OptiSigns.
- Enable User Override: Every time a user logs in, if their group assignment has changed in SAML, OptiSigns updates the user's profile settings to match.
- Note the "Single Sign On URL" and "Audience URI (SP Entity ID) URL"; you will need these in Azure AD later.
Next, add OptiSigns as an App in your Azure AD portal:
Log in to your Azure AD portal as an admin -> Enterprise applications
Click Add new application
Select Create your own application. In the popup window, enter OptiSigns as the name of the app and choose Integrate any other application you don't find in the gallery (Non-gallery). Then click Create.
Click single sign-on, to start setting up the SAML-based SSO.
Click Edit in Basic SAML Configuration. This is where you provide the Single Sign On URL and SP Entity ID from your OptiSigns SAML SSO settings.
SP Entity ID from OptiSigns SAML SSO setting should be put under Identifier.
Single Sign On URL from OptiSigns SAML SSO setting should be put under Reply URL.
Then go to the sections SAML Signing Certificate and Set up OptiSigns. Get the 3 highlighted pieces of information (Certificate (Base64), Login URL, and Azure AD Identifier). These need to be entered in the OptiSigns SAML SSO settings.
Go back to your OptiSigns account, fill in the 3 fields mentioned above, and save.
- Put the Login URL from Azure under SAML 2.0 Endpoint.
- Put Azure AD Identifier under Identity Provider Issuer.
- Put the content from the downloaded base64 encoded public key under Public Certificate.
Then go back to the Azure AD portal and click Test in the section Test single sign-on with OptiSigns. It will confirm that Azure AD can successfully issue SAML tokens to OptiSigns.
Now your login portal & integration are all set up.
Assign & map users, and groups from Azure AD to OptiSigns
It's not required, but it is recommended to create groups of users to assign and map to OptiSigns Roles and Teams, so they automatically receive the right role and team.
IMPORTANT NOTE: If you don't configure this, all users will be assigned the User Role and Default Team (see screenshot below).
Configure how OptiSigns maps your user groups to OptiSigns Roles by going to: https://app.optisigns.com/app/s/saml-settings
Scroll to Advanced Settings and create a mapping.
Each mapping pairs a Group Name (the group's ID in Azure AD) with a Role (the role in OptiSigns).
To find the group ID from Azure, go to Azure AD portal and select Groups.
The Object ID of each group you created is shown there.
It's best practice to create groups specifically for OptiSigns, with names prefixed with optisigns-, and map them to OptiSigns roles like below:
- optisigns-admins (SAML group) -> OptiSigns role: Admin
- optisigns-users (SAML group) -> OptiSigns role: Users
- optisigns-custom-role (SAML group) -> OptiSigns custom role that you create
How to handle Unmapped users/groups:
You can map "Unmapped users/group" to No Team (Disabled).
This way they will receive an error when trying to log in and will have to reach out to an Admin to get the correct teams and roles assigned. This can be used as a safeguard in case some users are accidentally assigned the OptiSigns app but not the right groups.
Note that if you map a SAML group to a Team and then delete the team, new users will be mapped to No Team and will have to contact you to be assigned to a team before they can use the app.
Next, go to your Azure AD portal. Click Enterprise Applications -> OptiSigns -> Single Sign On. Section 2 is where you maintain the attribute mapping.
Update the claim names or create a new claim or group claim. Currently, OptiSigns supports attribute mapping for first name, last name, and group. You can change the claim names in Azure AD so they match the default attribute names used by OptiSigns.
Note: if you have not added the group yet, you can click "Add a group claim"
When you create the group claim, enter "groups" under Customize the name of the group claim and leave Namespace (optional) blank.
These mappings will pass information to OptiSigns on the user's Name and Group.
The "Claim Name" and "Group Claim Name" correspond to the settings in OptiSigns at https://app.optisigns.com/app/s/saml-settings
OptiSigns accepts firstName, lastName, and group by default. Instead of setting the claim names in Azure AD to the default attribute names used by OptiSigns, you can also change the attribute names in OptiSigns to match the claim names in Azure AD.
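The following script is an added example, not OptiSigns code, showing what the SP side of this setup actually does with an incoming assertion: it checks that the Issuer matches the Identity Provider Issuer and the Audience matches the SP Entity ID you exchanged above, reads the firstName/lastName/groups attributes by the claim names you configured, and applies the group-to-role mapping with the "No Team (Disabled)" fallback for unmapped users. The tenant, group IDs, entity ID and user names are constructed placeholders; the test response it builds is unsigned, so signature verification against the pasted Public Certificate (which a real SP must do before trusting any field) is deliberately left out. The rule that the first mapped group in the assertion wins is an assumption made for this example.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SAML 2.0 namespaces used in a Response/Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values exchanged between the two portals during setup (constructed placeholders).
SP_CONFIG = {
    # OptiSigns "Identity Provider Issuer" = Azure "Azure AD Identifier"
    "idp_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    # OptiSigns "Audience URI (SP Entity ID)" = Azure "Identifier"
    "sp_entity_id": "https://app.optisigns.com/saml/metadata/EXAMPLE-TENANT",
    # Attribute names OptiSigns reads; the Azure claim names must match these exactly.
    "attr_first_name": "firstName",
    "attr_last_name": "lastName",
    "attr_group": "groups",
}

# Advanced Settings mapping: Azure group Object ID -> OptiSigns role (constructed IDs).
GROUP_ROLE_MAP = {
    "11111111-1111-1111-1111-111111111111": "Admin",  # optisigns-admins
    "22222222-2222-2222-2222-222222222222": "Users",  # optisigns-users
}
# "Unmapped users/group" -> No Team (Disabled): login refused until an admin maps them.
UNMAPPED_ROLE = None


def parse_assertion(saml_response_b64):
    """Decode a base64 SAMLResponse and pull out issuer, audience, NameID and attributes.
    NOTE: no XML signature check here; a real SP verifies the signature first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "attributes": attrs,
    }


def resolve_login(saml_response_b64, config=SP_CONFIG, group_map=GROUP_ROLE_MAP):
    """Apply the SP-side checks and the group-to-role mapping; return the resulting profile."""
    a = parse_assertion(saml_response_b64)
    # Issuer and Audience must equal the configured values; anything else is rejected.
    if a["issuer"] != config["idp_issuer"]:
        raise PermissionError("issuer mismatch: %r" % a["issuer"])
    if a["audience"] != config["sp_entity_id"]:
        raise PermissionError("audience mismatch: %r" % a["audience"])
    attrs = a["attributes"]
    # Claims sent under a different name (e.g. Azure's default URI names) come back empty.
    first = (attrs.get(config["attr_first_name"]) or [""])[0]
    last = (attrs.get(config["attr_last_name"]) or [""])[0]
    groups = attrs.get(config["attr_group"]) or []
    # Assumption for this example: the first mapped group listed in the assertion wins.
    role = next((group_map[g] for g in groups if g in group_map), UNMAPPED_ROLE)
    return {"user": a["name_id"], "first_name": first, "last_name": last,
            "role": role, "enabled": role is not None}


def build_test_response(issuer, audience, name_id, attributes):
    """Build an unsigned SAMLResponse for offline testing (constructed, not a real Azure token)."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>' % (
            escape(name), "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % escape(v)
                                  for v in values))
        for name, values in attributes.items())
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><saml:Assertion>'
        '<saml:Issuer>%s</saml:Issuer><saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], escape(issuer), escape(name_id), escape(audience), attr_xml)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    resp = build_test_response(SP_CONFIG["idp_issuer"], SP_CONFIG["sp_entity_id"],
                               "alice@example.com",
                               {"firstName": ["Alice"], "lastName": ["Admin"],
                                "groups": ["11111111-1111-1111-1111-111111111111"]})
    print(resolve_login(resp))
```

Running it with a user whose only group is an ID absent from the mapping yields `role: None, enabled: False`, which is the "No Team (Disabled)" outcome described above; sending the first name under Azure's default claim name instead of `firstName` yields an empty first name, which is the claim-name mismatch the previous paragraphs tell you to fix on one side or the other.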
Note: If you want the OptiSigns button on your office.com to sign users in via SAML SSO, add https://<branding_domain>.optisigns.net/signin/saml to the Azure SAML Single Sign On setting.
That's it!
You have configured SAML 2.0 for OptiSigns with Azure AD.
Now your users can log in using the subdomain that you configured (in this case it was https://optisignsdemo-ad.optisigns.net/signIn).
You can share the URL with your users and they can log in with their SSO credentials.
If you have any additional questions or any feedback about OptiSigns, feel free to reach out to our support team at support@optisigns.com