1. OptiSigns
  2. How-To
  3. Advanced Topics

How to set up SAML 2.0 with OptiSigns and Azure AD

Avatar
Paul Lai

With Pro Plus and Enterprise plan, you can configure SAML 2.0 with OptiSigns via Azure AD. The Azure AD will be acting as the IDP (Identify Provider), and OptiSigns will be working as the SP(Service Provider).
Here is a quick video showing you how to set up SAML 2.0 with Azure AD: 

 

Set up OptiSigns & Azure AD:

First you need to do some set up in OptiSigns:

If you don't have a sub domain yet, you can set up one by going to:
https://app.optisigns.com/app/s/branding-settings

Fill in subdomain field and click Activate. After that you can use this sub domain for "
You can also map your own domain like digitalsigns.yourcompany.com by following this article.

This will be the URL that you can share with your users so they can log in to use the app, once integration has set up. In our example we will use https://optisignsdemo-ad.optisigns.net/

Next go to SAML Single Sign On setting page:

https://app.optisigns.com/app/s/saml-settings

Click Enable SAML SSO.

The settings are:

  • Enable Username & Password login: Allow users to also log in with username/password. It’s recommended to disable once integration is all done. As Admin/Owner, it's recommended that you keep at least 1 account with password log in, in case there's issues, you can always log back in from app.optisigns.com to reconfigure.
  • Enable User Creation: If users are authenticated, but do not exist in OptiSigns, they will be created in OptiSigns. You should enable this, because you likely already assign/approve users/groups to use OptiSigns, unless for some reason you want to be very strict and want to review roles of users before they can start using OptiSigns.
  • Enable User Override: Every time a user logs in, if their group assignment have changed on SAML, OptiSigns will update, override new profile settings.
  • Note the "Single Sign On URL" and "Audience URI (SP Entity ID) URL", you will need this to use in Azure AD later.

 

Next, add OptiSigns as an App in your Azure AD portal:

Log in to your Azure AD portal as admin -> Enterprise applications

Click Add new application

mceclip0.png

Select Create your own application, in the popup window, enter OptiSigns as the name of the app, and choose integrate any other application you don't find in the gallery(Non-gallery). Then click create.

mceclip2.png

 

Click single sign on, to start setting up the SAML based SSO. 

mceclip3.png

Click Edit of Basic SAML Configuration, this is where you should provide the Single Sign On URL, and SP Entity ID you get from your OptiSigns SAML SSO setting.

SP Entity ID from OptiSigns SAML SSO setting should be put under Identifier.

Single Sign On URL from OptiSigns SAML SSO setting should be put under Reply URL.

Then go to section SAML Signing Certificate and Set up OptiSigns. Get these 3 highlighted information(Certificate(Base64), Login URL, and Azure AD Identifier. These need to be maintained in the OptiSigns SAML SSO settings.

 

Go back to your OptiSigns account and maintain above mentioned 3 fields, and save it.

  • Put the Login URL from Azure under SAML 2.0 Endpoint.
  • Put Azure AD Identifier under Identity Provider Issuer.
  • Put the content from downloaded base64 encoded public key under Public Certificate.

 

Then go back to the Azure AD portal, and click test in section Test single sign-on with OptiSigns. It will show Azure AD is able to successfully issue SAML token to OptiSigns.

mceclip7.png

Now your log in portal & integration is all set up.

 

Assign & map users, groups from Azure AD to OptiSigns

It's not required, but recommended to create groups of users to be assigned, map to OptiSigns Roles, Teams so they will automatically have the right role & group.

IMPORANT NOTE: If you don't configure this, all users will be assigned User Role & Default Team (screenshot see below)

 

To configure how OptiSigns should map the user groups to OptiSigns Roles by going to: https://app.optisigns.com/app/s/saml-settings

Scroll to Advanced Settings and create mapping.
Group Name (group id in Azure AD), Role (role in OptiSigns) mapping. 
mceclip0.png

To find the group ID from Azure, go to Azure AD portal and select Groups.

mceclip1.png

Object ID can be found here for each of the groups you created.

mceclip2.png

It's best practice to create group specifically for OptiSigns with name prefix with optisigns- and map to OptiSigns like below:

  • optisigns-admins (SAML group) -> OptiSigns role: Admin
  • optisigns-users (SAML group) -> OptiSigns role: Users
  • optisigns-custom-role (SAML group) -> OptiSigns custom role that you create

How to handle Unmapped users/group:

You can map the "Unmapped users/group" to No Team (Disabled)

This way they will receive an error when trying to log in and will have to reach out to Admins to get  correct teams, roles assigned. This is can be use as safe guard, in case some user accidently got assigned OptiSigns app but not the right groups.

mceclip3.png

Note that if you map a SAML group to a Team and then delete the team, it will result in new user being mapped to No Team and will have to contact you to be assigned to a team to use the app.

 

Next, go to your Azure AD portal. Click Enterprise applications -> OptiSigns -> Single Sign On. Under section 2, this is where you maintain the mapping of the attributes.

mceclip5.png

Update the claim name or create new claim or group claim. Currently, OptiSigns support attributes mapping of first name, last name and group. You can change the claim name on Azure AD to get the claim name map to the same default attributes name used on OptiSigns.

Note: if you have not added the group yet, you can click "Add a group claim"

When you create a Group, you can input the "groups" in the Customize the name of the group claim and leave it blank in the Namespace (optional).

These mappings will pass information to OptiSigns on what's user's Name and Group.

The "Claim Name" and "Group Claim Name" are corresponding to OptiSigns https://app.optisigns.com/app/s/saml-settings

OptiSigns accept firstName, lastName, group by default. Instead of setting the claim names to the default attributes name used on OptiSigns,  you can also change the attribute name on OptiSigns to match the claim name on Azure AD as well.


Note: If you want to SAML SSO OptiSigns button from your office.com, you add https://<branding_domain>.optisigns.net/signin/saml to the Azure SAML Signal Sign On setting.

 

That's it!

You have configured SAML 2.0 for OptiSigns with Azure AD.

Now your users can log in using the sub domain that you configured (in this case it was https://optisignsdemo-ad.optisigns.net/signIn).

You can share the URL with your users and they can log in with their SSO credential.

 

If you have any additional questions or any feedback about OptiSigns, feel free to reach out to our support team at support@optisigns.com or just submit a ticket here.

 

 

Articles in this section

See more
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.