With Pro Plus and Enterprise plan, you can configure SAML 2.0 with OptiSigns via OneLogin using Shibboleth. Shibboleth is based on SAML, setup the authentication using Shibboleth connector on OneLogin will be similar to the normal SAML connector.
OneLogin will be acting as the IDP (Identify Provider), and OptiSigns will be working as the SP(Service Provider).
Set up OptiSigns & OneLogin:
First you need to do some set up in OptiSigns:
If you don't have a sub domain yet, you can set up one by going to:
Fill in subdomain field and click Activate. After that you can use this sub domain for "
You can also map your own domain like digitalsigns.yourcompany.com by following this article.
This will be the URL that you can share with your users so they can log in to use the app, once integration has set up. In our example we will use https://advanced.optisigns.net/
Next go to SAML Single Sign On setting page:
Click Enable SAML SSO.
The settings are:
- Enable Username & Password login: Allow users to also log in with username/password. It’s recommended to disable once integration is all done. As Admin/Owner, it's recommended that you keep at least 1 account with password log in, in case there's issues, you can always log back in from app.optisigns.com to reconfigure.
- Enable User Creation: If users are authenticated, but do not exist in OptiSigns, they will be created in OptiSigns. You should enable this, because you likely already assign/approve users/groups to use OptiSigns, unless for some reason you want to be very strict and want to review roles of users before they can start using OptiSigns.
- Enable User Override: Every time a user logs in, if their group assignment have changed on SAML, OptiSigns will update, override new profile settings.
- Note the "Single Sign On URL" and "Audience URI (SP Entity ID) URL", you will need this to use in OneLogin later.
Next, add OptiSigns as an App in your OneLogin admin portal:
Log in to your OneLogin portal as admin -> Applications
Click Add app
In the next page, search for "SAML" in the search box, and then select the "SAML Custom Connector (SP Shibboleth)".
Enter "OptiSigns" in the display name, then click Save. You can also upload the OptiSigns logo here as well.
After save, go to the configuration page.This is where you should provide the Single Sign On URL, and SP Entity ID you get from your OptiSigns SAML SSO setting.
SP Entity ID from OptiSigns SAML SSO setting should be put under Login URL.
Single Sign On URL from OptiSigns SAML SSO setting should be put under ACS URL and ACS URL validator. Please remember to escape the special character in the ACS URL validator.
Then go to SSO page. Get these 3 highlighted information, these need to be maintained in the OptiSigns SAML SSO settings. After click View Details of the certificate, you can find the encoded content of the certificate, this will be needed in the next step.
Go back to your OptiSigns account and maintain above mentioned 3 fields, and save it.
Put the SAML 2.0 endpoint from OneLogin under SAML 2.0 Endpoint.
Put Issuer URL from OneLogin under Identity Provider Issuer.
Put the content from base64 encoded x509 certificate under Public Certificate.
Now your log in portal & integration is all set up.
Assign & map users, groups from OneLogin to OptiSigns
It's not required, but recommended to create groups of users to be assigned, map to OptiSigns Roles, Teams so they will automatically have the right role & group.
IMPORANT NOTE: If you don't configure this, all users will be assigned User Role & Default Team (screenshot see below)
To configure how OptiSigns should map the user groups to OptiSigns Roles by going to: https://app.optisigns.com/app/s/saml-settings
Scroll to Advanced Settings and create mapping.
Group Name (roles assigned to user from OneLogin), Role (role in OptiSigns) mapping.
It's best practice to create group specifically for OptiSigns with name prefix with optisigns- and map to OptiSigns like below:
- optisigns-admins (SAML group) -> OptiSigns role: Admin
- optisigns-users (SAML group) -> OptiSigns role: Users
- optisigns-custom-role (SAML group) -> OptiSigns custom role that you create
How to handle Unmapped users/group:
You can map the "Unmapped users/group" to No Team (Disabled)
This way they will receive an error when trying to log in and will have to reach out to Admins to get correct teams, roles assigned. This is can be use as safe guard, in case some user accidently got assigned OptiSigns app but not the right groups.
Note that if you map a SAML group to a Team and then delete the team, it will result in new user being mapped to No Team and will have to contact you to be assigned to a team to use the app.
Next, go to your OneLogin portal. Go to parameters page of the OptiSigns application. This is where you maintain the mapping of the attributes.
Create new custom parameters here by clicking the + icon. Currently, OptiSigns support attributes mapping of first name, last name and group. You can set the customer parameter name to the same default attributes name used on OptiSigns, and then assign it to the corresponding values from OneLogin.
Shibboleth has many predefined standard attributes. In this case, the givenName can be mapped to firstName on OptiSigns, and surname can be mapped to lastName on OptiSigns.
These mappings will pass information to OptiSigns on what's user's Name and Groups.
The parameter names are corresponding to OptiSigns
OptiSigns accept firstName, lastName, group by default. Instead of setting the parameter names to the default attributes name used on OptiSigns, you can also change the attribute name on OptiSigns to match the parameter names you defined on OneLogin as well.
Shibboleth uses standard name space and id for the predefined standard attributes. In the case of names, the id should be used in the attributes mapping on OptiSigns.
firstName (givenName) : urn:oid:220.127.116.11
You have configured SAML 2.0 for OptiSigns with OneLogin using Shibboleth connector.
Now your users can log in using the sub domain that you configured (in this case it was https://advanced.optisigns.net/signIn).
You can share the URL with your users and they can log in with their SSO credential.