esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

Similar documents
esignlive for Microsoft Dynamics CRM

esignlive for Microsoft Dynamics CRM

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

esignlive Classic Application User's Guide Product Release: 6.5 Table Cell Outside Table:

Configuration Guide - Single-Sign On for OneDesk

Configuring Alfresco Cloud with ADFS 3.0

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

Qualys SAML & Microsoft Active Directory Federation Services Integration

Integrating YuJa Active Learning into ADFS via SAML

SSO Authentication with ADFS SAML 2.0. Ephesoft Transact Documentation

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Five9 Plus Adapter for Agent Desktop Toolkit

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Webthority can provide single sign-on to web applications using one of the following authentication methods:

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

This section includes troubleshooting topics about single sign-on (SSO) issues.

Cloud Secure Integration with ADFS. Deployment Guide

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Integrating YuJa Active Learning with ADFS (SAML)

Integrating YuJa Active Learning into Google Apps via SAML

Okta SAML Authentication with WatchGuard Access Portal. Integration Guide

Microsoft ADFS Configuration

Centrify for Dropbox Deployment Guide

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Quick Start Guide for SAML SSO Access

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Cloud Access Manager Configuration Guide

VMware Identity Manager Administration

NETOP PORTAL ADFS & AZURE AD INTEGRATION

All about SAML End-to-end Tableau and OKTA integration

Single Sign-On Administrator Guide

Configure Unsanctioned Device Access Control

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Single Sign-On Administrator Guide

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

SAML-Based SSO Solution

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

D9.2.2 AD FS via SAML2

ComponentSpace SAML v2.0 Okta Integration Guide

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

Google SAML Integration

ADFS Setup (SAML Authentication)

SAML-Based SSO Configuration

Oracle Utilities Opower Solution Extension Partner SSO

MyWorkDrive SAML v2.0 Okta Integration Guide

October 14, SAML 2 Quick Start Guide

Authentication. August 17, 2018 Version 9.4. For the most recent version of this document, visit our documentation website.

Quick Connection Guide

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

Okta Integration Guide for Web Access Management with F5 BIG-IP

Authentication Guide

Oracle Access Manager Configuration Guide

Add OKTA as an Identity Provider in EAA

Introduction to application management

Table of Contents. Single Sign On 1

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

Quick Start Guide for SAML SSO Access

October J. Polycom Cloud Services Portal

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

OneLogin SAML Authentication with WatchGuard Access Portal. Integration Guide

Integrating AirWatch and VMware Identity Manager

Configuring Single Sign-on from the VMware Identity Manager Service to Vizru

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

Morningstar ByAllAccounts SAML Connectivity Guide

AT&T Business Messaging Account Management

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Configuring Single Sign-on from the VMware Identity Manager Service to Collibra

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

SAML SSO Okta Identity Provider 2

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

WebEx Connector. Version 2.0. User Guide

SAML-Based SSO Solution

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

AD FS CONFIGURATION GUIDE

Colligo Console. Administrator Guide

Slack Connector. Version 2.0. User Guide

ServiceNow Deployment Guide

ArcGIS Server and Portal for ArcGIS An Introduction to Security

TACACs+, RADIUS, LDAP, RSA, and SAML

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

Dropbox Connector. Version 2.0. User Guide

Identity Provider for SAP Single Sign-On and SAP Identity Management

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: May 2015

Setting Up Resources in VMware Identity Manager

AppScaler SSO Active Directory Guide

CA SiteMinder Federation

How to Use ADFS to Implement Single Sign-On for an ASP.NET MVC Application

Quick Connection Guide

Transcription:

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5 Phone: 1-855-MYESIGN Fax: (514) 337-5258 Web: www.esignlive.com

esignlive Phone: 1-855-MYESIGN 8200 Decarie Blvd, Suite 300 Fax: (514) 337-5258 Montreal, Quebec sign.support@onespan.com H4P 2P5 Canada Remember to visit our Web site at: https://www.esignlive.com/ and our Resource Center at: https://www.esignlive.com/resource-center/ 1992-2018 esignlive North America Technology Inc. All rights reserved. Information in this document is subject to change without notice, and does not represent a commitment on the part of esignlive North America Technology Inc. The software and associated files described in this document are furnished under the software license agreement, and can be used or copied only in accordance with the terms of the agreement. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information and retrieval systems, for any purpose other than the purchaser s personal use, without express written permission of esignlive North America Technology Inc. Written and Produced in Canada. Protected by United States patents 5,606,609; 6,751,632; 6,912,660; 6,931,420; 7,340,608; 8,307,218; and 9,665,737; Canadian patents 2,340,780; 2,345,148; and 2,428,665; European patents 1,116,110; 1,153,352; 1,238,321; 1,270,179; 1,376,311; and 1,393,144; and Australian patents AU 2,002,215,782; and AU 2,003,204,747. Patents pending in the United States, Canada, Europe, and other countries. ApproveIt is a registered trademark of esignlive North America Technology Inc. in the United States and/or other countries. esignlive, e-witness, e-sign Enterprise, e-sign Desktop, e-vault Manager, Process Reviewer, LCD Tablet Process Navigator, e-mail Notification Manager, e-vault Manager Administration Console, e-vault Manager Console, Electronic Evidence, and When e-signatures matter to your business are trademarks of esignlive North America Technology Inc. Excel, Microsoft, Office, Outlook, Windows, Windows NT, and Word are registered trademarks of Microsoft Corporation. Adobe and Acrobat Reader are registered trademarks of Adobe Systems Incorporated. SignatureGem is a trademark of Topaz Systems Incorporated. THE CONTENT AND RELATED GRAPHICS PUBLISHED HEREIN COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. ONESPAN NORTH AMERICA TECHNOLOGY INC. RESERVES THE RIGHT TO CHANGE ANY AND ALL INFORMATION CONTAINED HEREIN AT ANY TIME WITHOUT NOTICE.

CONTENTS Introduction 1 Getting Started 2 Configuring One or More Accounts 2 Configuring a Single Account 2 Configuring Multiple Accounts 2 Optional Account Settings 2 Force SSO Login 2 Custom Redirection URLs 3 Sender Email Templates 3 Configuring Your Identity Provider 5 Configuring ADFS for SAML 6 Configuring OKTA for SAML 9 SAML Metadata 11 Configuring SAML on Your esignlive Account 12 Testing Your SSO Functionality 13 2018 - OneSpan North America Inc. iii

Introduction SSO Using SAML (your are here) Getting Started Identity Providers Configuring SAML on esignlive Testing The product called esignlive provides a complete e-signature platform for the Web, including preparing, distributing, reviewing, signing, and downloading documents. SAML (Security Assertion Markup Language) is a format for exchanging authentication and authorization data between an Identity Provider and a Service Provider. To facilitate integration with third-party applications that provide Web SSO (Single Sign-On), esignlive supports the SAML 2.0 protocol. By performing the procedures listed below, you can enable any member of a selected esignlive account to log in to esignlive using SSO via SAML 2.0 tokens. SAML logins to esignlive enable: A better User Experience, since users are logged in to esignlive transparently No need for the user to remember a password to log in Less time spent re-entering a password The option of automatically creating a new sender for the esignlive account upon a user's very first login to esignlive Reduced IT costs (via centrally-managed accounts and credentials) Enabling a SAML login to esignlive generally entails successively performing the following procedures: 1. Getting Started 2. Configuring Your Identity Provider 3. Configuring SAML on Your esignlive Account 4. Testing Your SSO Functionality NOTE: The protocol binding for SAML 2.0 is HTTP-Redirect and HTTP-POST. NOTE: SSO is a service designed for an organization's esignlive users, not for signers who do not belong to a esignlive account, and who typically reside outside the organization. To authenticate such signers, please use one of esignlive's alternate Authentication Methods, described here (New Application User's Guide), here (Classic Application User's Guide), and here (Integrator's Guide). 2018 - OneSpan North America Inc. 1

Getting Started SSO Using SAML Getting Started (you are here) Identity Providers Configuring SAML on esignlive Testing The following sections contain information that is relevant to getting started with SAML on esignlive: Configuring One or More Accounts (below) Optional Account Settings (below) Configuring One or More Accounts One of the following topics applies to your situation: Configuring a Single Account (below) Configuring Multiple Accounts (below) Configuring a Single Account esignlive has a setting for single accounts, called Sender Auto Provisioning. This feature is enabled by default. If this feature is enabled, the first time a sender tries to log in via SSO, esignlive will create an account for them, and will give them access to esignlive's User Interface for senders. If this feature is disabled, an organization must manually add a sender to a esignlive account before they can log in via SSO. Configuring Multiple Accounts Optionally, multiple esignlive accounts can be configured to use the same Identity Provider for SSO. WARNING: This approach does not support the Sender Auto Provisioning feature described above. Thus senders must be manually added to accounts. TIP: Senders can be provisioned programmatically via esignlive's REST API or SDK, without the senders receiving notifications to sign up for an account. For help with this, please contact Technical Support (sign.support@onespan.com; 1-855- MYESIGN). Optional Account Settings The following optional SSO-related settings can be configured at the account level: Force SSO Login (below) Custom Redirection URLs (on the next page) Sender Email Templates (on the next page) Force SSO Login To force the senders on an account to log in to esignlive via SSO, use esignlive BackOffice to enable SSO login at the account level. This setting will block users from accessing esignlive via its Login page. The following screens illustrate how the Login and Forgot Password pages appear when this setting is enabled. 2018 - OneSpan North America Inc. 2

Custom Redirection URLs In response to certain events, esignlive by default redirects users back to esignlive's main Login page. This may be undesirable when using SSO, since a typical user will not have a username or password for that page (instead they use an SSO login URL). The best practice is to override these redirection URLs. Thus you should provide URLs of your choice for the following: URL Handover URL Session timeout for sender Sender logout Session timeout for signer Definition For more information, see Handover URLs. Senders will be redirected to this URL when their session times out. Senders will be redirected to this URL when they log out of the esignlive application. Signers will be redirected to this URL when their session times out. Sender Email Templates esignlive's SAML feature has email templates that can be used to send email notifications to senders under the following conditions:. Forgot your password Opt out Decline Account invitation Expire Bounced Complaint Out of the office Reassign sender Ready to complete Lock signer Login lockout KBA failure WARNING: The above email templates contain the variable $LINK_URL;, which redirects senders to esignlive's Login page. Instead, you will want to redirect senders to the SSO URL. To arrange this, please contact Technical Support (sign.sup- 2018 - OneSpan North America Inc. 3

port@onespan.com; 1-855-MYESIGN). Note: Switching to the SSO URL prevents senders from using the Forgot Password link on esignlive's main page. NOTE: The Account invitation email will not be sent to senders if they are auto-provisioned upon SSO login (see Configuring a Single Account (on page 2)), or if they are provisioned via the REST API or SDK. 2018 - OneSpan North America Inc. 4

Configuring Your Identity Provider SSO Using SAML Getting Started Identity Providers (you are here) Configuring SAML on esignlive Testing Many organizations can serve as your Identity Provider for SAML. The following sections describe how to configure two such providers: Configuring ADFS for SAML Configuring OKTA for SAML No matter which Identity Provider you use, you should do the following:. 1. Set the Signature algorithm name for SAML to SHA1withRSA. 2. On your Identity Provider, configure the following Attribute Mappings (esignlive will use them to identify the user who is logging in): User email first name last name Attributes One of the following: email emailaddress mail One of the following: firstname givenname cn One of the following: lastname surname sn TIP: If you need to import the required metadata into your keystore, see SAML Metadata (on page 11) 2018 - OneSpan North America Inc. 5

Configuring ADFS for SAML SSO Using SAML Getting Started ADFS for SAML (you are here) Configuring SAML on esignlive Testing Microsoft's Active Directory Federation Services (ADFS) can serve as a SAML 2.0 Identity Provider for esignlive. To configure ADFS to serve as a SAML Identity Provider for esignlive: 1. Start the ADFS 2.0 Management Console. 2. Open the Trust Relationships folder, and right-click Relying Party Trusts. 3. Select Add Relying Party Trust, and then Start. 4. In the Add Relying Party Trust wizard, select Import data about the relying party from a file. 5. Import the required metadata into your keystore. To download it, see SAML Metadata (on page 11). 6. Complete the wizard as necessary, entering your Display Name, and the Authorization Rules you want to use. 2018 - OneSpan North America Inc. 6

7. On the Advanced tab, change the Secure hash algorithm to SHA-1. 8. Create new Claims Rule for LDAP Attributes using the following template: 9. Edit the rule so your screen looks as follows: 10. Create another Claims Rule to Transform an Incoming Claim. This will add email to the Subject of the response as NameID. 11. This Claim Rule will reference the first Claim Rule. For this reason, the latter must remain Rule 1. 2018 - OneSpan North America Inc. 7

2018 - OneSpan North America Inc. 8

Configuring OKTA for SAML SSO Using SAML Getting Started OKTA for SAML (you are here) Configuring SAML on esignlive Testing OKTA (https://www.okta.com) can serve as a SAML Identity Provider for esignlive. NOTE: The following example configures OKTA as the Identity Provider for an esignlive US Sandbox instance. To configure OKTA to serve as a SAML Identity Provider for esignlive: 1. Navigate to https://www.okta.com/developer/signup/, and create a free OKTA Developer Edition organization. 2. Log in to the Admin Console, and click Add Applications. 3. Click Create New App, and select SAML 2.0 as the Sign On Method. 4. In the General Settings section, enter an App name. Then click Next. 5. In the Configure SAML section, paste the following URL into the Single sign on URL fields: https://sandbox.e-signlive.com/sso/saml/sso/alias/e-signlive NOTE: Keep the recipient URL and destination URL the same. 6. In the Audience Restriction field, enter the SP entity ID. For example: urn:saml:sso:sandbox:e-signlive:com. 7. For the default relay state value, enter https://sandbox.e-signlive.com/packages/inbox 8. Click Show Advanced Settings, and configure the settings in the following table: SETTING VALUE Name ID format Response Assertion Signature Signature Algorithm Digest Algorithm Assertion Encryption SAML Single Logout authcontextclassref Honor Force Authentication SAML Issuer ID EmailAddress Signed Unsigned RSA_SHA1 SHA1 Unencrypted Disabled Unspecified No http://www.okta.com/${org.externalkey} 9. In the Attribute Statements section, add the following three attribute statements, and then click Next: Name Name Format Value email URI Reference user.email firstname URI Reference user.firstname lastname URI Reference user.lastname 10. In the Feedback section, select This is an internal application that we created. Then click Finish. 2018 - OneSpan North America Inc. 9

You will now see the Sign On section of your newly created Example SAML Application. Keep this page open in a separate browser tab or window. You will need its Identity Provider metadata link when you perform the procedure Configuring SAML on Your esignlive Account. TIP: To copy the Identity Provider metadata link, right-click it and select Copy. 11. Right-click the People section of the Name of your application, and select Open Link In New Tab (so you can come back to the Sign On section later). 12. In the new tab that opens, click the Assign Application button. 13. A dialog box called Assign name of Application to up to 500 people appears. Type your username in the search box, and select the check box next to your username. Then click Next. 14. You will be prompted to enter user-specific attributes. Click Confirm Assignments to keep the defaults. TIP: You are now ready to perform the procedure Configuring SAML on Your esignlive Account. You will need the Identity Provider metadata link from Step 10. 2018 - OneSpan North America Inc. 10

SAML Metadata SSO Using SAML Getting Started Identity Providers Configuring SAML on esignlive Testing One of the following links to esignlive metadata may be required when you configure your Identity Provider: apps.e-signlive.ca apps.esignlive.com.au apps.esignlive.com apps.e-signlive.com apps.esignlive.eu sandbox.e-signlive.ca sandbox.esignlive.com sandbox.e-signlive.com 2018 - OneSpan North America Inc. 11

Configuring SAML on Your esignlive Account SSO Using SAML Getting Started Identity Providers Configuring SAML on esignlive (you are here) Testing To configure SAML on your esignlive account: 1. Complete the configuration of your Identity Provider, and gather the following information: The email address of the esignlive account on which SSO will be configured The Identity Provider's metadata This will be a SAML metadata URL, or a metadata XML file. The Identity Provider's Entity ID The Identity Provider's Public Certificate NOTE: esignlive supports importing metadata from an XML file to accommodate organizations whose Identity Provider's SAML metadata is not exposed on the web due to security concerns. 2. Contact Technical Support (sign.support@onespan.com; 1-855-MYESIGN), and give them the Identity Provider information gathered in the previous step. 3. Technical Support will give you up-to-date configuration information that includes: esignlive metadata (to download that data, see SAML Metadata (on the previous page) An Entity ID An SP consumer end-point URL (e.g,, https://sandbox.e-signlive.ca/sso/saml/sso/alias/e-signlive) 4. Use the information from the previous step to reconfigure your Identity Provider. 2018 - OneSpan North America Inc. 12

Testing Your SSO Functionality SSO Using SAML Getting Started Identity Providers Configuring SAML on esignlive Testing (you are here) Once your configurations are complete, you can use either your SP URL (obtained from esignlive) or the Identity Provider URL (obtained from your Identity Provider) to start a session and test your SSO functionality. To test your SSO functionality: 1. Navigate to the SSO URL (either the SP URL, or the Identity Provider URL). You should be redirected to the Identity Provider server's Login page. TIP: Your SP URL should look something like this: https://{server:port}/sso/saml/login/alias/esignlive?idp= {Entity ID of the Identity Provider} The following example SP URL is from our U.S. Production environment: https://apps.esignlive.- com/sso/saml/login/alias/esignlive?idp={entity ID of the Identity Provider} 2. Log in with your Identity Provider server credentials (SSO credentials). You should be redirected to esignlive's Inbox. Once that happens, you have successfully logged into esignlive using SSO via SAML 2.0 tokens. 2018 - OneSpan North America Inc. 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback