SSO implementation

PandaDoc now supports SSO via IdPs like Okta or OneLogin, using SAML 2.0 for secure, password-free, and fast access across domains.

Updated today

Availability: Enterprise plan

Single Sign-On (SSO) allows employees to access PandaDoc securely through an identity provider (IdP) such as Okta, OneLogin, or Microsoft AD FS, eliminating the need for passwords and ensuring fast, secure access.

What is SSO?

SSO in PandaDoc is based on Security Assertion Markup Language 2.0 (SAML 2.0), an industry-standard protocol for enabling Single Sign-On across web applications. During the authentication process, no passwords are exchanged with PandaDoc. Instead, PandaDoc receives a temporary, digitally signed SAML assertion that verifies the user's identity.

Benefits of SSO for PandaDoc

  • Simplifies secure access to PandaDoc for users.

  • Centralizes user authentication and access control for IT and security teams.

  • Reduces the need for password management, enhancing security and efficiency.

  • Enforces additional security measures like password complexity, expiration, and two-factor authentication (depending on your identity provider’s features).

Enabling SSO

Before enabling SSO, confirm that:

  1. The email address associated with each user's PandaDoc account matches their email in the company directory.

  2. Your identity or SSO provider supports federated authentication using SAML 2.0.

The list of compatible SSO solutions includes, but is not limited to, Okta, OneLogin, and Microsoft AD FS.

Configuring SSO for your account

Note: Only the Account Owner can access the Single Sign-On configuration page.

  1. Select your profile image located in the lower-left corner to open Settings, then choose Single-sign-on.

  2. Choose the Enable Single-sign-on option.

  3. Specify your company domain and click +Add domain name.

Verify domain ownership

  1. Log in to the account where you manage your domain (e.g., GoDaddy, Namecheap, Cloudflare).

  2. Navigate to the DNS settings or DNS management area for the domain you want to verify.

Add a new TXT record:

  • Select TXT as the record type.

  • Fill out the fields based on the information provided by your SSO provider:

    • Host/Name: @

    • Value/Content: pandadocYqfPmHTEjUzLAhj6shVtSX (this value is an example; copy your unique value from the SSO configuration page).

    • TTL: You can usually leave this at the default (e.g., 3600 seconds or 1 hour).

Save the changes to add the TXT record to your DNS.

Complete the verification process:

Once the TXT record is added, return to the PandaDoc platform and click the Verify domain button to complete the domain verification process. DNS propagation can take anywhere from a few minutes to 48 hours, so it may take some time before PandaDoc can verify the record.
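Before clicking Verify domain, you can confirm that the record is visible from your own resolver. The following is an added example (not PandaDoc tooling) that checks the output of `dig +short TXT <your domain>`; the sample output is constructed, and treating any value that starts with `pandadoc` as a verification token is an assumption based on the example value above.

```python
import re

# One DNS character-string as dig prints it: "..." with backslash escapes.
_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample of `dig +short TXT example.com` output.
DIG_OUTPUT = '''"v=spf1 include:_spf.example.net ~all"
"pandadocYqfPmHTEjUzLAhj6shVtSX"
'''

def txt_values(dig_short_output):
    """Return one string per TXT record found in `dig +short TXT` output.

    A long record is printed as several quoted chunks on one line; resolvers
    join them without a separator, so the chunks are joined the same way.
    """
    values = []
    for line in dig_short_output.splitlines():
        chunks = _CHUNK.findall(line)
        if chunks:
            # Undo simple escapes such as \" (tokens are plain alphanumerics).
            values.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return values

def check_verification(dig_short_output, expected):
    """Return 'ok', 'mismatch' or 'missing' for the expected token."""
    values = txt_values(dig_short_output)
    if expected in values:
        return "ok"
    # Assumption: verification tokens start with "pandadoc".
    if any(v.startswith("pandadoc") for v in values):
        return "mismatch"  # an old or mistyped token is published
    return "missing"       # not added yet, or not visible to this resolver

if __name__ == "__main__":
    print(check_verification(DIG_OUTPUT, "pandadocYqfPmHTEjUzLAhj6shVtSX"))
```

A `mismatch` result usually means a token from an earlier configuration attempt is still published; remove it so only the current value remains.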

Fill in the general configuration:

Company domain

If you have multiple domains, add each using the +Add domain button.

Password access

By default, the All users may log in using password option is selected. If you want to enable password login for specific users, uncheck the All users may log in using password option and add the emails of the users who should be allowed to log in via password using the +Add member button. Typically, password login is enabled for the account owner.

Identity provider

Paste the endpoint and the certificate URL.

Format example:


Create account

  • Upon signup
    We'll add user data to PandaDoc based on the email address registered with the user's SSO provider.

  • Automatically using SCIM
    We'll add user data via SCIM (System for Cross-domain Identity Management) — no signup required.

Set up team details (conditional)

  • If your configuration involves automatically adding users from your identity provider to PandaDoc, you can choose the default workspace, along with the assigned role and license.

  • If you select dynamic provisioning, which allows assigning new users based on their identity provider key, you will have the option to configure different default workspaces, roles, and licenses for each identity provider group.


If you want to configure SSO for several identity providers, you can add different configurations here:

To delete a configuration, click the three ellipses button for your configuration, then select Delete.

For further assistance with setting up SSO or managing your PandaDoc account, please contact our Support team.

IDP Side Setup

Every IdP will be a little different depending on its setup flow and default values.

Custom setup is needed for the IdPs mentioned below; refer to the article for each provider:

Relying party SAML 2.0 SSO URL

Entity ID

  • Email Attribute: Email

  • First Name Attribute: FirstName

  • Last Name Attribute: LastName
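To check the IdP-side mapping before rolling SSO out, you can lint a test assertion captured from your own IdP. This is an added example, not PandaDoc's validation logic: it checks that the Email, FirstName and LastName attributes listed above are present, that the validity window covers the current time, and that a signature element exists (presence only, no cryptographic verification). The sample assertion is constructed.

```python
import xml.etree.ElementTree as ET  # own captured data only; use defusedxml for untrusted XML
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = ("Email", "FirstName", "LastName")  # attribute names listed above

# Constructed sample: unsigned, five-minute validity window, LastName not mapped.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
 <saml:AttributeStatement>
  <saml:Attribute Name="Email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lint_assertion(xml_text, now):
    """Return the problems found in one decoded SAML assertion or response."""
    root = ET.fromstring(xml_text)
    a = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no saml:Assertion element"]
    problems = []
    # Presence check only; an IdP that signs just the enclosing Response is flagged too.
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no validity window")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("not yet valid")
        if na and now >= _ts(na):
            problems.append("expired")
    attrs = {}
    for at in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[at.get("Name")] = [v.text or "" for v in at.findall("saml:AttributeValue", NS)]
    for name in REQUIRED:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append(f"missing attribute {name}")
    return problems

if __name__ == "__main__":
    print(lint_assertion(SAMPLE, datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)))
```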

Just-in-time (JIT) provisioning

Activating a PandaDoc account without an invitation is possible if just-in-time (JIT) provisioning and SSO are enabled. JIT provisioning allows employees to become PandaDoc users automatically the first time they try to log into PandaDoc. An admin does not have to add them as a new PandaDoc user.

SSO Login scenario:

  1. Users log in with their corporate email to a PandaDoc SSO login page: https://app.pandadoc.com/sso-login/

  2. If not already authenticated, users are redirected to the corporate server or third-party identity provider login page, depending on the enterprise SSO option.

  3. Users enter their sign-in credentials.

  4. If valid, users are redirected back to the PandaDoc app.

Removing Users

When you remove an employee from your company directory in your IdP, they are no longer able to access PandaDoc via SSO; however, their PandaDoc user profile is not automatically deleted. To configure automated user deletion from your PandaDoc organization, configure the attribute mapping in your IdP to disable a user in one of two ways:

  • Update > active status: "False"

    Disable a user

  • Delete user

    Delete a user

Alternatively, you can manually remove an employee from your PandaDoc account by going to Settings > Team and deleting the user. See more here.
