Set up Single Sign-On with OneLogin
Skip to:
This is a step-by-step guide on how to set up the Single sign-on integration with OneLogin. Integrating with OneLogin takes the following four steps:
- Add PandaDoc as an application in OneLogin
- Configure OneLogin data in PandaDoc
Note:
To learn more about SSO in PandaDoc, click here.Adding PandaDoc as an application in OneLogin
Sign into your OneLogin domain at <yourorganization>.onelogin.com, select 'Apps' and then choose ‘Add apps’ in the dropdown menu. Select "SAML Test Connector (Advanced)" application. Set application name, e.g. “PandaDoc” and click “Save” to proceed to profile settings
Configuring OneLogin in PandaDoc
- Click Administration.
- Click Apps and select Company apps.
- Find and select PandaDoc.
- Switch to the Configuration tab.
- Fill out the following fields:
ACS (Consumer) URL Validator: .*
ACS (Consumer) URL: https://app.pandadoc.com/sso-acs/
- Click Enable
- Go to the Parameters tab and add parameters. By default, the first parameter is NameID. We will set its value to Email by clicking on the parameter and selecting it from the dropdown
- Click on the Add parameter link, add a parameter named first_name, and select the Include in SAML assertion checkbox and click on Save.
- Next, we will assign a value for the created field. Click on the Value dropdown, select First Name, and click on Save
- Similarly, we’ll add two more attributes. Add last_name and select Last Name as the value, and add email and select Email as the value. Finally, your attribute list will look as follows:
- Click Save.
Using Rules to Provision Users to Roles and Groups
We recommend that you set the Role value to Member and use provisioning Rules to assign specific sets of OneLogin users to the Administrator or Manager roles.
You can define rules to provision subsets of your OneLogin users into PandaDoc roles and groups. For example, you can define a subset of users by filtering on a specific OneLogin user attribute value and then define an action that provisions the subset of users to a specific PandaDoc role or workspace.
- Go to the Rules tab
- Click New rule to open the New Mapping dialog, where you can set the conditions and actions that determine which users will be provisioned from OneLogin to specific PandaDoc role or workspace
- Give your rule a name
- In the Conditions area, click + to add a condition. Use the fields to define a condition that defines a subset of users to be acted upon by the rule. Conditions are based on OneLogin user attribute values
- In the Actions area, click + to add an action. Use the fields to define the action that will be performed on users by the rule. Available actions include:
- Provision users to an existing PandaDoc workspace
- Provision users to an existing PandaDoc role
- Click Save
- To add another provisioning rule, click New rule
- The order in which rules are applied matters and can impact provisioning results. Drag and drop the rule rows to put them in the order that produces correct results
- Click Show Affected Users to see which users will be affected by the provisioning rule as configured. Review the list to ensure that only intended users are listed
- Click Save
- Go to the More Actions menu and click Reapply Provisioning Mappings to apply the new rule.
Warning:
You must reapply mappings any time you create or update rules!
Testing Provisioning
Test your provisioning setup to confirm that provisioning from OneLogin to Egnyte is working.
- Go to Apps > Company Apps. Search for and select your PandaDoc app.
- Go to the Provisioning tab
Ensure that the following options are selected: Enable provisioning for Egnyte, Create user, Delete user, Update user - Click Save
- Go to Users > Roles
- Create a test role and add your Egnyte app to it
- Click Save
- Access the test role that you just created
- Go to the Users tab
- Under Add Users to Role Manually, add your test user(s)
- Click Save. This will trigger the provisioning of the test user to your Egnyte app
- Go to Users > Provisioning to approve the provisioning action
Use search and filters to locate your provisioning task. It should be in Pending status, as shown on the screenshot below - Click the row and click Ignore or Approve, depending on your test case
- If the provisioning row shows up as Failed on the Provisioning page, click the row to view a reason for the failure. Click Retry to try again.
- When the user has been successfully provisioned according to OneLogin, go to Egnyte and confirm that the new user has been added.
- Continue to test for user updates and user deletions.
Assigning PandaDoc Application to Users in OneLogin
After completing the configurations for PandaDoc, you need to ensure that users are assigned to the PandaDoc application. OneLogin provides various ways to assign users, for testing purposes we can assign a single user under Users > All Users > [click on user name] > Applications tab. Click the '+' sign to assign your testing user to the PandaDoc application. Additional information about assigning users to applications in OneLogin can be found in Assigning Apps to Users
Testing SSO in PandaDoc
- Log out of PandaDoc (click on avatar picture and choose “Log out”)
- Open your PandaDoc URL in the browser - https://app.pandadoc.com/sso-login/
- Log in with your PandaDoc account domain email.
Try out Just-in-time provisioning
Users can log in with the domain email that is not associated with a PandaDoc account through Just-in-Time provisioning. In this case, the user will be added to your PandaDoc workspace under the domain email.