Availability: Enterprise plan
PandaDoc now supports Single Sign-On (SSO). You can set up SSO to give employees access to PandaDoc through an identity provider (IdPs such as Okta, OneLogin, Microsoft AD FS, etc.) eliminating passwords from the login process for safe and fast access.
Single Sign-On in PandaDoc is based on Security Assertion Markup Language 2.0 (SAML 2.0). The purpose of SAML is to enable Single Sign-On for web applications across various domains. SAML 2.0 is a leading industry standard for exchanging the authentication and authorization data that PandaDoc supports as a service provider (SP).
No actual passwords are transferred to or from PandaDoc during the authorization event. Instead, PandaDoc receives a SAML assertion of the user identity, which is valid for a limited period of time and digitally signed.
Note:Please reach out to our Support team if you need to update the SSO certificate.
How does SSO for PandaDoc help you?
- Facilitate easy and secure access for users to their PandaDoc accounts
- Help IT and security departments authenticate users and control application access centrally
- Reduce password maintenance and security overheads
- Enforce additional password security measures such as password complexity requirements, password expiration and two-factor authentication (number of features available defined by your identity provider)
Please, contact us if you want to set up SSO for your organization.
Before enabling SSO it’s important to confirm that:
The email address associated with each user's PandaDoc account matches their email in the company directory.
Confirm that your identity or SSO provider supports federated authentication using SAML 2.0. The list of compatible SSO solutions includes, but is not limited to Okta, OneLogin, Microsoft AD FS.
IDP Side Setup
Every IDP will be a little different depending on their setup flow and default values.
The custom setup is needed for the IDPs mentioned below:
Just-in-time (JIT) provisioning
Activating a PandaDoc account without an invitation is possible if just-in-time (JIT) provisioning and SSO are enabled. JIT provisioning allows employees to become PandaDoc users automatically the first time they try to log into PandaDoc. An admin does not have to add them as a new PandaDoc user.
SSO Login scenario:
- Users log in with their corporate email to a PandaDoc SSO login page: https://app.pandadoc.com/sso-login/
- If not already authenticated, users are redirected to the corporate server or third-party identity provider login page, depending on the enterprise SSO option.
- Users enter their sign-in credentials.
- If valid, users are redirected back to PandaDoc app.
When you remove an employee from your company directory in your IdP, they are no longer able to access PandaDoc via SSO; however, their PandaDoc user profile is not automatically deleted. To remove an employee from your PandaDoc account, go to Settings > Team and delete the user. See more here.