PandaDoc supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.
Note:To learn more about SSO in PandaDoc, click here.
To use ADFS to log in to your PandaDoc instance, you need the following components:
- An Active Directory instance where all users have an email address attribute
- A PandaDoc instance on the Professional or Enterprise plans
- A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible in other versions
- A SSL certificate to sign your ADFS login page and the fingerprint for that certificate
- If you're using host mapping in your PandaDoc instance, an installed certificate for hosted SSL
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.
Windows server configuration for PandaDoc SSO
The connection between ADFS and PandaDoc is defined using a Relying Party Trust (RPT). Select the Relying Party Trusts folder from AD FS Management and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
On the welcome screen, press Start.
- Select Data Source
Select "Enter data about the relying party manually".
- Specify Display Name
Enter Name, e.g. “PandaDoc”.
- Configure Certificate
Skip the token encryption certificate step, it’s not supported by the PandaDoc SSO.
- Configure URL
Copy and paste it in the AD FS wizard as “Relying party SAML 2.0 SSO service URL” https://app.pandadoc.com/sso-acs/
- Configure Identifiers
Enter your PandaDoc URL as “Relying party trust identifier”, e.g. “https://pandadoc.com”.
- Choose Issuance Authorization Rules
Select Initial behavior for the authorization rules.
Select “Permit everyone” if you want to allow all Active Directory users to login to PandaDoc or “Deny all...” if you want to allow specific users later.
To change the behavior further, select the relying party trust and click Edit Claim Rules in the Actions pane.
Advanced rules can be configured later: Create a Rule to Permit or Deny Users Based on an Incoming Claim.
With the “Permit everyone” rule selected and the “Enable JIT provisioning” PandaDoc SSO setting enabled, your users might quickly consume all available PandaDoc licenses. Therefore we don’t recommend having both options enabled at the same time.
- Ready to Add Trust
Don’t change anything in the next step.
Select “Configure claims...”
- Click ‘Add’ in the Claim rules wizard and keep “Send LDAP Attributes as Claims” in first step
- Name your rule and, using Active Directory as an attribute store, map as follows:
Outgoing Claim Type
- Create a new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as a template
You will end up with two rules (note the order, "Email - E-Mail Address" rule must be first!)
Finally, click OK to create the claim rule, and then OK again to finish creating rules. With this, the configuration of ADFS has been completed!
PandaDoc SSO configuration
- Sign-On URL. To find out your Sign-On URL download and open a metadata file from your AD FS server via https://server.mydomain/FederationMetadata/2007-06/FederationMetadata.xml and check for SingleSignOn Location
- Certificate. Next, you will find out your signing certificate used on the AD FS server. Open AD FS > Certificates. Right-click on Token-signing certificate, open Details tab and click Copy to File
- In the wizard, select “Base-64 encoded X.509” option
- After exporting the certificate to file, open the file with Notepad or another text editor, copy the text snippet and paste to the “Certificate” field in the PandaDoc SSO form
- Feel in the form https://forms.gle/V1CBvm27ZpTmjL6V8 and contact email@example.com as soon as you send the form
Testing SSO in PandaDoc
PandaDoc initiated login:
- Log out of PandaDoc (click the avatar picture and choose “Log out”)
- Open the PandaDoc URL in the browser - https://app.pandadoc.com/sso-login/
- Log in with your PandaDoc account domain email.
Identity Provider initiated login:
Log into your Active Directory SSO page and then click an icon to log into and open the PandaDoc application.
Try Just-in-time provisioning
Users can log in with the domain email that is not associated with a PandaDoc account through Just-in-Time provisioning. In this case, the user will be added to your PandaDoc workspace under the domain email.
The Federation Server is usually not directly accessible from the Internet, so you need to set up a proxy. Here’s additional information about proxy setup.
AD FS 2.0 installer for Windows Server 2008 R2: