Set up Single Sign-On with Active Directory

Avatar
Eugenia Brown
  • Updated

Skip to:

PandaDoc supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.

Note:

To learn more about SSO in PandaDoc, click here.

Requirements

To use ADFS to log in to your PandaDoc instance, you need the following components:

  • An Active Directory instance where all users have an email address attribute
  • A PandaDoc instance on the Professional or Enterprise plans
  • A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible in other versions
  • A SSL certificate to sign your ADFS login page and the fingerprint for that certificate
  • If you're using host mapping in your PandaDoc instance, an installed certificate for hosted SSL

After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.

When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.

Windows server configuration for PandaDoc SSO

The connection between ADFS and PandaDoc is defined using a Relying Party Trust (RPT). Select the Relying Party Trusts folder from AD FS Management and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.

  • Welcome

On the welcome screen, press Start.

1.png

  • Select Data Source

Select "Enter data about the relying party manually" .

2.png

  • Specify Display Name

Enter Name, e.g. “PandaDoc” .

3.png

  • Configure Certificate

Skip the token encryption certificate step, it’s not supported by the PandaDoc SSO.

4.png

  • Configure URL

Copy and paste it in the AD FS wizard as “Relying party SAML 2.0 SSO service URL” https://app.pandadoc.com/sso-acs/

5.png

  • Configure Identifiers

Enter your PandaDoc URL as “Relying party trust identifier”, e.g. “https://pandadoc.com”.

6.png

  • Choose Issuance Authorization Rules

Select Initial behavior for the authorization rules.

Select “Permit everyone” if you want to allow all Active Directory users to login to PandaDoc or “Deny all...” if you want to allow specific users later.

To change the behavior further, select the relying party trust and click Edit Claim Rules in the Actions pane.

Advanced rules can be configured later: Create a Rule to Permit or Deny Users Based on an Incoming Claim.

7.png

With the “Permit everyone” rule selected and the “Enable JIT provisioning” PandaDoc SSO setting enabled, your users might quickly consume all available PandaDoc licenses. Therefore we don’t recommend having both options enabled at the same time.

  • Ready to Add Trust

Don’t change anything in the next step.

8.png

  • Finish

Select “Configure claims...

9.png

  • Click ‘Add’ in the Claim rules wizard and keep “Send LDAP Attributes as Claims” in first step

10.png

  • Name your rule and, using Active Directory as an attribute store, map as follows:

LDAP Attribute

Outgoing Claim Type

E-mail-Addresses

E-mail-Address

Given-Name

FirstName

Surname

LastName

11.png

  • Create a new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as a template

12.png

You will end up with two rules (note the order, "Email - E-Mail Address" rule must be first!)

Finally, click OK to create the claim rule, and then OK again to finish creating rules. With this, the configuration of ADFS has been completed! 

PandaDoc SSO configuration

  • Sign-On URL. To find out your Sign-On URL download and open a metadata file from your AD FS server via https://server.mydomain/FederationMetadata/2007-06/FederationMetadata.xml and check for SingleSignOn Location

13.png

  • Certificate. Next, you will find out your signing certificate used on the AD FS server. Open AD FS > Certificates. Right-click on Token-signing certificate, open Details tab and click Copy to File

14.png

  • In the wizard, select “Base-64 encoded X.509” option
  • After exporting the certificate to file, open the file with Notepad or another text editor, copy the text snippet and paste to the “Certificate” field in the PandaDoc SSO form

15.png

Testing SSO in PandaDoc

PandaDoc initiated login:

  1. Log out of PandaDoc (click the avatar picture and choose “Log out”)
  2. Open the PandaDoc URL in the browser - https://app.pandadoc.com/sso-login/
  3. Log in with your PandaDoc account domain email.

Identity Provider initiated login:

Log into your Active Directory SSO page and then click an icon to log into and open the PandaDoc application.

Try Just-in-time provisioning

Users can log in with the domain email that is not associated with a PandaDoc account through Just-in-Time provisioning. In this case, the user will be added to your PandaDoc workspace under the domain email.

Additional information

The Federation Server is usually not directly accessible from the Internet, so you need to set up a proxy. Here’s additional information about proxy setup.

AD FS 2.0 installer for Windows Server 2008 R2:

http://www.microsoft.com/en-us/download/details.aspx?id=10909

Related articles