Introducing SAML
14 Jan 2025

The product called OneSpan Sign provides a complete e-signature platform for the Web, including preparing, distributing, reviewing, signing, and downloading documents.

SAML (Security Assertion Markup Language) is a format for exchanging authentication and authorization data between an Identity Provider and a Service Provider.

To facilitate integration with third-party applications that provide Web SSO (Single Sign-On), OneSpan Sign supports the SAML 2.0 protocol. By performing the procedures listed below, you can:

  • Enable "senders" (members of a OneSpan Sign account) to log in to OneSpan Sign using SSO via SAML 2.0 tokens.

  • Enable "recipients" (not members of a OneSpan Sign account) to access the Signer Experience using SSO via SAML 2.0 tokens.

SAML logins to OneSpan Sign enable:

  • A better User Experience, since users are logged in to OneSpan Sign transparently

  • No need for the user to remember a password to log in

  • Less time spent re-entering a password

  • The option of automatically creating a new sender for the OneSpan Sign account upon a user's very first login to OneSpan Sign. Note that: (1) senders can be created even when multiple accounts have the same Identity Provider; (2) a new sender can be specified as either a Manager or a Member.

  • Reduced IT costs (via centrally-managed accounts and credentials)

  • "Recipients" to access the Signer Experience in a more secure manner

Regardless of how their account is configured for Single Sign-On Authentication, group signers must always log in to the sender part of the New User Experience before they sign.

Enabling a SAML login to OneSpan Sign generally entails successively performing the following procedures:

  1. Getting Started

  2. Configuring Your Identity Provider

  3. Configuring SAML on your OneSpan Sign Account

  4. Testing Your SSO Functionality

The protocol binding for SAML 2.0 is HTTP-Redirect and HTTP-POST.
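As an added illustration of the two bindings named above (example code, not OneSpan Sign's own), the block below encodes a SAML 2.0 AuthnRequest the way each binding carries it and decodes it back: HTTP-Redirect uses raw DEFLATE plus base64 in a URL query string, while HTTP-POST uses plain base64 in a hidden form field. The request XML, issuer and AssertionConsumerServiceURL are constructed placeholders, not OneSpan Sign endpoints.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest; the URLs are placeholders for illustration.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example-id-1" Version="2.0" IssueInstant="2025-01-14T10:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_binding_query(request_xml: str, relay_state: str = "") -> str:
    # HTTP-Redirect: raw DEFLATE (no zlib header, wbits=-15), base64,
    # then URL-encode as the SAMLRequest query parameter. A signed request
    # would add SigAlg and Signature parameters; signing is not shown here.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query: str) -> str:
    # Reverse of redirect_binding_query: URL-decode, base64-decode, inflate.
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_binding_field(request_xml: str) -> str:
    # HTTP-POST: the XML is only base64-encoded and placed in a form field.
    return base64.b64encode(request_xml.encode("utf-8")).decode("ascii")


def decode_post_binding(field: str) -> str:
    return base64.b64decode(field).decode("utf-8")


def request_summary(request_xml: str) -> dict:
    # Parse the decoded request and extract the fields a Service Provider
    # would check and log: request ID, Issuer and the ACS URL it names.
    root = ET.fromstring(request_xml)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"),
            "issuer": issuer.text if issuer is not None else None,
            "acs": root.get("AssertionConsumerServiceURL")}
```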


The following sections contain information that is relevant to getting started with SAML on OneSpan Sign:

Configuring One or More Accounts for Senders

This section is relevant only if you want to configure SSO for "senders" (members of a OneSpan Sign account).

One of the following topics applies to your situation:

Configuring a Single Account

OneSpan Sign has a setting for single accounts, called Sender Auto Provisioning. Auto-provisioning is enabled for an account when the parameter allowSenderCreation in the file saml.config has a defined value of true. This feature is enabled by default.

If this feature is enabled, the first time a sender tries to log in via SSO, OneSpan Sign will create an account for them, and will give them access to OneSpan Sign's User Interface for senders.

If this feature is disabled, an organization must manually add a sender to a OneSpan Sign account before they can log in via SSO.

SSO and Roles and Permissions

If Sender Auto Provisioning has been disabled, a sender will automatically be activated upon logging in for the first time (assuming that their activation status is Pending, not Locked). If Roles and Permissions have been enabled, this feature works in the following scenarios:

  • Pending user with no role

  • Pending user with role

  • Active user with no role

  • Active user with role

Configuring Multiple Accounts

Optionally, multiple OneSpan Sign accounts can be configured to use the same Identity Provider for SSO.

Optional Account Settings for Senders

This section is relevant only if you want to configure SSO for "senders" (members of a OneSpan Sign account).

The following optional SSO-related settings can be configured at the account level:

Force SSO Login

To force the senders on an account to log in to OneSpan Sign via SSO, you must enable SSO login at the account level. To arrange this, please contact our Support Team.

This setting will block users from accessing OneSpan Sign via its Login page.

Custom Redirection URLs

In response to certain events, OneSpan Sign by default redirects users back to OneSpan Sign's main Login page.

This may be undesirable when using SSO, since a typical user will not have a username or password for that page (instead they use an SSO login URL).

The best practice is to override these redirection URLs. Thus you should provide URLs of your choice for the following:

  • Handover URL: For more information, see Handover URLs.

  • Session timeout for sender: Senders will be redirected to this URL when their session times out.

  • Sender logout: Senders will be redirected to this URL when they log out of the OneSpan Sign application.

  • Session timeout for signer: Signers will be redirected to this URL when their session times out.

Sender Email Templates

OneSpan Sign's SAML feature has email templates that can be used to send email notifications to senders under the following conditions:

  • Forgot your password

  • Opt out

  • Decline

  • Account invitation

  • Expire

  • Bounced

  • Complaint

  • Out of the office

  • Reassign sender

  • Ready to complete

  • Lock signer

  • Login lockout

  • KBA failure

This feature is not supported in FedRAMP environments.