Single Sign-On (SSO)

Papertrail supports single sign-on via SAML 2.0 integration. SAML (Security Assertion Markup Language) is an industry standard used to provide single sign-on (SSO) by authenticating against a particular identity provider (IdP). Users can log into their Active Directory domain or intranet and have immediate access to Papertrail.

When SSO is enabled, all users must authenticate against the IdP, except the owner, who can also log in with a service account.

Configure SAML

This feature is only available to the account owner. It can be configured via the Security section under the Account page. To start configuring SAML, click the Enable SAML button.

[image: enable-saml]

This opens the SAML configuration page shown below.

[image: sso-settings]

To create a SAML configuration:

  1. Enter the three URLs displayed in the SSO Service URLs section into your Identity Provider (IdP).
  2. Enter the following information from the Identity Provider into this screen:
    • Issuer (Entity ID)
    • SAML URL
    • Single Logout URL (optional)
    • Identity Provider Certificate
  3. Save the configuration.
  4. Once the configuration has been saved, it can be enabled using the “switch” in the upper right corner. Enabling it logs out all users except the owner.
  5. Users can now log in (and authenticate) either via the IdP or the dedicated login screen (see The SSO login screen below).

From this page, the owner can then:

  • Edit or remove SAML configuration
  • Disable and re-enable SAML integration using the “switch” in the upper right corner

The owner can invite new users known to the IdP into the SAML-enabled organization. Note that existing members cannot be invited.

This feature does not support the following:

  • Integrating an organization with a SAML IdP where one or more of its members also belong to another organization
  • Inviting a new user who is already a member of another organization
  • Enabling SAML integration for more than one organization against the same IdP

The SSO login screen

The SSO login screen for Papertrail can be accessed from the standard login screen.

[image: sso-login]

To log in, only the organization member’s email address is required.

Differences between Identity Providers

Please note that SSO configuration can vary between Identity Providers. The following list provides links to the appropriate IdP documentation: