Getting Started
The following sections contain information that is relevant to getting started with SAML on OneSpan Sign:
- Configuring One or More Accounts for Senders
- Optional Account Settings for Senders
- Configuring SSO for Recipients
Configuring One or More Accounts for Senders
This section is relevant only if you want to configure SSO for "senders" (members of a OneSpan Sign account).
One of the following topics applies to your situation:
Configuring a Single Account
OneSpan Sign has a setting for single accounts, called Sender Auto Provisioning. Auto-provisioning is enabled for an account when the parameter allowSenderCreation in the file saml.config has a defined value of true. This feature is enabled by default.
If this feature is enabled, the first time a sender tries to log in via SSO, OneSpan Sign will create an account for them, and will give them access to OneSpan Sign's User Interface for senders. Note that this means every user your Identity Provider is willing to assert to OneSpan Sign becomes a sender, so control who is assigned to the OneSpan Sign application on the Identity Provider side.
If this feature is disabled, an organization must manually add a sender to a OneSpan Sign account before that sender can log in via SSO.
SSO and Roles and Permissions
If Sender Auto Provisioning has been disabled, a sender who has been added to the account manually will automatically be activated upon logging in via SSO for the first time (assuming that their activation status is Pending, and not Locked). If Roles and Permissions have been enabled, this feature works in the following scenarios:
- Pending user with no role
- Pending user with role
- Active user with no role
- Active user with role
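The interaction between allowSenderCreation and a sender's activation status is easiest to see as a small model. The following is an added example, not OneSpan Sign's own code: the Sender and Account types, the status names, the functions and the sample account are assumptions, and the model also assumes that a Pending sender is activated on first SSO login whether or not auto-provisioning is enabled. projected_sender_access() is the check a practitioner wants before enabling auto-provisioning: given the list of identities the Identity Provider can assert, it predicts who ends up with a sender account.

```python
"""Model of a sender's first SSO login to OneSpan Sign (added illustration,
not OneSpan code; types, status names and functions are assumptions)."""
import copy
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

PENDING, ACTIVE, LOCKED = "Pending", "Active", "Locked"


@dataclass
class Sender:
    email: str
    status: str
    role: Optional[str] = None  # only meaningful when Roles and Permissions is enabled


@dataclass
class Account:
    # saml.config allowSenderCreation; true (auto-provisioning on) is the default
    allow_sender_creation: bool = True
    senders: Dict[str, Sender] = field(default_factory=dict)


def decide_sso_login(account: Account, asserted_email: str) -> str:
    """Outcome of one SSO login for the identity the IdP asserts.

    "created"   unknown sender auto-provisioned (only if allowSenderCreation is true)
    "activated" Pending sender activated on first login (its role, if any, is kept)
    "allowed"   already Active sender logged in
    "denied"    Locked sender, or unknown sender while auto-provisioning is off
    """
    key = asserted_email.lower()
    sender = account.senders.get(key)
    if sender is None:
        if not account.allow_sender_creation:
            return "denied"  # must be added to the account manually first
        account.senders[key] = Sender(key, ACTIVE)
        return "created"
    if sender.status == LOCKED:
        return "denied"  # a Locked sender is never auto-activated
    if sender.status == PENDING:
        sender.status = ACTIVE  # role is left untouched
        return "activated"
    return "allowed"


def projected_sender_access(account: Account, idp_users: Iterable[str]) -> Dict[str, str]:
    """Predict the outcome for every identity the IdP can assert to OneSpan Sign.

    Runs against a copy so the real account state is not modified. With
    auto-provisioning on, every IdP user assigned to the application becomes a
    sender; this is the list to review before enabling it.
    """
    scratch = copy.deepcopy(account)
    return {user: decide_sso_login(scratch, user) for user in idp_users}


# Constructed sample: four pre-added senders, plus two IdP users not in the account.
SAMPLE_ACCOUNT = Account(allow_sender_creation=False, senders={
    "pending@example.com": Sender("pending@example.com", PENDING),
    "manager@example.com": Sender("manager@example.com", PENDING, role="Manager"),
    "active@example.com": Sender("active@example.com", ACTIVE, role="Sender"),
    "locked@example.com": Sender("locked@example.com", LOCKED),
})
IDP_USERS = list(SAMPLE_ACCOUNT.senders) + ["newhire@example.com", "Contractor@Example.com"]

if __name__ == "__main__":
    for mode in (False, True):
        acct = Account(allow_sender_creation=mode, senders=SAMPLE_ACCOUNT.senders)
        print(f"allowSenderCreation={str(mode).lower()}:")
        for user, outcome in projected_sender_access(acct, IDP_USERS).items():
            print(f"  {user:28} {outcome}")
```

Run it with auto-provisioning off and the two unknown identities are denied; flip the setting on and they are created as Active senders on their first login, while the Locked sender stays denied in both modes.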
Configuring Multiple Accounts
Optionally, multiple OneSpan Sign accounts can be configured to use the same Identity Provider for SSO.
Optional Account Settings for Senders
This section is relevant only if you want to configure SSO for "senders" (members of a OneSpan Sign account).
The following optional SSO-related settings can be configured at the account level:
Force SSO Login
To force the senders on an account to log in to OneSpan Sign via SSO, you must enable SSO login at the account level. To arrange this, please contact our Support Team.
This setting will block users from accessing OneSpan Sign via its Login page.
Custom Redirection URLs
In response to certain events, OneSpan Sign by default redirects users back to OneSpan Sign's main Login page.
This is undesirable when using SSO, since a typical SSO user has no username or password for that page (they log in via an SSO login URL instead), and a page that asks for one invites them to type IdP credentials into the wrong form.
The best practice is to override these redirection URLs with URLs you control. Thus you should provide URLs of your choice for the following:
| URL | Definition |
|---|---|
| Handover URL | For more information, see Handover URLs. |
| Session timeout for sender | Senders will be redirected to this URL when their session times out. |
| Sender logout | Senders will be redirected to this URL when they log out of the OneSpan Sign application. |
| Session timeout for signer | Signers will be redirected to this URL when their session times out. |
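Because these four URLs are where senders and signers land after a logout or timeout, they are worth checking before you hand them to Support. The following is an added example, not OneSpan Sign's own code or tooling: the setting names, the allowed-host list and the check functions are assumptions. It enforces what a practitioner would want of a redirect target (HTTPS only, a host you control, no embedded credentials, and no setting left empty so that the default Login page is used).

```python
"""Sanity check for custom SSO redirection URLs (added example; setting names,
ALLOWED_HOSTS and the check functions are assumptions, not OneSpan code)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Hosts you control (assumed). A host matches exactly or as a subdomain.
ALLOWED_HOSTS = {"sso.example.com", "intranet.example.com"}

# Assumed names for the four account-level redirect settings described above.
REDIRECT_SETTINGS = (
    "handover_url",
    "sender_session_timeout_url",
    "sender_logout_url",
    "signer_session_timeout_url",
)


def _host_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def check_redirect_url(url: str) -> List[str]:
    """Return the problems found with one URL; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username is not None or parts.password is not None:
        # "https://good.example.com@evil.example.net/" parses as user "good.example.com"
        problems.append("URL must not embed credentials (user@host form)")
    if not parts.hostname:
        problems.append("missing host")
    elif not _host_allowed(parts.hostname):
        problems.append(f"host {parts.hostname!r} is not in ALLOWED_HOSTS")
    return problems


def check_redirect_urls(settings: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every redirect setting; returns only the settings that have problems."""
    findings = {}
    for name in REDIRECT_SETTINGS:
        url = settings.get(name)
        if not url:
            findings[name] = ["not set; OneSpan Sign falls back to its Login page"]
            continue
        problems = check_redirect_url(url)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample with one good value and three typical mistakes.
SAMPLE_SETTINGS = {
    "handover_url": "https://intranet.example.com/esign/done",
    "sender_session_timeout_url": "http://sso.example.com/login",          # plain http
    "sender_logout_url": "https://sso.example.com@evil.example.net/",       # lookalike via userinfo
    # signer_session_timeout_url deliberately left unset
}

if __name__ == "__main__":
    for name, problems in check_redirect_urls(SAMPLE_SETTINGS).items():
        print(f"{name}: {'; '.join(problems)}")
```

The userinfo case is the one most often missed by eye: the URL starts with your SSO host, but the browser would send the user to the host after the "@".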
Sender Email Templates
OneSpan Sign's SAML feature has email templates that can be used to send email notifications to senders under the following conditions:
- Forgot your password
- Opt out
- Decline
- Account invitation
- Expire
- Bounced
- Complaint
- Out of the office
- Reassign sender
- Ready to complete
- Lock signer
- Login lockout
- KBA failure
The above email templates contain the variable $LINK_URL, which by default redirects senders to OneSpan Sign's Login page. When using SSO, you will instead want it to redirect senders to the SSO URL. To arrange this, please contact our Support Team. Note: Switching $LINK_URL to the SSO URL applies to all of the templates above, so senders can no longer use the Forgot Password link on OneSpan Sign's main page (which is expected, since their credentials are held by the Identity Provider).
The Account invitation email will not be sent to senders if they are auto-provisioned upon SSO login (see Configuring a Single Account), or if they are provisioned via the REST API or SDK.
Configuring SSO for Recipients
This section is relevant only if you want to configure SSO for "recipients" (not members of a OneSpan Sign account).
For a given transaction, SSO authentication can be assigned to one or more "recipients" in either of the following ways: