SignRequest offers several options to log in:
- Email address and password
- Your own credentials by using SAML
With the same email address you can use multiple ways of logging in.
You can however force one of the preferred methods for team accounts.
Please submit a ticket if you want to force a preferred method for your users.
How to enable SAML?
SignRequest supports SAML2 identity providers. SignRequest has to configure this manually, so contact us if you want to proceed.
We would need (see https://www.testshib.org/metadata/testshib-providers.xml):
- Name: e.g. shibboleth
- Entity id: e.g.: https://idp.testshib.org/idp/shibboleth
- SSO url: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
- X509cert: e.g.: MIIEDjCCAvagAwIBAgIBADA ... 8Bbnl+ev0peYzxFyF5sQA==
- Allowed email domains: Comma-separated email domains that are allowed to log in with this Identity Provider.
Optionally the attribute names for email address, first and last name can be modified.
- Attr email: The attribute where we get the email / permanent ID from. By default we look for "name_id", "email" and "urn:oid:0.9.2342.19200300.100.1.3" when this field is not set.
- Attr first name: The attribute where we get the first name from. By default we look for "urn:oid:18.104.22.168" when this field is not set.
- Attr last name: The attribute where we get the last name from. By default we look for "urn:oid:22.214.171.124" when this field is not set.
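
The following added example (not SignRequest's own code) shows how the "Attr email" fallback order and the "Allowed email domains" list described above can be evaluated together on the receiving side. The function names, the sample assertions and the choice of exact (not suffix) domain matching are assumptions made for illustration.

```python
# Added example; names are hypothetical and this is not SignRequest's implementation.
DEFAULT_EMAIL_ATTRS = ("name_id", "email", "urn:oid:0.9.2342.19200300.100.1.3")


def parse_allowed_domains(setting):
    """Split the comma-separated 'Allowed email domains' value into a set."""
    return {d.strip().lower().lstrip("@") for d in setting.split(",") if d.strip()}


def resolve_email(attributes, attr_email=None):
    """Return the first non-empty value of the configured attribute, or of
    the documented defaults when 'Attr email' is not set."""
    names = (attr_email,) if attr_email else DEFAULT_EMAIL_ATTRS
    for name in names:
        value = attributes.get(name)
        if isinstance(value, (list, tuple)):  # SAML attributes may be multi-valued
            value = value[0] if value else None
        if value and value.strip():
            return value.strip()
    return None


def is_login_allowed(attributes, allowed_domains_setting, attr_email=None):
    """Accept only when the resolved email's domain is exactly an allowed domain."""
    email = resolve_email(attributes, attr_email)
    if not email or email.count("@") != 1:
        return False
    local, domain = email.split("@")
    if not local or not domain:
        return False
    # Exact comparison (assumption): look-alike or suffixed domains must not
    # pass as "example.com".
    return domain.lower() in parse_allowed_domains(allowed_domains_setting)


# Constructed sample assertions (attribute name -> value), not real data.
SAMPLES = [
    {"name_id": "alice@example.com"},
    {"urn:oid:0.9.2342.19200300.100.1.3": ["bob@Example.COM"]},
    {"email": "mallory@evil-example.com"},
    {"email": "mallory@example.com.evil.test"},
    {"mail": "carol@example.com"},  # attribute name not among the defaults
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, is_login_allowed(sample, "example.com, example.org"))
```

The last sample is rejected with the defaults and accepted only when "Attr email" is set to `mail`, which is why an identity provider that releases the address under a different attribute name needs that field configured.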
Validation of DNS records
For security reasons SignRequest will need to validate that the customer has the right to enable SAML for SignRequest. The necessary steps are:
1. Send the above information to SignRequest at firstname.lastname@example.org. Please let us know if you also want to disable password login.
2. SignRequest will send instructions to add a TXT record to your DNS.
3. After you inform SignRequest, a check will be done and the integration will be activated.