SSO


Cellosign has a built-in authentication and authorization system. You can also hook up Cellosign to your SSO/IdP (identity provider) application to provide user authentication.

For that purpose, Cellosign is already equipped with SAML2/IdP integration. This integration works with any SAML application, such as Okta or Azure AD.

Why do I need this?

If your organization already uses an IdP application, then you are already managing user access to resources. From that perspective, Cellosign is a service provider (SP) that can be mapped to a group of users with a set of permissions.

The alternative is to self-manage users within Cellosign and make sure that each new employee has an account with Cellosign and that the account is blocked when the employee leaves. In terms of information security, you can control access and authentication requirements seamlessly with your IdP.

How does it work?

The goal of the integration is to retain user credentials in a single place, with the identity provider (IdP), and use them in Cellosign, as a service provider (SP), for authentication.

The way it works is that a user requests a resource from the Cellosign application that requires authentication, such as access to the template editor or initiating a business process. Let's assume this is a first-time user. The process works as follows:

  1. The user accesses a Cellosign resource (through the browser).
  2. Cellosign identifies that the resource is coupled with your IdP.
  3. Cellosign redirects the request to your IdP for authentication.
  4. On a successful authentication, Cellosign records user details such as name and email and marks the user's record as managed with the IdP.
  5. Once the user has been automatically registered, they are redirected to the required resource.

Notes:

  1. Cellosign keeps some of the user's data, since the application requires some level of engagement such as emails, alerts and other notifications.
  2. Cellosign does not keep users' passwords.

For a returning user the process is much the same: instead of creating the user, we validate and update the user's details.

Integration strategy

The client structure in Cellosign works as follows:

  1. The organization is the top-level entity.
  2. Within an organization there are one or more "projects". Some resources are shared at the organization level, others are project specific.
  3. Users are mostly coupled with projects. For example, users from the HR department require exclusive rights to HR business processes, and the Digital department requires exclusive rights as well.
  4. Some users need access rights to more than one department, or even access to the entire organization's resources, for example support or implementation.

Integration with your IdP can work at the organization, project and user layers. See details in the setup section.

Setting up Idp integration

To integrate Cellosign with your IdP, we need to couple them both ways. Before you start, you will need to:

  1. Get your Cellosign domain.
  2. Get your project(s) in Cellosign.
  3. Choose a role assignment strategy. For a quick start, you may choose to assign minor permissions automatically in Cellosign.

Step 1: Integrating Idp to Cellosign

In your IdP, edit the Entity ID, which is the globally unique ID of the service provider.

With Cellosign, the components are: https://domain/project/saml2_auth/acs/

For example, assuming this is an integration with the shared cloud production environment and your project is "digital", your Entity ID would be:
https://app.cellosign.com/digital/saml2_auth/acs/

The same value also goes into ACS, which is the URL for the callback.

The image on the right is taken from Azure AD for setting up Entity ID and ACS [Reply URL].

Make sure to get the metadata URL (also known as the federated data URL) or download the metadata XML file. You will need it for the next step.

Step 2: Integrating Cellosign to Idp

Follow the steps below to set up the Cellosign integration:

  1. At the dashboard, click Integrations.
  2. Locate the SSO integration pane.
  3. Click "Add" and continue with the table below for an explanation of the setup.

SAML2 INTEGRATION PANE

| Field | What it's for |
| --- | --- |
| Alias | Enter an alias for your integration |
| metadata | Insert the URL to the federated data or upload the XML metadata file |
| Use on company level | Check if you need to use this integration at the organization level |
| Force authentication | Check if you need to force this integration for authentication and disable any other type |
| Claims | Map user details from the IdP. Claim definitions must be identical in the IdP and Cellosign (they are case sensitive). For user-friendly operation, map all fields. See the example in the image on the right. |
| Role assignments | See details below |

Role assignments

The steps above are about authentication. This step is about authorization. There are a couple of options here:

  1. This is the most common implementation. When a new user is introduced, they are assigned the lowest permissions or no permissions at all. The permission level, if it needs to be upgraded or set up, is controlled in the Cellosign application by your admin user.
  2. Another option is that authorization is controlled by a claim or a list of groups. A list of groups is useful when your users are diverse; for example, a user may have lower permissions on Project A and higher permissions on Project B. (Keep in mind that these permissions can be assigned either manually or automatically with the proper setup.)

For option one, select "Do not assign user role" to grant no permissions at all, or "Assign default role" and then select the appropriate role. Select "Agent" for minimal permissions.

For option two, you are able to:

  1. Select role from a claim
  2. Select role from list of groups

To select the role from a claim, insert the claim name. The value of the claim should be one of:

  1. "agent": for lower permissions
  2. "manager": for project admin
  3. "company_manager": for organization administration

To get the role from a list of groups:

  1. Insert the claim.
  2. Insert the ID for the project admins group. This ID represents a list of projects in Cellosign that the user will be associated with for agent permissions, for example: ["hr", "it"]
  3. Insert the ID for the agents group. This ID represents a list of projects in Cellosign that the user will be associated with for agent permissions.

Note: Project names should be identical to those in Cellosign.
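The claim and role rules above can be checked against a test login before users hit the integration. The script below is an added example, not Cellosign code: it reads the AttributeStatement of a captured test assertion and reports claim names that differ in case, role values outside the three listed above, and project names that do not match. The claim name `cellosign_role`, the sample assertion and the project list are constructed, and exact (case-sensitive) matching of role values is an assumption.

```python
import xml.etree.ElementTree as ET  # for your own test capture; use defusedxml on untrusted XML

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_VALUES = {"agent", "manager", "company_manager"}  # values listed on this page

# Constructed sample: AttributeStatement from an IdP test login (not real data).
# "cellosign_role" is a hypothetical claim name chosen for this example.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">
 <saml:Attribute Name="name"><saml:AttributeValue>Dana Levi</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="givenName"><saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="surname"><saml:AttributeValue>Levi</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="EmailAddress"><saml:AttributeValue>dana@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="cellosign_role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def read_claims(xml_text):
    """Return {claim name: [values]} from a SAML 2.0 AttributeStatement."""
    claims = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue")]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def near_miss(wanted, available):
    """Name in `available` that equals `wanted` except for letter case, or None."""
    return next((a for a in available if a.lower() == wanted.lower()), None)

def preflight(claims, mapped_claims, role_claim, projects, cellosign_projects):
    """List mismatches between what the IdP sends and what the pane expects."""
    problems = []
    for wanted in [*mapped_claims, role_claim]:
        if wanted not in claims:
            hint = near_miss(wanted, claims)
            problems.append(f"claim {wanted!r} not sent" + (f"; IdP sends {hint!r}" if hint else ""))
    for value in claims.get(role_claim, []):
        if value not in ROLE_VALUES:  # assumption: role values are matched exactly
            problems.append(f"role value {value!r} is not agent/manager/company_manager")
    for project in projects:
        if project not in cellosign_projects:
            hint = near_miss(project, cellosign_projects)
            problems.append(f"project {project!r} unknown" + (f"; did you mean {hint!r}" if hint else ""))
    return problems

if __name__ == "__main__":
    for line in preflight(read_claims(SAMPLE), ["name", "givenName", "surname", "emailAddress"],
                          "cellosign_role", ["hr", "IT"], {"hr", "it", "digital"}):
        print("MISMATCH:", line)
```

This only compares names and values in a test capture; it does not verify the assertion's signature.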

Azure AD, EntraID Specifics

Set up Azure/Entra like so:

Metadata is a URL starting with https://login.microsoftonline.com/

Use the claims notation as demonstrated: name, givenName, surname, emailAddress

If you need to use an assignment policy per claim, set it up like so:
