# SSO

Cellosign has a built-in authentication and authorization system, but you can also hook Cellosign up to your SSO/IdP (identity provider) application to provide user authentication. For that purpose, Cellosign is already equipped with a SAML2 IdP integration. This integration works with any SAML application, such as Okta or Azure AD.

## Why do I need this?

If your organization is already coupled with an IdP application, then you are already managing user access to resources; from that perspective Cellosign is a service provider (SP) that can be mapped to a group of users with a set of permissions.

The alternative is to self-manage users within Cellosign and make sure that every new employee has a Cellosign account and that the account is blocked when they leave. In terms of information security, you can control access and authentication requirements with your IdP seamlessly.

## How it works

The goal of the integration is to retain user credentials in a single place, the identity provider (IdP), and use them in Cellosign, as a service provider (SP), for authentication.

A user requests a resource from the Cellosign application that requires authentication, such as access to the template editor or initiating a business process. Let's assume this is a first-time user. The process works as follows:

1. The user accesses a Cellosign resource (through the browser).
2. Cellosign identifies that the resource is coupled with your IdP.
3. Cellosign redirects the request to your IdP for authentication.
4. On successful authentication, Cellosign records user details such as name and email and marks the user's record as managed by the IdP.
5. Once the user has been automatically registered, they are redirected to the requested resource.

Notes:

- Cellosign keeps some data about the user, since the application requires some level of engagement such as emails, alerts and other notifications.
- Cellosign does not keep user passwords.
- For a returning user the process is much the same: instead of creating the user, Cellosign validates and updates the user's details.

## Integration strategy

Client structure in Cellosign works as follows:

- An organization is the top-level entity.
- Within an organization there are "projects". Some resources are shared at the organization level; others are project specific.
- Users are mostly coupled with projects. For example, users from the HR department require exclusive rights to HR business processes, and the digital department requires exclusive rights to its own.
- Some users need access rights to more than one department, or even to the entire organization's resources, for example support or implementation staff.

Integration with your IdP can work on the organization, project and user layers. See details in the setup section.

## Setting up IdP integration

To integrate Cellosign with your IdP, the two need to be coupled in both directions. Before you start, you will need:

- Your Cellosign domain
- Your project(s) in Cellosign
- A role assignment strategy. For a quick start you may choose to assign minor permissions automatically in Cellosign.

### Step 1: Integrating the IdP to Cellosign

In your IdP, edit the Entity ID, which is the globally unique ID of the service provider. With Cellosign the components are:

https://domain/project/saml2_auth/acs/

For example, assuming this is an integration with the shared cloud production environment and your project is "digital", your Entity ID would be:

https://app.cellosign.com/digital/saml2_auth/acs/

The same value also goes into the ACS, which is the URL for the callback. (The screenshot from Azure AD shows where Entity ID and ACS [Reply URL] are set.) Make sure to get the metadata URL (aka federation metadata URL) or download the metadata XML file; you will need it for the next step.

### Step 2: Integrating Cellosign to the IdP

Follow the steps below to set up the Cellosign integration:

1. At the dashboard, click Integrations.
2. Locate the SSO integration pane.
3. Click "Add" and continue with the table below for an explanation of the setup.

SAML2 integration pane:

| Field | What it's for |
| --- | --- |
| Alias | Enter an alias for your integration. |
| Metadata | Insert the federation metadata URL or upload the XML metadata file. |
| Use on company level | Check if you require this integration at the organization level. |
| Force authentication | Check if you require to force this integration for authentication and disable any other type. |
| Claims | Map user details from the IdP. Claim definitions must be identical in the IdP and Cellosign (they are case sensitive). For a user-friendly operation, map all fields. See the example in the screenshot. |
| Role assignments | See details below. |

### Role assignments

The steps above are about authentication; this step is about authorization. There are a couple of options here:

1. The most common implementation. When a new user is introduced, they are assigned the lowest permissions or no permissions at all. The permission level, if it needs to be upgraded or set up, is controlled in the Cellosign application by your admin user.
2. Authorization is controlled by a claim or by a list of groups. A list of groups is useful when your users are diverse; for example, a user may have lower permissions on Project A and higher permissions on Project B. (Keep in mind that these permissions can be set both manually and automatically with the proper setup.)

For option one, select "Do not assign user role" to grant no permissions at all, or "Assign default role" and then select the appropriate role. Select "Agent" for minimal permissions.

For option two, you are able to:

- Select role from a claim
- Select role from a list of groups

To select the role from a claim, insert the claim name. The value of the claim should be one of:

- "agent": for lower permissions
- "manager": for project admin
- "company_manager": for organization administration

To get the role from a list of groups:

1. Insert the claim.
2. Insert the ID for the project admins group. This ID represents a list of projects in Cellosign that the user will be associated with for project admin permissions, for example: ["hr","it"]
3. Insert the ID for the agents group. This ID represents a list of projects in Cellosign that the user will be associated with for agent permissions.

Note: project names should be identical to those in Cellosign.
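As an added example (not Cellosign's own code), the following Python shows the mechanical parts of Step 1 and of the role assignment step: building the SP Entity ID/ACS value from domain and project, reading claims from a SAML AttributeStatement with case-sensitive names, and applying the four role-assignment options. The configuration dictionary shape, the mapping from IdP group IDs to Cellosign project names, and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Role-claim values the page lists; any other value is treated as "no role" (assumption)
ROLE_VALUES = {"agent", "manager", "company_manager"}

def sp_urls(domain, project):
    """Entity ID and ACS (callback) share one value: https://domain/project/saml2_auth/acs/"""
    url = f"https://{domain}/{project}/saml2_auth/acs/"
    return {"entity_id": url, "acs_url": url}

def assertion_attributes(assertion_xml):
    """Collect {Name: [values]} from the AttributeStatement.
    Names are kept case-sensitive, as the claim mapping in Cellosign is."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs

def resolve_authorization(attrs, cfg):
    """Apply the role-assignment option chosen in the SSO pane (cfg shape is hypothetical).
    Returns {project_name: role}; "*" means every project the integration covers."""
    mode = cfg["mode"]
    if mode == "none":                      # "Do not assign user role"
        return {}
    if mode == "default":                   # "Assign default role"
        return {"*": cfg["default_role"]}
    if mode == "claim":                     # "Select role from a claim"
        values = attrs.get(cfg["role_claim"], [])
        return {"*": values[0]} if values and values[0] in ROLE_VALUES else {}
    if mode == "groups":                    # "Select role from list of groups"
        groups = set(attrs.get(cfg["groups_claim"], []))
        result = {}
        if cfg["agent_group_id"] in groups:
            result.update({p: "agent" for p in cfg["agent_projects"]})
        if cfg["admin_group_id"] in groups:   # admin wins where both groups cover a project
            result.update({p: "manager" for p in cfg["admin_projects"]})
        return result
    raise ValueError(f"unknown role assignment mode {mode!r}")

# Constructed sample assertion fragment for the demo (not a real IdP response)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>j.doe@example.org</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="cellosign_role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>grp-admins-0001</saml:AttributeValue>
<saml:AttributeValue>grp-agents-0002</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Looking up the claim with a differently cased name returns no role, which is the failure mode the Claims row of the table warns about.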