Configure Single Sign-On (SSO)
View our Pricing & Plans for a detailed list and comparison of features available in each plan.
Docubee supports Single Sign-On (SSO) configuration. SSO is an effective way to reduce threats from hackers because users can only log in using one set of credentials per day. Reducing logins to one set of credentials improves enterprise security.
Note: Service-Provider-initiated SSO is the only SSO implementation supported by Docubee. Identity-Provider-initiated SSO is not offered at this time.
Let’s dive into how you can set this up for your organization in Docubee.
In this article:
- What is SSO?
- Docubee supported SSO features
- SSO configuration in Docubee
- SSO set up steps
- User provisioning
Before you Begin
SSO setup and configuration is a complex subject. It requires knowledge of SSO fundamentals and in-depth knowledge of your Identity Provider (IdP), such as Microsoft Azure AD, Okta, or Google Workspace for this implementation. This is a technical article meant for individuals in a technical IT role.
What is Single Sign-On?
Single Sign-On (SSO) is a technology that allows users to authenticate themselves once, and gain access to multiple applications and systems without having to log in to each individual application. In other words, SSO enables users to use a single set of credentials (such as a username and password) to access multiple applications and systems.
The advantages of SSO for an organization are numerous. First, SSO improves productivity and user experience by eliminating the need for users to maintain multiple login credentials. Second, SSO enhances security by reducing the risk of weak passwords and password reuse, which are common security vulnerabilities. Additionally, SSO allows for centralized control of user access, making it easier to manage user permissions and revoke access when necessary.
Docubee Supported SSO Features
Docubee SSO supports the following features:
- Use of Microsoft Azure AD, Okta, or Google Workspace as the Identity Provider
  - An SSO Identity Provider (IdP) is a system that provides authentication and authorization services for users accessing multiple applications and systems within an organization.
- Service-Provider-initiated SSO
  - An SSO Service Provider (SP) is a system that provides access to applications and services for users who have been authenticated by an SSO IdP.
  - Docubee acts as an SSO SP.
  - SP-initiated SSO is a type of SSO where the user initiates the authentication process by accessing a service or application provided by the SP.
  - Service-Provider-initiated SSO is the only SSO implementation supported by Docubee.
  - Identity-Provider-initiated SSO is not offered at this time.
- Just-In-Time User Provisioning
  - Just-In-Time (JIT) User Provisioning is a process that automatically creates user accounts and provisions (provides) access to applications and systems when a user attempts to log in for the first time.
SSO Configuration in Docubee
The Configuration Basics section provides a high-level outline of the configuration process, and the SSO Set Up Steps section walks you through it.
Configuration Basics
- SSO is configured for a Docubee organization.
- You must contact us to begin the SSO configuration process for your organization.
- You must configure one or more email domains for your SSO-enabled organization.
  - During login, the email domain portion of a user’s email address is used to determine if the user is a member of an SSO-enabled organization.
Important: A specific email domain can be associated with only one SSO-enabled organization.
- Configuration involves setting up both the IdP app (Microsoft Azure AD, Okta, or Google Workspace) and Docubee.
SSO Set Up Steps
Set up SSO using the following steps:
- Provide Initial Setup Information to Docubee
- Connect Docubee with your IdP
- Test Configuration
- Enable Configuration
Step 1: Provide Initial Setup Information to Docubee
To begin the setup process, please contact us.
You will need to provide us the following information:
- The name of the Docubee organization for which you would like to set up SSO.
- One or more email domains to be registered with your organization.
  - For example: mycompany.com
We will perform the initial setup of the SSO configuration for your organization and will inform you when you can proceed with the following steps.
Step 2: Connect Docubee with your IdP
This step includes configuring the IdP and configuring your Docubee organization. See the IdP-specific articles listed under Related Information for more information.
Step 3: Test Configuration
Have you completed all of the above configuration steps? Now test your configuration:
- Navigate back to your Docubee Settings and click TEST SSO CONFIGURATION.
  - This will exercise the steps used during login to ensure that both sides are configured correctly.
  - Any errors found will be reported in the popup window. Note the errors and follow the instructions provided to resolve any issues.
Step 4: Enable Configuration
After successfully testing your settings and adding all of your users to the Docubee Enterprise Application, you are ready to enable SSO.
- Enable one or more of your configured email domains by toggling the associated switch and clicking UPDATE SSO CONFIGURATION.
Important: Proceed with caution.
- Once a domain is enabled, users will only be able to access the organization by using SSO.
- Only users with an email address containing one of the enabled domains will be able to access the organization.
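An added example, not part of the original article and not Docubee code: a pre-enablement audit that sorts current members into those who keep access and those who would be locked out once a domain is switched on. The function names, the sample addresses, and the exact-match rule for domains (a subdomain counts as a different domain) are assumptions made for illustration.

```python
# Added illustration: pre-enablement audit for Step 4. All names and data here
# are hypothetical; this is not a Docubee API.

def email_domain(address):
    """Return the lower-cased domain portion of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def audit_before_enable(members, domains_to_enable, idp_assigned):
    """Classify current organization members before SSO is enforced.

    members           -- email addresses of current organization members
    domains_to_enable -- configured email domains about to be switched on
    idp_assigned      -- addresses assigned to the Docubee application in the IdP
    Assumption: a domain matches only exactly, so a subdomain is a different domain.
    """
    enabled = {d.strip().lower() for d in domains_to_enable}
    assigned = {a.strip().lower() for a in idp_assigned}
    report = {"ok": [], "outside_enabled_domains": [],
              "not_assigned_in_idp": [], "malformed": []}
    for address in members:
        domain = email_domain(address)
        if domain is None:
            report["malformed"].append(address)
        elif domain not in enabled:
            # Step 4: only addresses in an enabled domain keep access.
            report["outside_enabled_domains"].append(address)
        elif address.strip().lower() not in assigned:
            # In the domain, but not yet added to the application in the IdP.
            report["not_assigned_in_idp"].append(address)
        else:
            report["ok"].append(address)
    return report


# Constructed sample data (not real accounts).
MEMBERS = ["alice@mycompany.com", "Bob@MyCompany.com", "carol@partner.example",
           "dave@eu.mycompany.com", "erin@mycompany.com", "broken-address"]
IDP_ASSIGNED = ["alice@mycompany.com", "bob@mycompany.com"]

if __name__ == "__main__":
    result = audit_before_enable(MEMBERS, ["mycompany.com"], IDP_ASSIGNED)
    for bucket, addresses in result.items():
        print(f"{bucket}: {addresses}")
```

Resolve every address outside the "ok" bucket, and confirm at least one organization administrator is inside it, before clicking UPDATE SSO CONFIGURATION.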
User Provisioning
There are two ways new users can be added to your SSO organization:
- Just-In-Time (JIT) Provisioning
- Organization Invitation
Remember that before users can access a Docubee SSO organization, they must have accounts in your IdP, and they must be added to the Docubee Enterprise Application in your IdP.
JIT Provisioning
The easiest way to add new users to an SSO organization is with JIT provisioning.
Using JIT provisioning, when a new user attempts to log in with an email address containing one of your organization’s configured email domains:
- the user will be authenticated,
- a Docubee user account will be automatically created (if it does not already exist), and
- the user will be added to the SSO organization.
No further action is required to set up the user account. If Azure AD, Okta, or Google Workspace has been configured with the user’s first and last name, this information will be used to populate the user’s account profile.
To initiate JIT provisioning, have your users access https://docubee.app/login and enter their email address.
Organization Invitation
If you want to explicitly invite users to join your SSO organization, you can send them an invitation. See Add, Update, and Remove Organization Members for more information.
When a user accepts the invitation, the user will be authenticated and then added to the organization.
Related Information
Configure Azure AD with Docubee
Configure Okta with Docubee
Configure Google Workspace with Docubee