Enabling SAML SSO on HelloSign
Enabling SAML with HelloSign requires an Enterprise Plus Subscription and administrator access.
If you have both of these, you can enable SAML SSO by logging in to HelloSign with an admin account, then clicking your email address in the upper-right corner of the menu. Select "Settings", then click the "Team" section of your settings. Scroll down to the middle of the page to find the SAML SSO section.
IMPORTANT: When setting up SAML for the first time, keep the "Allow standard logins for admins" option checked so that you can still log in with a username and password if the setup is unsuccessful. Failure to do this could lock you out of your account.
To complete setup, you will need the following pieces of information, which your IDP should provide:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
Take these pieces of information and paste them in the appropriate fields in the SAML SSO settings area, then click "Save" at the bottom of the screen.
Note: The SAML SSO optional settings are explained below:
- Allow standard logins for admins (recommended while testing)
  - Even after SAML SSO is set up and enabled, admins can continue to log in to HelloSign with their username and password. This is recommended during testing; once the SAML SSO connection is verified to be functioning properly, it is recommended to disable this option for optimal security.
- Allow just-in-time (JIT) provisioning
  - If this option is enabled and a user signs in to HelloSign via SSO from an IDP, and that user account does *not* currently exist in our database, the account will be automatically created and added to the team. Note: If the account exists but is a free account or belongs to another team, an invitation will be sent to that user to join the team.
- Allow provisioning (JIT, SCIM) to increase my max seats (will incur charge)
  - If this option is selected, JIT or SCIM provisioning can always add new seats, even beyond the license capacity of the original enterprise agreement.
IDP Side Setup
Every IDP will be a little different depending on its setup flow and default values. We are attaching screenshots of a fairly common IDP called Okta, but the information should be transferable. Please use the information below as an example.
- Create a new SAML 2.0 Web Application and name it "HelloSign".
- Your IDP will require the following pieces of information EXACTLY as typed below (capitalization matters):
  - Sign-on URL (ACS URL): https://app.hellosign.com/account/ssoLogIn
  - Audience URI (SP Entity ID): https://app.hellosign.com
  - Name ID Format: EmailAddress
  - Application username: Email
  - Attribute Statements:
    - FirstName --> user.firstName
    - LastName --> user.lastName
- (Optional) Encrypt the SAML assertion and upload the PEM certificate file. You can leave the standard defaults as displayed in the screenshot.
If OneLogin is your organization's SAML SSO provider, please note the following fields:
- The ACS (Consumer) URL and Recipient fields
- The ACS (Consumer) URL Validator field
Microsoft Azure AD
- HelloSign Settings
  - Identity Provider Single Sign-On URL: referred to as "Login URL" in Azure AD
  - Identity Provider Issuer: referred to as "Azure AD Identifier" in Azure AD
  - X.509 Certificate:
    - Use "Certificate (Base64)"
    - Paste it as a single-line string WITHOUT the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines and without line breaks
- Azure AD Settings
  - Identifier (Entity ID):
  - Reply URL (Assertion Consumer Service URL):
  - Sign on URL: [empty]
  - Relay State: [empty]
  - User Attributes & Claims:
Once both setups are complete, navigate to your IDP and assign the newly created HelloSign application to the HelloSign administrator who initially set up SAML. Open the HelloSign app in a new tab and ensure you are logged out. Then go back to the IDP and click the SSO link for HelloSign. You should be automatically logged in to HelloSign as that admin account.
You can repeat the process for other test "member" accounts and even test JIT if you wish. Once your testing has concluded and you are ready to switch over completely, uncheck the "Allow standard logins for admins" option and save your settings.
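As an added example that is not part of the original article or HelloSign's own tooling, the Python helper below covers two of the steps above: converting the Azure AD "Certificate (Base64)" export to the single-line string without BEGIN/END lines, and checking that an assertion your IDP issues carries the HelloSign SP values (ACS URL as Recipient, Entity ID as Audience, EmailAddress NameID format, FirstName/LastName attribute statements) before you disable standard admin logins. The sample assertion is constructed, and the checker compares configuration fields only; it does not validate the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

# SP-side values HelloSign expects, taken from the IDP setup steps above.
EXPECTED_ACS_URL = "https://app.hellosign.com/account/ssoLogIn"
EXPECTED_AUDIENCE = "https://app.hellosign.com"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = {"FirstName", "LastName"}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def normalize_certificate(pem_text):
    """Return the single-line Base64 body HelloSign wants: no armor lines, no line breaks."""
    body = "".join(ln.strip() for ln in pem_text.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:  # a DER X.509 certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a DER-encoded X.509 certificate")
    return body

def check_assertion(xml_text):
    """Return mismatches between an assertion's SP-facing fields and the HelloSign
    settings (empty list = consistent). Configuration check only, no signature check."""
    problems = []
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_ACS_URL:
        problems.append(f"Recipient {recipient!r} != ACS URL {EXPECTED_ACS_URL!r}")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        problems.append(f"Audience {audience!r} != Entity ID {EXPECTED_AUDIENCE!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != EMAIL_NAMEID_FORMAT:
        problems.append(f"NameID Format {fmt!r} is not EmailAddress")
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRIBUTES - present):
        problems.append(f"missing attribute statement {name!r}")
    return problems

# Constructed sample (not captured from a real IDP): the Audience carries a
# trailing slash and LastName is absent, so two problems should be reported.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0">
 <saml:Subject><saml:NameID Format="{EMAIL_NAMEID_FORMAT}">jane@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{EXPECTED_ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://app.hellosign.com/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="FirstName"><saml:AttributeValue>Jane
  </saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

Run `check_assertion` on a decoded assertion captured from your own browser's SAML response during the admin test login; an empty list means the IDP fields match the values HelloSign expects.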