HelloSign SAML SSO configuration

Enabling SAML SSO on HelloSign

Admins on a Premium plan can enable SAML SSO in their account settings or the admin console.

In order to complete setup, you’ll need the following information from your IDP:

• Identity Provider Single Sign-On URL
• Identity Provider Issuer
• X.509 Certificate

How to enable SAML SSO 

In your account settings:

1. Sign in to your account.
2. Hover over your email address in the upper-right corner.
3. Select My Settings from the dropdown menu. 
4. Click Team in the left sidebar and scroll to SAML SSO.
5. Enter the information from your IDP and click Save. 

In the admin console:

1. Sign in to your admin account.
2. Hover over your email address in the upper-right corner.
3. Select Admin Console from the dropdown menu.
4. Click Security in the left sidebar and locate SSO.
5. Enter the information from your IDP and click Save. 

Notes: 

• When setting up SAML for the first time, leave the Allow standard logins for admins option checked, so you can log in with a username and password if the setup is unsuccessful. If you don’t, you could be locked out of your account.
• HelloSign does not currently support SCIM.

Optional settings

Allow standard logins for admins (recommended while testing).

Even after SAML SSO is enabled, admins can continue to log in to HelloSign with their username and password. This is recommended during testing. Once the SAML SSO connection is verified to function properly, you can disable this for optimal security.

IDP Side Setup

IDP setup flows and default values vary. See below for an example using Okta.

1. Create a new SAML 2.0 web application and name it “HelloSign”.

2. Your IDP will require the following pieces of information exactly as typed below (capitalization matters.)

• Signon URL (ACS URL): https://app.hellosign.com/account/ssoLogIn
• Audience URI (SP Entity ID): https://app.hellosign.com
• Name ID Format: EmailAddress
• Application username: Email
• Attributes Statements:
• - FirstName --> user.firstName
• - LastName --> user.LastName

3. (Optional) Encrypt the SAML assertion and upload the PEM certificate file. You can leave the standard defaults as displayed in the screenshot.

OneLogin

If OneLogin is your organization's SAML SSO provider, please note the following:

1. ACS Consumer URL and Recipient fields
• https://app.hellosign.com/account/ssoLogIn
2. The ACS(Consumer) URL Validator field
• ^https:\/\/app\.hellosign\.com\/account\/ssoLogIn$

Microsoft Azure AD

HelloSign Settings

1. Identity Provider Single Sign-On URL: 
2. https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxx/saml2 
   
   1. Referred to as "Login URL" in AzureAD
3. Identity Provider Issuer: 
4. https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxx-xxxxxx/ 
   
   1. Referred to as "Azure AD Identifier" in AzureAD
5. X.509 Certificate:
   
   1. Use "Certificate (Base64)"
   2. WITHOUT "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" as single line string (no line breaks)

Azure AD Settings

1. Identifier (Entity ID): 
2. https://app.hellosign.com 
3. Reply URL (Assertion Consumer Service URL): 
4. https://app.hellosign.com/account/ssoLogIn
5. Sign on URL: [empty]
6. Relay State: [empty]
7. User Attributes & Claims:

Testing

Once both setups are complete, navigate to your IDP and assign the newly created HelloSign application to the HelloSign admin who initially setup SAML. Open the HelloSign app in a new tab and ensure you are logged out. Then go back to the IDP and click on the SSO link for HelloSign. You should be automatically logged into HelloSign as that admin account.

You can repeat the process for other test "member" accounts. Once your testing has concluded and you are ready to switch over, you can uncheck the Allow standard logins for admins option and save your SSO settings.