The short answer: Domain-based single sign-on (SSO) enables your users to log in to multiple applications using a single username and password. This article covers the SAML data and attributes your identity provider (IDP) needs to connect to Proof.
This is step 3 of the domain-based SSO setup. Select a step below to navigate, or read the domain-based SSO overview for the full picture.
- Verify your domain
- Set up single sign-on in your Proof account
- Set up SAML configurations with your identity provider for SSO → You are here
Proof SAML data
The identity provider (IDP) needs the following Proof SAML data configured:
- Entity (or issuer) ID: https://api.proof.com/saml/consume
- Assertion Consumer Service (ACS) URL: https://api.proof.com/saml/consume
- SP metadata URL: https://api.proof.com/saml/metadata

SAML attributes — These attributes sent from the IDP to SP help Proof provision accounts, assign specific roles (organization admin, organization notary), and create users in the desired child organizations.
Attributes
| Attribute Name | Attribute Description |
| nameid required | A unique immutable identifier for the user |
| first_name required | User's first name |
| middle_name optional ⚠️ Strongly recommended — middle names help users pass KBA when signing documents. | User's middle name |
| last_name required | User's last name |
| name optional | User's full name (e.g., "John Patrick Smith Jr.") |
| email required | User's email |
| roles optional but recommended | Assign specific roles to a user in your organization's Proof account. Read more about roles here. Possible values: If omitted for new users, the role defaults to employee. If omitted for existing users, the role does not change. Multiple roles can be assigned: |
| organization_id optional | A Proof organization external ID (e.g., |
| notary_state optional — required if role includes notary | The abbreviation of the notary's commissioned state. e.g., |
| notary_languages optional — required if role includes notary | An array of languages spoken by the notary. Supported values: More than one language can be selected. e.g., |
Create custom attributes
If your IDP does not support sending the default attribute names (e.g., your IDP sends given_name instead of first_name), you must configure custom attribute mapping in Proof.
New to Command Center? Here's how to access it.
- Select Security from the left navigation panel.
- Select Identity providers from the Access page menu on the left.
- Select Configuration details for the identity provider you'd like to edit.
- Select Actions in the upper right corner.
- Select Configure attribute mapping.
- Select + Add custom mapping.
- Select the desired attribute from the dropdown menu.
- Type the value for your IDP's attribute.
- Select Save changes.
- Repeat for each custom attribute as needed. You do not need to add the default mappings — only add attributes that differ from the defaults.
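Before enabling SSO for users, it helps to inspect a test assertion from your IDP against the attribute table and the custom mapping described above. The following pre-flight check is an added example, not Proof's own code. It assumes that nameid is carried as the SAML Subject NameID and that a notary role value contains the word "notary" (the exact role strings are not listed on this page); the function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("nameid", "first_name", "last_name", "email")  # marked "required" in the table
NOTARY_ONLY = ("notary_state", "notary_languages")         # required if a role includes notary

def read_attributes(assertion_xml, custom_mapping=None):
    """Return {proof_attribute: [values]} after applying the IDP-name -> Proof-name mapping."""
    mapping = custom_mapping or {}
    root = ET.fromstring(assertion_xml)
    attrs = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        attrs["nameid"] = [name_id.text.strip()]  # assumption: nameid travels as Subject NameID
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = mapping.get(attr.get("Name"), attr.get("Name"))
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs

def check_for_proof(assertion_xml, custom_mapping=None):
    """List the problems a review of the IDP's output should flag."""
    attrs = read_attributes(assertion_xml, custom_mapping)
    problems = [f"missing required attribute: {n}" for n in REQUIRED if not attrs.get(n)]
    # Assumption: a notary role value contains "notary"; the exact strings are not on this page.
    if any("notary" in r.lower() for r in attrs.get("roles", [])):
        problems += [f"notary role without {n}" for n in NOTARY_ONLY if not attrs.get(n)]
    if not attrs.get("middle_name"):
        problems.append("middle_name absent (optional, strongly recommended for KBA)")
    return problems

# Constructed sample assertion; every value below is made up for illustration.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>u-1001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>notary</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, mapping in (("default names", None), ("given_name mapped", {"given_name": "first_name"})):
        print(label, "->", check_for_proof(SAMPLE, mapping))
```

The check only reads attribute names and values from an assertion you captured from your own IDP during testing; it does not verify the assertion's signature and should not be fed untrusted XML.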
Summary Checklist
- Configure the Entity ID, ACS URL, and SP metadata URL in your IDP.
- Include middle_name if possible — it helps users pass KBA when signing documents.
- Include notary_state and notary_languages if any users have the notary role.
- If your IDP uses non-default attribute names, configure custom attribute mapping in Command Center → Security → Identity providers.
- Shared mailboxes: SSO users cannot access transactions via shared inbox invitation links — they must log in through their organization's SSO flow directly.