Set Up SAML Configurations with Your Identity Provider for SSO

Audience: Organizations

The short answer: Domain-based single sign-on (SSO) enables your users to log in to multiple applications using a single username and password. This article covers the SAML data and attributes your identity provider (IDP) needs to connect to Proof.

This is step 3 of the domain-based SSO setup. Select a step below to navigate, or read the domain-based SSO overview for the full picture.

  1. Verify your domain
  2. Set up single sign-on in your Proof account
  3. Set up SAML configurations with your identity provider for SSO → You are here

Proof SAML data

The identity provider (IDP) needs the following Proof SAML data configured:

  • Entity (or issuer) ID: https://api.proof.com/saml/consume
  • Assertion Consumer Service (ACS) URL: https://api.proof.com/saml/consume
  • SP metadata URL: https://api.proof.com/saml/metadata
  • SAML attributes — These attributes, sent from the IDP to the SP, help Proof provision accounts, assign specific roles (organization admin, organization notary), and create users in the desired child organizations.

Attributes

Each attribute name below is followed by its requirement in parentheses, then its description.

nameid (required)

A unique immutable identifier for the user

first_name (required)

User's first name

middle_name (optional)

User's middle name

⚠️ Strongly recommended — middle names help users pass KBA when signing documents.

last_name (required)

User's last name

name (optional)

User's full name (e.g., "John Patrick Smith Jr.")

email (required)

User's email

roles (optional but recommended)

Assign specific roles to a user in your organization's Proof account. Read more about roles here. Possible values:

  • Admin
  • Notary — assigns the in-house notary role
  • Employee — assigns the team member role
  • User_manager
  • Tech_support
  • Sender

If omitted for new users, the role defaults to employee. If omitted for existing users, the role does not change.

Multiple roles can be assigned: [employee, notary], [notary, admin], etc.

organization_id (optional)

A Proof organization external ID (e.g., or_ojw8gkq). Useful for companies with a root organization with multiple parent/child organizations:

  • If specified, the user is added to that organization.
  • If not specified, the user is added to the organization that configured the SSO.

notary_state (optional — required if role includes notary)

The abbreviation of the notary's commissioned state.

e.g., notary_state: AZ

notary_languages (optional — required if role includes notary)

An array of languages spoken by the notary. Supported values:

  • en = English
  • es = Spanish

More than one language can be selected. e.g., [en], [en, es]


Create custom attributes

If your IDP does not support sending the default attribute names (e.g., your IDP sends given_name instead of first_name), you must configure custom attribute mapping in Proof.

New to Command Center? Here's how to access it.

  1. Select Security from the left navigation panel.
  2. Select Identity providers from the Access page menu on the left.
  3. Select Configuration details for the identity provider you'd like to edit.

  4. Select Actions in the upper right corner.
  5. Select Configure attribute mapping.

  6. Select + Add custom mapping.
  7. Select the desired attribute from the dropdown menu.
  8. Type the value for your IDP's attribute.
  9. Select Save changes.

  10. Repeat for each custom attribute as needed. You do not need to add the default mappings — only add attributes that differ from the defaults.
⚠️ These changes take effect immediately. If your SAML configuration is in active use with verified domains, the new attributes will have an immediate impact.
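
Because mapping changes apply immediately, it helps to check a test assertion from your IDP against the attribute table before saving. The following is an added example, not Proof's code: it reads a SAML 2.0 assertion, applies a custom mapping, and reports missing or invalid attributes; it does not verify signatures. Assumptions: nameid comes from the Subject's NameID element, multi-valued attributes arrive as repeated AttributeValue elements, and role names are compared case-insensitively. The function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("nameid", "first_name", "last_name", "email")
ROLES = {"admin", "notary", "employee", "user_manager", "tech_support", "sender"}
LANGUAGES = {"en", "es"}

def read_attributes(assertion_xml, custom_mapping=None):
    """Return {proof_attribute_name: [values]} from a SAML 2.0 assertion.
    custom_mapping maps the IDP's attribute name to the Proof default name."""
    mapping = custom_mapping or {}
    root = ET.fromstring(assertion_xml)
    attrs = {}
    name_id = root.find("saml:Subject/saml:NameID", NS)  # assumption: nameid source
    if name_id is not None and (name_id.text or "").strip():
        attrs["nameid"] = [name_id.text.strip()]
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = mapping.get(attr.get("Name"), attr.get("Name"))
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[name] = [v for v in values if v]
    return attrs

def check_attributes(attrs):
    """Return a list of problems measured against the attribute table."""
    problems = [f"missing required attribute: {n}" for n in REQUIRED if not attrs.get(n)]
    roles = [r.lower() for r in attrs.get("roles", [])]  # assumption: case-insensitive
    problems += [f"unknown role: {r}" for r in roles if r not in ROLES]
    if "notary" in roles:
        if not attrs.get("notary_state"):
            problems.append("notary role requires notary_state")
        langs = attrs.get("notary_languages", [])
        if not langs:
            problems.append("notary role requires notary_languages")
        problems += [f"unsupported notary language: {lang}" for lang in langs if lang not in LANGUAGES]
    return problems

# Constructed sample: an IDP that sends given_name instead of first_name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>u-1001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Ruiz</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>employee</saml:AttributeValue><saml:AttributeValue>notary</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="notary_languages"><saml:AttributeValue>en</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_attributes(read_attributes(SAMPLE, {"given_name": "first_name"}))` against an assertion captured from a test login; an empty list means every requirement in the attribute table is met.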

Summary Checklist

  • Configure the Entity ID, ACS URL, and SP metadata URL in your IDP.
  • Include middle_name if possible — it helps users pass KBA when signing documents.
  • Include notary_state and notary_languages if any users have the notary role.
  • If your IDP uses non-default attribute names, configure custom attribute mapping in Command Center → Security → Identity providers.
  • Shared mailboxes: SSO users cannot access transactions via shared inbox invitation links — they must log in through their organization's SSO flow directly.
Still unsure? Contact Proof Support for help.
