Single Sign-On (SSO) enables users to log in to multiple applications using a single username and password. With SSO, account and credential management is not handled by Proof but instead by your identity provider (IDP).
The steps below are one part of a multistep process for setting up domain-based single sign-on. Click a link below to review that step of the process, or read the domain-based single sign-on overview, which includes what to expect after this process is complete.
- Verify your domain
- Set up single sign-on in your Proof account → You are here
- Set up SAML configurations with your identity provider for SSO
Who this is for
Only Command Center owners and admins can perform the actions below.
Read Command Center Overview for more information about Command Center.
Once SSO is set up by an owner or admin, all users in your organization are affected by the changes.
What you need
Configuring SSO is bidirectional: the service provider (SP) metadata from Proof must be configured in your identity provider (IDP), and the IDP metadata must be configured in the SP.
You need both of the following to set up SSO:
- A Proof-verified domain (see Verify your domain for instructions)
- A metadata file (.xml) from your identity provider
Metadata file
For the metadata file, you have two options:
Option A: Most commonly, you can use a metadata file (.xml) from your Identity Provider (IDP). Some common guides:
Option B: If you don’t have the option to download a metadata file from your IDP, you will need the following details:
- Entity ID
- X509 public certificate
- Single sign-on (SSO) URL
- SSO request binding
- [optional] single log-out (SLO) URL and request binding
Set up SSO
Log in to your Proof account to complete the steps below.
- Click the dot grid in the upper left corner of your account.
- Select Command Center.
- Click Access from the menu on the left.
- Select Identity providers.
- Click Configure new identity provider from the upper right corner.
- Type an internal name for your configuration.
  - This can be whatever you’d like, preferably something easy for you and other admins to use. Many align it with the name of their IDP.
- Select a method for providing your metadata.
  - If you select an XML file, drag and drop or click to upload the metadata file (.xml) from your IDP.
  - If you select manual entry, provide all of the required fields from your identity provider, including:
    - Entity ID
    - X509 public certificate
    - SSO URL
    - SSO request binding
    - Single log out is optional
- Click Process.
- Your SAML configuration details are displayed. The configuration is not active yet; no users are impacted at this stage. Please review in detail:
  - You should have at least one (1) certificate visible that is in the “Active” state. Your metadata provided this.
  - If your metadata includes a Single Log-Out (SLO) URL, SLO will be on for your domain users. This means that when a user logs out of their identity provider, we log them out of Proof.
  - You can delete and replace your metadata file if any of the information needs to be changed.
- After reviewing, click to save. Your SAML configuration is not active yet; no users will be impacted at this stage.
- Review in detail:
  - You have at least one (1) certificate visible that is in the “Active” state.
  - If you or your metadata provided a Single Log-Out (SLO) URL, SLO will be on for your domain users. This means that when a user logs out of their identity provider, we log them out of Proof.
  - You can delete and replace your metadata file or edit your configuration details if any of the information needs to be changed.
- After reviewing, click to save. Your SAML configuration is not active yet; no users will be impacted at this stage.
- Proceed to the next part to activate.
Activate your SAML configuration
To activate this SAML configuration, you need to connect it to a verified domain.
- Select Details and Policies for the domain you'd like to update.
- Click Edit.
- Select the configuration you created from the dropdown.
- Note the details of the configuration, including JIT provisioning, routing logic for new users, and which users will also have access to a password.
- Click Save.
Once this is saved, the SSO configuration will be live and applied to all users on the Proof platform with your domain.