Sansan can work with various IdPs (identity providers) by using external authentication via the SAML 2.0 protocol. This enables login to Sansan with IDs and passwords managed by the IdP.
- This is an optional function. Please contact your Sansan representative if you would like to use it.
- If you have multiple contracts with one company or group companies, SAML authentication will be common across all contracts.
- Integration cannot be done with multiple IdPs; there is one SAML authentication per company.
- It is not possible to have some users use normal login and others use SAML authentication.
- It is not possible to split use of SAML authentication between the Web App and Mobile App.
- SAML authentication integrates only the login ID and password. There is no function to automatically add, change, or delete Sansan users based on the IdP.
- Please be aware that renewal is required before the IdP-issued certificate expires.
- Enabling SAML authentication will automatically disable the invitation function.
- Function testing can only be done on the Web App. To test on the Mobile App or Smartphone Web, please sign up for a separate free trial and use it for testing purposes.
- A SAML Name ID must be set for each user. See here for how to change user information.
- System administrator privileges are required to enable SAML authentication.
Enabling SAML Authentication
1. For the IdP
Go to Admin settings > Security settings > SAML Authentication.
Choose the IdP from the "Select IdP" pulldown. If it's not visible, choose "Other". Read about selectable IdPs.
When choosing "Other", select "Single" or "Multiple" Entity ID based on the specifications of the IdP to be used. If you have any questions, please contact the IdP provider.
*If you don't choose "Other", the entity ID appropriate for the selected IdP is chosen automatically.
Click to show "IdP settings information", make a note of the displayed content, and enter it on the IdP side.
- For a single entity ID
- For multiple entity IDs
Choose "Disable" or "Enable".
When choosing "Disable", the test runs and the settings are saved without enabling SAML authentication. You can enable it later.
When choosing "Enable", SAML authentication will be enabled when you save after completing the test. The login method of all users will then change, so we recommend you notify all users before doing this.
To use MDM, check "Use".
*If you use device management or access control such as Microsoft Intune, check this box.
Enter the IdP settings.
Check with your IdP provider if you are unsure what to enter. Be sure to enter the settings exactly and without adding extra spaces.
Upload the SAML signing certificate.
The file extension must be .cer.
Configure the following settings on the IdP side for the signature on the SAML response.
- Digest algorithm: either sha-256 or sha-512
- Signature algorithm: either rsa-sha-256 or rsa-sha-512
"Start" the test.
Saving is only possible after the test has completed.
Clicking "Start" will automatically redirect to the IdP login screen. Enter your IdP ID and password to authenticate.
If there are no problems with the test, you're good to go.
"Save" the settings. If "Enable" was selected in step 1, SAML authentication is enabled when "Save" is clicked. Users will not be able to log in with their existing login ID and password.
If "Disable" was selected in step 1, only the settings will be saved and SAML authentication will not start. Once you have notified users internally, change the setting to "Enable" and save.
If the test results in an error, the actual SAML response will be displayed on the screen along with an error message instructing you how to modify the Sansan or IdP settings accordingly.
| Error | Issues that may arise |
|---|---|
| IdP identification name is incorrect. | If the IdP name set on the Sansan screen does not match that of the actual SAML response, correct one of them so they match. |
| SAML certificate is incorrect. | If there is a problem with the certificate, reissue it and try again. |
| AD integration's ID is not registered correctly. | If the SAML Name ID on Sansan's user management screen does not match that of the actual SAML response, correct one of them so they match. Cached information may also remain; this can be resolved by clearing the browser cache or using incognito mode. |
| No value has been entered for Audience. | For the IdP's Audience value, set the entity ID as the identifier. |
| An unsupported signature algorithm has been specified. | Specify RSA-SHA-256 or RSA-SHA-512. |
| An unsupported digest algorithm has been specified. | Specify SHA-256 or SHA-512. |
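The checks behind the errors in this table (IdP identifier, Name ID, Audience, signature and digest algorithm) can be run against a captured SAML response before clicking "Start". The script below is an added example, not Sansan's own code; the IdP URL, entity ID and user address are constructed placeholders, and it only compares identifiers and algorithm URIs, it does not verify the XML signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs matching the accepted values in the table above (RSA-SHA-256/512, SHA-256/512).
ALLOWED_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256",
                  "http://www.w3.org/2001/04/xmlenc#sha512"}

def check_response(xml_text, expected_issuer, expected_audience, expected_name_id):
    """Return a list of findings; an empty list means every check passed (signature not verified)."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"IdP identification name is incorrect: {issuer!r}")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if name_id != expected_name_id:
        findings.append(f"SAML Name ID does not match the user record: {name_id!r}")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience does not contain the entity ID: {audiences!r}")
    sigs = root.findall(".//ds:SignatureMethod", NS)
    if not sigs:
        findings.append("Response carries no signature")
    for sm in sigs:
        if sm.get("Algorithm") not in ALLOWED_SIG:
            findings.append(f"Unsupported signature algorithm: {sm.get('Algorithm')}")
    for dm in root.findall(".//ds:DigestMethod", NS):
        if dm.get("Algorithm") not in ALLOWED_DIGEST:
            findings.append(f"Unsupported digest algorithm: {dm.get('Algorithm')}")
    return findings

# Constructed sample (placeholder URLs): correct issuer, Name ID and Audience, but signed with RSA-SHA1.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Run `check_response(SAMPLE, "https://idp.example.test/metadata", "https://sp.example.test/saml", "user@example.test")` to see the single finding for the RSA-SHA1 signature; switching the IdP to RSA-SHA256 clears it.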
IdPs for which SAML authentication has been confirmed to work are as follows.
| IdP | Entity ID |
|---|---|
| Active Directory Federation Services | Single |
| Azure Active Directory | Single |
Login after enabling SAML authentication
The login method changes when SAML authentication is enabled. Be sure to inform all users before activating it.
From the normal login screen, log in using your email address registered with Sansan.
At the IdP authentication screen, log in with the user ID and password managed by the IdP.