This feature is a paid option. Please contact our sales team or Sansan Support Center if you would like to use it.
Sansan can work with various IdPs (identity providers) by using external authentication via the SAML 2.0 protocol. This enables login to Sansan with IDs and passwords managed by the IdP.
Key Points
- You can choose between company-wide settings that affect the entire company and contract-specific settings that can be set for each contract.
- Contract-specific settings will be prioritized over company-wide settings.
- It is not possible to have some users use normal login and some use SAML authentication.
- It is not possible to split use of SAML authentication between the Web App and Mobile App.
- For SAML authentication, only ID and password can be integrated. There is no function to automatically add, change, or delete users on an IdP to Sansan.
- Please be aware that renewal is required before the IdP-issued certificate expires.
- Enabling SAML authentication will automatically disable the invitation function.
- Function testing can only be done on the Web App. To test on the Mobile App, please sign up for a separate free trial and use it for testing purposes.
Contents
Adding a new IdP setting
Preparation
- A SAML Name ID must be set for each user. See here for how to change user information.
- System administrator privileges are required to enable SAML authentication.
Add a new setting from "Admin settings" > "Security settings" > "SAML Authentication" > "Add new IdP setting".
1. For the IdP
Set a name for your IdP.
Choose the IdP from the "Select IdP" pulldown. If it's not visible, choose "Other". Read about selectable IdPs.
When choosing "Other", select "Single" or "Multiple" Entity ID based on the specifications of the IdP to be used. If you have any questions, please contact the IdP provider.
*If you don't choose "Other", the entity ID suitable for the selected IdP will be automatically selected.
Choose to show "IdP settings information", make a note of the displayed content, and enter it for the IdP.
- For single Entity IDs
*Example
- For multiple entity IDs
*Example
2. For Sansan
To use MDM, check "Use".
*If you use device management or access control such as Microsoft Intune, check this box.
Enter the IdP settings.
Check with your IdP provider if you are unsure what to enter. Be sure to enter the settings exactly and without adding extra spaces.
Upload the SAML signing certificate.
The file extension must be .cer.
On the IdP side, configure the following settings for the signature on the SAML response.
- Digest algorithm: either sha-256 or sha-512
- Signature algorithm: either rsa-sha-256 or rsa-sha-512
3. Verifying settings
"Start" the test.
Saving is only possible when the test is finished.
Clicking "Start" will automatically redirect to the IdP login screen. Enter your IdP ID and password to authenticate.
*Example
If there are no problems with the test, you're good to go.
Please note that saving does not activate the settings.
An IdP setting will be added.
Testing errors
If the test results in an error, the actual SAML response will be displayed on the screen along with an error message instructing you how to modify the Sansan or IdP settings accordingly.
Error | Cause and resolution |
---|---|
IdP identification name is incorrect. | The IdP name set on the Sansan screen does not match the one in the actual SAML response. Correct one of them so they match. |
SAML certificate is incorrect. | There is a problem with the certificate. Reissue it and try again. |
AD integration's ID is not registered correctly. | The SAML Name ID in Sansan's user management screen does not match the one in the actual SAML response. Correct one of them so they match. Cached information may also remain; this can be resolved by clearing the browser cache or using incognito mode. |
No value has been entered for Audience. | Set the Audience value on the IdP to the entity ID (identifier). |
An unsupported signature algorithm has been specified. | Specify RSA-SHA-256 or RSA-SHA-512. |
An unsupported digest algorithm has been specified. | Specify SHA-256 or SHA-512. |
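The checks behind the table above can be reproduced offline on a saved SAML response. The following is an added example, not Sansan's own code: it parses a constructed response and reports the configuration mismatches (issuer, Name ID, Audience, signature and digest algorithms) in the table's wording. It checks settings only and does not verify the XML signature cryptographically; the issuer URL, entity ID and Name ID are made-up sample values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs matching the accepted settings: RSA-SHA-256/512 and SHA-256/512.
ALLOWED_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256",
                  "http://www.w3.org/2001/04/xmlenc#sha512"}

def check_response(xml_text, expected_issuer, entity_id, registered_name_ids):
    """Return the configuration problems found, worded like the error table.
    This compares settings only; it does not verify the XML signature itself."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("IdP identification name is incorrect.")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in registered_name_ids:
        problems.append("AD integration's ID is not registered correctly.")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append("No value has been entered for Audience." if not audience
                        else "Audience does not match the entity ID.")
    sig = root.find(".//ds:SignatureMethod", namespaces=NS)
    if sig is None or sig.get("Algorithm") not in ALLOWED_SIG:
        problems.append("An unsupported signature algorithm has been specified.")
    digest = root.find(".//ds:DigestMethod", namespaces=NS)
    if digest is None or digest.get("Algorithm") not in ALLOWED_DIGEST:
        problems.append("An unsupported digest algorithm has been specified.")
    return problems

# Constructed sample (not a real IdP message): signed with rsa-sha1, all else correct.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.com/saml/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_response(SAMPLE, "https://idp.example.com/metadata",
                            "https://sp.example.com/saml/entity", {"alice@example.com"}):
        print(p)
```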
Selectable IdPs
IdPs for which SAML authentication has been confirmed to work are as follows.
IdP | Entity ID |
---|---|
Active Directory Federation Services | Single |
Auth0 | Single |
Azure Active Directory | Single |
CloudGate UNO | Single |
Google Workspace (Formerly G Suite) | Multiple |
HENNGE One | Multiple |
Okta | Single |
OneLogin | Single |
Set company-wide settings
Use ID and password authentication
This will be set as default.
Use SAML authentication
If you want to use SAML authentication, you need to set up an IdP in advance. Click here to find out more.
Also, you need to set a SAML Name ID for each user. Click here to find out more.
Please choose an IdP setting here.
Please note that users who have not been assigned a SAML Name ID will not be able to log in.
Once you're done, save.
Set contract-specific settings
If enabled, it will be prioritized over company-wide settings. Affected users are all users displayed in "Admin settings" > "Manage users".
Use ID and password authentication
Please note that settings set for the entire company will be inherited by default.
Use SAML authentication
If you want to use SAML authentication, you need to set up an IdP in advance. Click here to find out more. Also, you need to set a SAML Name ID for each user. Click here to find out more.
Please note that settings set for the entire company will be inherited by default.
Please choose an IdP setting here.
Please note that users who have not been assigned a SAML Name ID will not be able to log in.
Once you're done, save.
Login after enabling SAML authentication
The login method changes when SAML authentication is enabled. Be sure to inform all users before activating it.
Logging in
From the normal login screen, log in using your email address registered with Sansan.
At the IdP authentication screen, log in with the user ID and password managed by the IdP.
Web App →
Mobile App →
*Example
If you are unable to login with SAML authentication
When a user cannot log in from the IdP (such as when SAML authentication is mistakenly set), the system admin can log in without transitioning to the IdP and recover their account.
Steps
- Log in with this URL. If you've forgotten your password, you can reset it from here.
- Reset SAML authentication settings or re-upload the certificate.