This feature is a paid option. Please contact our sales team or Sansan Support Center if you would like to use it.
Sansan can work with various IdPs (identity providers) by using external authentication via the SAML 2.0 protocol. This enables login to Sansan with IDs and passwords managed by the IdP.
Key Points
- You cannot use the Web App for normal login and the Mobile App for SAML authentication. Certificates issued by IdP must be renewed before they expire. Be sure to actively manage them.
- SAML authentication integrates authentication information on the IdP with Sansan for login. There is no function to automatically reflect user additions, changes, and deletions on the IdP in Sansan.
- When SAML authentication is enabled, two-factor authentication (2FA) cannot be used.
- When SAML authentication is enabled, the invitation function is automatically deactivated and cannot be used.
- Users with SAML authentication enabled will be forcibly logged out of the Mobile App. Consider informing your users of the change in authentication method, and making the change at a suitable time. Note that the Web App does not force a logout because of SAML authentication activation.
- The operational test in the procedures is for the Web App only. For testing the Mobile App, try logging in with SAML authentication enabled only for the user who will perform the verification as in "Settings (user-specific)".
Contents
Adding a new IdP setting
Preparation
- A SAML Name ID must be set for each user. See here for how to change user information.
- System administrator privileges are required to enable SAML authentication.
Add a new setting from "Admin settings" > "Security settings" > "SAML Authentication" > "Add new IdP setting".
1.For the IdP
Set a name for your IdP.
Choose the IdP from the "Select IdP" pulldown. If it's not visible, choose "Other". Read about selectable IdPs.
When choosing "Other", select "Single" or "Multiple" Entity ID based on the specifications of the IdP to be used. If you have any questions, please contact the IdP provider.
*If you don't choose "Other", the entity ID suitable for the selected IdP will be automatically selected.
Choose to show "IdP settings information", make a note of the displayed content, and enter it for the IdP.
- For single Entity IDs
*Example
- For multiple entity IDs
*Example
2.For Sansan
To use MDM, check "Use".
*If you use Microsoft Intune, etc. device management or access control, place a check here.
Default browser for iOS devices
If you choose to use MDM, you’ll see an option for the default browser on the iOS device.
The default browser will be used to exchange certificates from MDM to IdP. To use another browser, you need to change to ① use a browser other than Safari before you can log in.
If you’re not using Safari, click the ② Back to Sansan button shown after authentication, and return to the app.
Enter the IdP settings.
Check with your IdP provider if you are unsure what to enter. Be sure to enter the settings exactly and without adding extra spaces.
Upload the SAML signing certificate.
The extension will be .cer.
Enter the following settings for IdP side for the signature on the SAML response.
- Digest algorithm: either sha-256 or sha-512
- Signature algorithm: either rsa-sha-256 or rsa-sha-512
3.Verifying settings
"Start" the test.
Saving is only possible when the test is finished.
Clicking "Start" will automatically redirect to the IdP login screen. Enter your IdP ID and password to authenticate.
*Example
If there are no problems with the test, you're good to go.
Please note that saving does not activate the settings.
An IdP setting will be added.
Testing errors
If the test results in an error, the actual SAML response will be displayed on the screen along with an error message instructing you how to modify the Sansan or IdP settings accordingly.
| Error | Issues that may arise |
|---|---|
| IdP identification name is incorrect. | If the IdP name set on the Sansan screen does not match that of the actual SAML response, be sure to correct one of them so they match. |
| SAML certificate is incorrect. | If there is a problem with the certificate, reissue it and try again. |
| AD integration's ID is not registered correctly. | If the SAML Name ID in Sansan's user management screen doesn't match that of the actual SAML response, correct one of them so they match. Cached information may also remain. This can be resolved by deleting the cache or using incognito mode in your browser. |
| No value has been entered for Audience. | For the IdP Audience value set the identifier as the entity ID. |
| An unsupported signature algorithm has been specified. | Please specify RSA-SHA-256 or RSA-SHA-512. |
|
Please specify SHA-256 or SHA-512. |
Selectable IdPs
IdPs for which SAML authentication has been confirmed to work are as follows.
| IdP | Entity ID |
|---|---|
| Active Directory Federation Services | Single |
| Auth0 | Single |
| Azure Active Directory | Single |
| CloudGate UNO | Single |
| Google Workspace (Formerly G Suite) | Multiple |
| HENNGE One | Multiple |
| Okta | Single |
| OneLogin | Single |
Set company-wide settings
Use ID and password authentication
This will be set as default.
Use SAML authentication
If you want to use SAML authentication, you need to set up an IdP in advance. Click here to find out more.
Also, you need to set a SAML Name ID for each user. Click here to find out more.
Please choose an IdP setting here.
Please note that users who have not been assigned a SAML Name ID will not be able to log in.
Once you're done, save.
Set contract-specific settings
If enabled, it will be prioritized over company-wide settings. Affected users are all users displayed in "Admin settings" > "Manage users".
Use ID and password authentication
Please note that settings set for the entire company will be inherited by default.
Use SAML authentication
If you want to use SAML authentication, you need to set up an IdP in advance. Click here to find out more. Also, you need to set a SAML Name ID for each user. Click here to find out more.
Please note that settings set for the entire company will be inherited by default.
Please choose an IdP setting here.
Please note that users who have not been assigned a SAML Name ID will not be able to log in.
Once you're done, save.
Login after enabling SAML authentication
The login method changes when SAML authentication is enabled. Be sure to inform all users before activating it.
Logging in
From the normal login screen, log in using your email address registered with Sansan.
At the IdP authentication screen, log in with the user ID and password managed by the IdP.
Wep App
→ 
Mobile App
→ 
*Example
If you are unable to login with SAML authentication
When a user cannot log in from the IdP (such as when SAML authentication is mistakenly set), the system admin can log in without transitioning to the IdP and recover their account.
Steps
- Log in with this URL. If you've forgotten your password, you can reset it from here.
- Reset SAML authentication settings or re-upload the certificate.