Setting up SAML Authentication

This feature is a paid option. Please contact our sales team or Sansan Support Center if you would like to use it.

Sansan can work with various IdPs (identity providers) by using external authentication via the SAML 2.0 protocol. This enables login to Sansan with IDs and passwords managed by the IdP.

 


Key Points

  • You cannot use the Web App for normal login and the Mobile App for SAML authentication; both use the same authentication method.
  • SAML authentication integrates authentication information on the IdP with Sansan for login. There is no function to automatically reflect user additions, changes, and deletions on the IdP in Sansan.
  • When SAML authentication is enabled, two-factor authentication (2FA) cannot be used.
  • Users with SAML authentication enabled will be forcibly logged out of the Mobile App. Consider informing your users of the change in authentication method, and making the change at a suitable time. Note that the Web App does not force a logout because of SAML authentication activation.
  • IdP-issued certificates must be renewed before they expire. Please be sure to keep track of them.
  • After completing the operational test in the procedures, the IdP setting can be selected as available for authentication.
  • The operational test in the procedures is for the Web App only. For testing the Mobile App, try logging in with SAML authentication enabled only for the user who will perform the verification as in "Settings (user-specific)".

 

Adding a new IdP setting

 

Preparation

  • A SAML Name ID must be set for each user. See here for how to change user information.
  • System administrator privileges are required to enable SAML authentication.

 

Add a new setting from "Admin settings" > "Security settings" > "SAML Authentication" > "Add new IdP setting".

 

 

1. For the IdP

Set a name for your IdP.

 

Choose the IdP from the "Select IdP" pulldown. If it's not visible, choose "Other". Read about selectable IdPs.

 

When choosing "Other", select "Single" or "Multiple" Entity ID based on the specifications of the IdP to be used. If you have any questions, please contact the IdP provider.

*If you don't choose "Other", the entity ID suitable for the selected IdP will be automatically selected.

 

Choose to show "IdP settings information", make a note of the displayed content, and enter it for the IdP.

 

  • For single Entity IDs (example screenshot)

  • For multiple Entity IDs (example screenshot)

 

 

2. For Sansan

To use MDM, check "Use".

*Check this box if you use device management or access control such as Microsoft Intune.

 

Default browser for iOS devices

If you choose to use MDM, you will see an option for the default browser on iOS devices.

The default browser is used to pass certificates from the MDM to the IdP. To use a browser other than Safari, first enable option ① "use a browser other than Safari"; otherwise you cannot log in.

If you are not using Safari, click the ② "Back to Sansan" button shown after authentication to return to the app.

 

Enter the IdP settings.

Check with your IdP provider if you are unsure what to enter. Be sure to enter the settings exactly and without adding extra spaces.

 

Upload the SAML signing certificate.

The file extension must be .cer.

On the IdP side, configure the signature on the SAML response with the following settings.

  • Digest algorithm: either sha-256 or sha-512
  • Signature algorithm: either rsa-sha-256 or rsa-sha-512

 

3. Verifying settings

"Start" the test.

 

Clicking "Start" will automatically redirect to the IdP login screen. Enter your IdP ID and password to authenticate.

*Example

 

If there are no problems with the test, you're good to go.

Please note that saving does not activate the settings.

 

An IdP setting will be added.

 

Status shown in the list

The status depends on the IdP configuration when it is saved. Details are as follows.

Status: Setup not completed
Description: The IdP setting has been saved, but the operational test has not been completed, so it cannot yet be selected for authentication.

Status: Available
Description: The IdP configuration has been completed up to the operational test and is ready for use.

 

Testing errors

If the test results in an error, the actual SAML response will be displayed on the screen along with an error message instructing you how to modify the Sansan or IdP settings accordingly.

Error: IdP identification name is incorrect.
Cause and fix: If the IdP name set on the Sansan screen does not match that of the actual SAML response, correct one of them so they match.

Error: SAML certificate is incorrect.
Cause and fix: If there is a problem with the certificate, reissue it and try again.

Error: SAML Name ID is not registered correctly.
Cause and fix: The SAML Name ID set in Sansan's user management screen does not match the Name ID in the actual SAML response. Correct one of them so they match. Cached information may also remain; this can be resolved by clearing the cache or using your browser's incognito mode.

Error: No value has been entered for Audience.
Cause and fix: For the IdP's Audience value, set the identifier as the entity ID.

Error: An unsupported signature algorithm has been specified.
Cause and fix: Specify RSA-SHA-256 or RSA-SHA-512.

Error: 403 or 404 errors are shown (error messages and SAML responses are not shown).
Cause and fix: In the Sansan SAML authentication settings screen, make sure the information set for the IdP is correct. Also check that the settings and certificates on the IdP that are set in Sansan are correct. The response URL differs between the Sansan Web App and Mobile App. If multiple response URLs cannot be set for an IdP, contact the respective IdP for the registration method.
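As an added example (not Sansan's code), the following stdlib-only Python checker applies the Audience, Name ID and algorithm checks from the table above to a SAML Response captured from a failed test, so you can see which setting is off before touching the IdP. The entity ID, Name ID and the sample response are constructed values; the script checks structure and values only and does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML-DSig URIs for the algorithms the page allows (RSA-SHA-256/512, SHA-256/512).
ALLOWED_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256",
                  "http://www.w3.org/2001/04/xmlenc#sha512"}

def check_response(xml_text, expected_audience, expected_name_id):
    """Return findings worded like the test errors; an empty list means the checks pass.
    Only structure and values are inspected; the XML signature is not verified here."""
    root = ET.fromstring(xml_text)
    findings = []
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or not (aud.text or "").strip():
        findings.append("No value has been entered for Audience.")
    elif aud.text.strip() != expected_audience:
        findings.append("Audience does not match the entity ID.")
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    # Exact, case-sensitive comparison, as the FAQ on this page requires.
    if nid is None or (nid.text or "").strip() != expected_name_id:
        findings.append("SAML Name ID is not registered correctly.")
    for sm in root.iterfind(".//ds:SignatureMethod", NS):
        if sm.get("Algorithm") not in ALLOWED_SIG:
            findings.append("An unsupported signature algorithm has been specified.")
    for dm in root.iterfind(".//ds:DigestMethod", NS):
        if dm.get("Algorithm") not in ALLOWED_DIGEST:
            findings.append("An unsupported digest algorithm has been specified.")
    return findings

# Constructed sample response (signature value omitted): RSA-SHA1 and a Name ID in the wrong case.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>Taro.Yamada@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.invalid/sansan-entity-id</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for f in check_response(SAMPLE, "https://example.invalid/sansan-entity-id", "taro.yamada@example.com"):
        print(f)
```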

 

Selectable IdPs

IdPs for which SAML authentication has been confirmed to work are as follows.

IdP (Entity ID type)
Active Directory Federation Services: Single
Auth0: Single
Microsoft Entra ID (formerly Azure Active Directory): Single
CloudGate UNO: Single
Google Workspace: Multiple
HENNGE One: Multiple
Okta: Single
OneLogin: Single

 

If you are unable to login with SAML authentication

When a user cannot log in from the IdP (such as when SAML authentication is mistakenly set), the system admin can log in without transitioning to the IdP and recover their account.

 

Steps

  1. Log in with this URL. If you've forgotten your password, you can reset it from here.
  2. Reset SAML authentication settings or re-upload the certificate.

 

FAQ

Q: What can I do if I want to use Microsoft Intune and log in using device certificates, etc.?

A: In Sansan’s IdP settings check the box to use MDM. Device certificate authentication will be enabled, and Safari for iPhone and Google Chrome for Android will be launched. Check the relevant box if you want to use a default browser other than Safari.

 

Q: What can I do if I get the following message? “Login failed. The information does not match what's registered in Sansan or service may be restricted. SSO may also not be configured. Please contact your system admin with any questions.”

A: Please check for the following likely causes.

1) The email address is incorrect.
Go to "Admin Settings" > "Manage users" and check the user's email address.

2) SSO (single sign-on) settings are not entered or are incomplete. See this page for more details.
If you can't log in despite setting up a SAML Name ID, it's possible that the SAML Name ID* registered in your Sansan user information and the user information registered in your IdP do not match. Be sure they match exactly, including upper-case/lower-case letters.
*The SAML Name ID can be checked from "Admin Settings" > "Manage users".

3) The user is not registered.
Go to "Admin Settings" > "Manage users" and check the user's email address. If there is no user registered for that email address, add a user (details here).

4) The admin suspended the account.
Go to "Admin Settings" > "Manage users" and check the account status of the relevant user. If the account is "Inactive", change it to "Active".

 

Q: Can I log in from the IdP screen (IdP-Initiated)?

A: Sansan only supports SP-Initiated* SAML authentication.
*After accessing Sansan, access your IdP, and connect to Sansan after authenticating with the IdP.
Some IdPs have reported operation with IdP-Initiated, but we do not guarantee this operation. Please use the service at your own risk.

 

Q: Do you provide metadata about configuration information in an XML file?

A: No, we do not. Please refer to the IdP settings information on the Sansan IdP settings page for information to be set for the IdP.

 

Q: Is it OK to change the extension of the SAML signature certificate downloaded by the IdP to .cer?

A: Yes, the extension of the SAML signature certificate you set up with Sansan must be .cer.

 

Q: Can SAML authentication and two-factor authentication be used together?

A: No, they cannot. When SAML authentication is set up, authentication takes place with the IdP. If the IdP has two-factor authentication set up, please use that.

 

Q: Can SAML authentication and device restrictions be used together?

A: Yes, they can.

 

Q: Can SAML authentication and IP address restriction be used together?

A: Yes, they can. If access is made from an unauthorized IP address, an error will occur after authentication.

 

IdP setup manuals

These are configuration manuals for each IdP (external links). Please contact each IdP for more information on the contents.

Microsoft Entra ID (formerly Azure Active Directory)
https://docs.microsoft.com/ja-jp/azure/active-directory/saas-apps/sansan-tutorial

Cloud Gate UNO
https://cg-support.isr.co.jp/hc/ja/articles/900001151446

HENNGE One
https://teachme.jp/35563/manuals/25516985

GMOトラスト・ログイン
https://support.trustlogin.com/hc/ja/articles/900004762866
