Skip to main content
All CollectionsAdmin HubSSO
SSO implementation
SSO implementation
M
Written by Marya Maksimchuk
Updated over a week ago

Availability: Enterprise plan

PandaDoc now supports Single Sign-On (SSO). You can set up SSO to give employees access to PandaDoc through an identity provider (IdPs such as Okta, OneLogin, Microsoft AD FS, etc.) eliminating passwords from the login process for safe and fast access.

Single Sign-On in PandaDoc is based on Security Assertion Markup Language 2.0 (SAML 2.0). The purpose of SAML is to enable Single Sign-On for web applications across various domains. SAML 2.0 is a leading industry standard for exchanging the authentication and authorization data that PandaDoc supports as a service provider (SP).

No actual passwords are transferred to or from PandaDoc during the authorization event. Instead, PandaDoc receives a SAML assertion of the user identity, which is valid for a limited period of time and digitally signed.

Note:

Please reach out to our Support team if you need to update the SSO certificate.

How does SSO for PandaDoc help you?

  1. Facilitate easy and secure access for users to their PandaDoc accounts

  2. Help IT and security departments authenticate users and control application access centrally

  3. Reduce password maintenance and security overheads

  4. Enforce additional password security measures such as password complexity requirements, password expiration and two-factor authentication (number of features available defined by your identity provider)

Please, contact us if you want to set up SSO for your organization.

Enabling SSO

  1. Before enabling SSO it’s important to confirm that:

    The email address associated with each user's PandaDoc account matches their email in the company directory.

  2. Confirm compatibility

    Confirm that your identity or SSO provider supports federated authentication using SAML 2.0. The list of compatible SSO solutions includes, but is not limited to Okta, OneLogin, Microsoft AD FS.

IDP Side Setup

Every IDP will be a little different depending on their setup flow and default values.

  1. Active Directory Federation Services

  2. Azure Active Directory

  3. OneLogin

  4. Okta

  5. Salesforce

The custom setup is needed for the IDPs mentioned below, refer to the articles for each different provider:

Relying party SAML 2.0 SSO URL

https://app.pandadoc.com/sso-acs/

Entity ID

https://pandadoc.com

Email Attribute

Email

First Name Attribute

FirstName

Last Name Attribute

LastName

  1. Google Workspaces

  2. Auth0

Just-in-time (JIT) provisioning

Activating a PandaDoc account without an invitation is possible if just-in-time (JIT) provisioning and SSO are enabled. JIT provisioning allows employees to become PandaDoc users automatically the first time they try to log into PandaDoc. An admin does not have to add them as a new PandaDoc user.

SSO Login scenario:

  1. Users log in with their corporate email to a PandaDoc SSO login page: https://app.pandadoc.com/sso-login/

  2. If not already authenticated, users are redirected to the corporate server or third-party identity provider login page, depending on the enterprise SSO option.

  3. Users enter their sign-in credentials.

  4. If valid, users are redirected back to PandaDoc app.

Removing Users

When you remove an employee from your company directory in your IdP, they are no longer able to access PandaDoc via SSO; however, their PandaDoc user profile is not automatically deleted. To remove an employee from your PandaDoc account, go to Settings > Team and delete the user. See more here.

Did this answer your question?