Set up Single Sign-On with Salesforce
Written by Marya Maksimchuk
Updated over a week ago

Single Sign-On (SSO) in Salesforce allows users to access multiple applications with a single set of login credentials. Salesforce supports various SSO standards, including SAML 2.0 (Security Assertion Markup Language), which is widely used for web-based SSO. Here's a general guide on how SSO can be used within Salesforce using SAML 2.0 with PandaDoc as the Service Provider (SP):

Requirements

  • A PandaDoc account with Enterprise plan

  • Administrative access to your Salesforce instance to configure SSO settings and create connected apps.

  • User profiles that contain email address, first name, and last name attributes. We require all 3 user properties.

  • Provide access to the connected app to profiles and / or permission groups

Note:

To learn more about SSO in PandaDoc, click here.

Enable Salesforce as a SAML Identity Provider

  1. Determine which certificate you want to use to enable your org to communicate with the service provider. You can use the default certificate or create your own. See Certificates and Keys.

    • By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you want to use the default certificate, proceed to step 2.

    • To create a new self-signed certificate, follow the instructions in Generate a Self-Signed Certificate, then proceed to step 2.

    • To create a CA-signed certificate, follow the instructions in Generate a Certificate Signed by a Certificate Authority, then proceed to step 2.

  2. From Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.

  3. Click Enable Identity Provider.

  4. Select a certificate from the dropdown menu.

  5. Save your changes.

Integrate PandaDoc as a connected app

  1. From Setup, enter Apps in the Quick Find box, and select App Manager.

  2. Click New Connected App.

  3. Enter the connected app’s name (e.g., PandaDoc SSO).

  4. Leave the API Name as default to a version of the name without spaces. Only letters, numbers, and underscores are allowed, so if the original app name contains any other characters, edit the default name.

  5. Enter the contact email for Salesforce to use in case we want to contact you or your support team. This address isn’t given to Salesforce admins who install the app.

  6. Enter the contact phone for Salesforce to use in case we want to contact you or your support team. This number isn’t given to Salesforce admins who install the app. (Optional)

  7. To display the PandaDoc logo with the connected app on the App Launcher tile, enter a logo image URL as follows (Optional): Certificates and Keys

  8. In the Web App Settings section, select Enable SAML, and enter this information:

    1. Entity Id: the globally unique ID of PandaDoc, https://pandadoc.com

    2. ACS URL (Assertion Consumer Service): PandaDoc’s endpoint that receives SAML assertions, https://app.pandadoc.com/sso-acs/

    3. Name ID Format: PandaDoc only supports SAML 2.0; choose “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” from the dropdown.

    4. Click Save.

Salesforce User Authorization

  1. From Setup, enter Connected Apps in the Quick Find box, and select Manage Connected Apps.

  2. Click on the Master Label name for the newly created PandaDoc SSO application.

  3. In the "Profiles" and “Permission Sets” related list, add the profiles of the users who should have access to the PandaDoc application.

User Attributes

PandaDoc SSO requires the FirstName and LastName attributes when provisioning users.

1. After setting up the permissions list, scroll down and locate Custom Attributes > Click New.

2. For the user's first name, create an attribute key called "First Name" > Insert Field > "$User" > First Name > Insert

3. Perform the same steps for the attribute key "Last Name". The result should look like the image below:

PandaDoc SSO Configuration

Follow the instructions in both subsections so that users can be provisioned and can log in either from PandaDoc or via Salesforce:

Salesforce Initiated Setup

  • IdP-Initiated Login URL. To find your IdP URL, within your Connected App locate SAML Login Information > IdP-Initiated Login URL. This URL is needed to initiate a user session from Salesforce to PandaDoc.

1. Copy the IdP-Initiated Login URL > Click on Edit Policies at the top of the connected app > Paste into the Start URL field.

2. In your Setup Quick Find > Search for "App Manager" > Locate your PandaDoc SSO application > Edit > If the Start URL is blank, paste the URL into this field as well.

PandaDoc Initiated Setup

  • Sign-On URL. To find out your Sign-On URL, within your Connected App locate SAML Login Information > SP-Initiated Redirect Endpoint

  • Certificate. Next, you will find out your signing certificate by clicking on Default idP Certificate > Download Certificate

After exporting the certificate to a file, open the file with Notepad or another text editor, copy the text snippet, and paste it into the “Certificate” field of the PandaDoc SSO form, and enter the SP-Initiated Redirect Endpoint in the same form.

***Contact [email protected] to notify our Support team the form has been filled out***

Testing SSO in PandaDoc

PandaDoc Initiated

  1. Log out of PandaDoc (click on avatar picture and choose “Log out”)

  2. Open your PandaDoc URL in the browser - https://app.pandadoc.com/sso-login/

  3. Log in with your PandaDoc account domain email.

Salesforce Initiated

  1. Open the App Launcher

  2. Search for the PandaDoc SSO Application

  3. User will be redirected to PandaDoc
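
If a test login fails, the SAML response can be checked against the values configured above. The following Python script is an added example, not PandaDoc or Salesforce code. It assumes the Entity Id is sent as the Audience, the ACS URL as the Recipient, and the custom attribute keys as Attribute names; the sample XML is constructed and unsigned, and no signature validation is performed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the connected-app settings described on this page.
AUDIENCE = "https://pandadoc.com"
ACS_URL = "https://app.pandadoc.com/sso-acs/"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("First Name", "Last Name")

def check_response(xml_text):
    """List configuration mismatches in a decoded SAML response (no signature check)."""
    root, problems = ET.fromstring(xml_text), []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {AUDIENCE}")
    recipients = [c.get("Recipient") for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"Recipient {recipients} does not include {ACS_URL}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')}, expected persistent")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"Attribute '{name}' is missing or empty")
    return problems

def sample_response(nameid_format=PERSISTENT, first_name_key="First Name"):
    """Constructed, unsigned sample; not captured from a real Salesforce org."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID Format="{nameid_format}">005EXAMPLE</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{first_name_key}"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Last Name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    for label, xml_text in [("correct", sample_response()),
                            ("misconfigured", sample_response(unspecified, "FirstName"))]:
        print(label, check_response(xml_text) or "OK")
```

An empty list means the response matches the settings in this guide; each string in a non-empty list names the field to correct in the connected app.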
