SSO is available on Enterprise plans.

Enterprise admins can configure SAML SSO for Okta or Microsoft Entra directly from the Docfiy dashboard. For other providers like Google Workspace or Okta OIDC, contact us to set up SSO.

Configure SSO

Okta

1

Configure Okta SSO in your Docfiy dashboard

  1. In your Docfiy dashboard, navigate to the Single Sign-On page.
  2. Click Configure.
  3. Select Okta SAML.
  4. Copy the Single sign on URL and Audience URI.
2

Create a SAML app in Okta

  1. In Okta, under Applications, create a new app integration using SAML 2.0.

  2. Enter the following from Docfiy:

    • Single sign on URL: the URL you copied from your Docfiy dashboard
    • Audience URI: the URI you copied from your Docfiy dashboard
    • Name ID Format: EmailAddress
  3. Add these attribute statements:

    Name        Name format   Value
    firstName   Basic         user.firstName
    lastName    Basic         user.lastName
3

Copy the Okta metadata URL

In Okta, go to the Sign On tab of your application and copy the metadata URL.

4

Save in Docfiy

Back in the Docfiy dashboard, paste the metadata URL and click Save changes.

Microsoft Entra

1

Configure Microsoft Entra SSO in your Docfiy dashboard

  1. In your Docfiy dashboard, navigate to the Single Sign-On page.
  2. Click Configure.
  3. Select Microsoft Entra ID SAML.
  4. Copy the Single sign on URL and Audience URI.
2

Create an enterprise application in Microsoft Entra

  1. In Microsoft Entra, navigate to Enterprise applications.
  2. Click New application.
  3. Click Create your own application.
  4. Select "Integrate any other application you don't find in the gallery (Non-gallery)."
3

Configure SAML in Microsoft Entra

  1. In Microsoft Entra, navigate to Single Sign-On.
  2. Click SAML.
  3. Under Basic SAML Configuration, enter the following:
    • Identifier (Entity ID): the Audience URI from Docfiy
    • Reply URL (Assertion Consumer Service URL): the Single sign on URL from Docfiy

Leave the other values blank and click Save.

4

Configure Attributes & Claims in Microsoft Entra

  1. In Microsoft Entra, navigate to Attributes & Claims.
  2. Select Unique User Identifier (Name ID) under "Required Claim."
  3. Change the Source attribute to user.primaryauthoritativeemail.
  4. Under Additional claims, create the following:
    Name        Value
    firstName   user.givenname
    lastName    user.surname
5

Copy the Microsoft Entra metadata URL

Under SAML Certificates, copy the App Federation Metadata URL.

6

Save in Docfiy

Back in the Docfiy dashboard, paste the metadata URL and click Save changes.

7

Assign users

In Microsoft Entra, navigate to Users and groups. Assign the users who should have access to your Docfiy dashboard.

JIT provisioning

When you enable JIT (just-in-time) provisioning, users who sign in through your identity provider are automatically added to your Docfiy organization.

JIT provisioning only works for IdP-initiated login. Users must sign in from your identity provider (Okta dashboard or Microsoft Entra portal) rather than starting from the Docfiy login page.

To enable JIT provisioning, you must have SSO enabled. Navigate to the Single Sign-On page in your dashboard, set up SSO, and then enable JIT provisioning.

Map RBAC roles with SAML groups

Assign roles to users based on their identity provider group membership. When a user signs in through SSO, Docfiy reads the groups attribute from the SAML assertion and maps those groups to dashboard roles.

Configure group attribute statements

Add a groups attribute statement to your SAML identity provider configuration. The attribute must use the unspecified name format.

The resulting SAML assertion should include an AttributeStatement.

Example SAML assertion
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Everyone</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Engineering</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Admins</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Key requirements:

  • The attribute name must be groups (case-sensitive)
  • The name format must be urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  • Each group the user belongs to should be a separate AttributeValue element
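
The key requirements above can be checked against a decoded assertion captured from a test sign-in before you rely on group-to-role mapping. This is an added example, not Docfiy code: the function name `check_groups_attribute`, the sample input, the comma/semicolon heuristic, and the choice to report a missing NameFormat are all assumptions of the example.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

def check_groups_attribute(xml_text):
    """Return (groups, problems) for a decoded SAML assertion or AttributeStatement."""
    # Refuse DTDs so entity declarations are never handed to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return [], ["document contains a DTD; refusing to parse it"]
    attrs = list(ET.fromstring(xml_text).iter(f"{{{NS}}}Attribute"))
    exact = [a for a in attrs if a.get("Name") == "groups"]  # case-sensitive match
    if not exact:
        near = [a.get("Name") for a in attrs if (a.get("Name") or "").lower() == "groups"]
        if near:
            return [], [f"attribute is named {near[0]!r}; it must be exactly 'groups'"]
        return [], ["no 'groups' attribute in the assertion"]
    problems = []
    if len(exact) > 1:
        problems.append("more than one 'groups' attribute; only the first is checked")
    attr = exact[0]
    # Strict on purpose: a missing NameFormat is reported too (assumption of this example).
    if attr.get("NameFormat") != UNSPECIFIED:
        problems.append(f"NameFormat is {attr.get('NameFormat')!r}, expected {UNSPECIFIED}")
    groups = [(v.text or "").strip() for v in attr.findall(f"{{{NS}}}AttributeValue")]
    if not groups:
        problems.append("'groups' has no AttributeValue elements")
    for g in groups:
        if not g:
            problems.append("empty AttributeValue")
        elif "," in g or ";" in g:  # heuristic: several groups packed into one value
            problems.append(f"{g!r} looks like several groups in one AttributeValue")
    return groups, problems

# Constructed sample: wrong NameFormat and two groups joined in a single value.
SAMPLE_BAD = f"""<saml2:AttributeStatement xmlns:saml2="{NS}">
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>Engineering,Admins</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

if __name__ == "__main__":
    groups, problems = check_groups_attribute(SAMPLE_BAD)
    print("groups:", groups)
    for p in problems:
        print("problem:", p)
```

The check only inspects attribute shape; it does not verify the assertion's signature, so use it on assertions from your own test sign-ins, not as an authentication step.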

In your Okta SAML app configuration, add a group attribute statement:

Name     Name format   Filter          Value
groups   Unspecified   Matches regex   .*

Adjust the filter to match the specific groups you want to send to Docfiy.

Once configured, Docfiy maps the group names from the SAML assertion to roles in your organization. To set up or modify group-to-role mappings, reach out to your Docfiy account representative.

Change or remove SSO provider

  1. Navigate to the Single Sign-On page in your dashboard.
  2. Click Configure.
  3. Select your preferred SSO provider or no SSO.

If you remove SSO, users must authenticate with a password, magic link, or Google OAuth instead.

Other providers

For providers other than Microsoft Entra or Okta SAML, contact us to configure SSO.

Google Workspace with SAML

1

Create an application

  1. In Google Workspace, navigate to Web and mobile apps.
  2. Click Add custom SAML app in the Add app dropdown.

Screenshot of the Google Workspace SAML application creation page with the "Add custom SAML app" menu item highlighted

2

Send us your IdP information

Copy the provided SSO URL, Entity ID, and x509 certificate and send them to the Docfiy team.

Screenshot of the Google Workspace SAML application page with the SSO URL, Entity ID, and x509 certificate highlighted. The specific values for each of these are blurred out.

3

Configure integration

On the Service provider details page, enter the following:

  • ACS URL (provided by Docfiy)
  • Entity ID (provided by Docfiy)
  • Name ID format: EMAIL
  • Name ID: Basic Information > Primary email

Screenshot of the Service provider details page with the ACS URL and Entity ID input fields highlighted.

On the next page, enter the following attribute statements:

Google Directory Attribute   App Attribute
First name                   firstName
Last name                    lastName

Once this step is complete and users are assigned to the application, let our team know and we'll enable SSO for your account.

Okta (OIDC)

1

Create an application

In Okta, under Applications, create a new app integration using OIDC. Choose the Web Application application type.

2

Configure integration

Select the authorization code grant type and enter the Redirect URI provided by Docfiy.

3

Send us your IdP information

Navigate to the General tab and locate the client ID and client secret. Securely provide these to us along with your Okta instance URL (for example, <your-tenant-name>.okta.com). You can send these via a service like 1Password or SendSafely.