Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Current »

To securely use SAML Metadata, partners share metadata that contains:

  • Entity ID

  • Cryptographic Keys

  • Protocol Endpoints (bindings and locations)

Tips:

  • Every SAML System Entity contains an entity ID, the globally unique identifier (used in software configurations), relying-party databases, and client-side cookies. On the wire, every SAML Protocol message contains the issuer's entity ID.

  • SAML Metadata can be identified by the initial tag: <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>

Connect Metadata Location

Docupace will provide you with your Connect Metadata URL will be provided to you by Docupace. This URL is site-specific and is different in different environments. The metadata URL is formatted like this: https://{hostname}/{site}_ui/sso/samlMeta/{connectionName}. This URL contains the SAML 2.0 Metadata you need to provide to your IDP.

Note: Possible hostnames include:

  • dev.docupaceinc.com

  • preprod.docupaceinc.com

  • www1.paperout.com, www2.paperout.com

The Assertion Consumer URL is different and is provided in the metadata XML file. The metadata XML can either be imported into your IDP or configured manually. If you need to configure it manually, the table below lists common mapping. Your IDP likely has instructions on how to manually configure SAML connections in their system. If you use OKTA, click here.

Name in Metadata

Configuration Name in IDP

entityId

Audience or Audience Restriction

AssertionConsumerService

Url to post SAML response

Destination

Recipient

Once you configure SAML in Connect, connect the metadata location via the following link: https://www.preprod.docupaceinc.com/financialdemo_ui/sso/samlMeta/default

IDP Setup

Docupace provides SAML 2.0 Metadata. Your Identity Provider (IDP) administrator can use this metadata to register Docupace as an authorized Service Provider.

Tips:

  • To import metadata into your Identity Provider (IDP), refer to your IDP documentation.

  • To finalize the setup, provide Docupace with Identity Provider (IDP) and IDP's metadata.

Note: If the Customer requires assistance in configuring their Identity Provider (IDP), engage professional services into the IDP configuration.

Assertion Requirements

The are the following assertion requirements for configuring SAML:

  • SAML assertion should contain <saml:Subject><saml:NameID>userNameInDocupace<saml:NameId/></saml:Subject>

  • userNameInDocupace must match exactly the configured user in Docupace.

Note: userNameInDocupace is case sensitive.

Important: Docupace ignores any additional attributes within the assertion.

User Configuration

Standard Docupace configuration for the integration of SAML and SSO is based on users that are configured to only support login via SAML.

Important: Configuration of users must be handled via the standard file-upload process based on Docupace Access-control list (ACL).

Tip: Engage professional services if the Customer requires a hybrid approach when:

  • User can log in via both SAML SSO and direct login.

  • The subset of users can log in directly instead of SSO.

Service Provider Initiated by SSO

Docupace supports a Service Provider (SP) that is initiated by SSO. This Service Provider (SP) initiated by SSO includes the following link types:

Link Type

Purpose

Link

Base

For configuring Service Provider (SP) initiated by SSO

https://{{host}}/{{site}}_ui/sso/saml/{{clientname}}

Deep

For launching the Monitor function

Non-SSO URL - https://{{host}}/{{site}}_ui#/monitor

SSO URL - https://{{host}}/{{site}}_ui/sso/saml/{{clientname}}/bookmark/monitor

Troubleshooting

You can solve two kinds of errors. If you see any other errors, you will need to contact Support.

Action Not Found

The Action Not Found error means that you entered the incorrect Assertion Consumer Service URL to the URL that contains the Metadata. You can find the correct URL in the metadata XML file.

image-20240620-083039.png

No valid subject assertion found in response

If you see No valid subject assertion found in response, it means that the certificate configured in Docupace does not match the certificate configured in your IDP. This means you need to update the Docupace metadata configuration. This can occur if there is a mixup between environments or if the IDP configuration has changed since Docupace received the metadata.

image-20240620-083231.png

  • No labels