Using SAML Metadata
- Nataliia Plakhtii (Deactivated)
- Mercedes Rothwell
- Gints Vaskums
To securely use SAML Metadata, partners share metadata that contains:
Entity ID
Cryptographic Keys
Protocol Endpoints (bindings and locations)
Tips:
Every SAML System Entity contains an entity ID, the globally unique identifier (used in software configurations), relying-party databases, and client-side cookies. On the wire, every SAML Protocol message contains the issuer's entity ID.
SAML Metadata can be identified by the initial tag: <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
Connect Metadata Location
Docupace will provide you with your Connect Metadata URL will be provided to you by Docupace. This URL is site-specific and is different in different environments. The metadata URL is formatted like this: https://{{hostname}}/{{site}}_ui/sso/samlMeta/{{connectionName}}. This URL contains the SAML 2.0 Metadata you need to provide to your IDP.
Note: Possible hostnames include:
dev.docupaceinc.com
preprod.docupaceinc.com
www1.paperout.com, www2.paperout.com
Example:
https://www1.paperout.com/InvestmentCo_ui/sso/samlMeta/InvestmentCo
The Assertion Consumer URL is different and is provided in the metadata XML file. The metadata XML can either be imported into your IDP or configured manually. If you need to configure it manually, the table below lists common mapping. Your IDP likely has instructions on how to manually configure SAML connections in their system. If you use OKTA, click here.
Name in Metadata | Configuration Name in IDP |
|---|---|
entityId | Audience or Audience Restriction |
AssertionConsumerService | Url to post SAML response Destination Recipient |
Once you configure SAML in Connect, connect the metadata location via the following link: https://{{hostname}}/{{site}}_ui/sso/samlMeta/{{connectionName}}
IDP Setup
Docupace provides SAML 2.0 Metadata. Your Identity Provider (IDP) administrator can use this metadata to register Docupace as an authorized Service Provider.
Tips:
To import metadata into your Identity Provider (IDP), refer to your IDP documentation.
To finalize the setup, provide Docupace with Identity Provider (IDP) and IDP's metadata.
Note: If the Customer requires assistance in configuring their Identity Provider (IDP), engage professional services into the IDP configuration.
Assertion Requirements
The are the following assertion requirements for configuring SAML:
SAML assertion should contain <saml:Subject><saml:NameID>userNameInDocupace<saml:NameId/></saml:Subject>
userNameInDocupace must match exactly the configured user in Docupace.
Note: userNameInDocupace is case sensitive.
Important: Docupace ignores any additional attributes within the assertion.
User Configuration
Standard Docupace configuration for the integration of SAML and SSO is based on users that are configured to only support login via SAML.
Important: Configuration of users must be handled via the standard file-upload process based on Docupace Access-control list (ACL).
Tip: Engage professional services if the Customer requires a hybrid approach when:
User can log in via both SAML SSO and direct login.
The subset of users can log in directly instead of SSO.
Service Provider Initiated by SSO
Docupace supports a Service Provider (SP) that is initiated by SSO. This Service Provider (SP) initiated by SSO includes the following link types:
Link Type | Purpose | Link |
|---|---|---|
Base Link | For configuring Service Provider (SP) initiated by SSO | https:// |
Deep Link | For launching the Monitor function | Non-SSO URL - https:// |
SSO URL - https:// |
Troubleshooting
You can solve two kinds of errors. If you see any other errors, you will need to contact Support.
Action Not Found
The Action Not Found error means that you entered the incorrect Assertion Consumer Service URL to the URL that contains the Metadata. You can find the correct URL in the metadata XML file.
No valid subject assertion found in response
If you see No valid subject assertion found in response, it means that the certificate configured in Docupace does not match the certificate configured in your IDP. This means you need to update the Docupace metadata configuration. This can occur if there is a mixup between environments or if the IDP configuration has changed since Docupace received the metadata.
