Ⓘ Available to HQ, Essentials, Teams & Corporate accounts
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. SSO can be used by enterprises, organizations, and individuals to reduce the burden of managing multiple usernames and passwords, which is why it is only available to accounts with distributed teams.
Currently, we offer IdP-initiated SSO through SAML (Security Assertion Markup Language). Essentially, this means that SSO uses SAML to create a virtual handshake between us and your identity provider, which allows the user to sign in to multiple applications.
You can set this up for yourself in your account with the help of your SSO provider. To do so, you will need the information about your IdP (identity provider) listed below. Note that only account Owners and Managers who have access to all current and future subaccounts will have access to the SSO portion of your account.
Additionally, once SSO is enabled on your account, new users who are added will not receive the usual welcome email that asks them to set up a username and password, since those elements are already embedded in the SSO functionality.
IdP info to get from your SSO provider:
- Entity ID (must be a valid URN)
- Single sign-on URL
- Single logout URL (optional)
- Public X.509 certificate (text version will work)
Our metadata can be accessed at https://app.e2ma.net/app2/sso/metadata/
Assertion URL can be accessed at https://app.e2ma.net/app2/sso/metadata/
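A pre-flight check for the IdP values listed above, run before pasting them into the SSO tab. This is an added example, not code from this service or your SSO provider; the function names, the https-only rule and the simplified URN pattern are assumptions of the example, and the sample certificate is a constructed placeholder.

```python
import hashlib
import re
import ssl
from urllib.parse import urlparse

# Simplified RFC 8141 shape: urn:<NID>:<NSS>, NID = 2-32 letters/digits/hyphens.
URN_RE = re.compile(r"urn:[a-z0-9][a-z0-9-]{0,30}[a-z0-9]:\S+", re.I)

# Constructed sample: a 260-byte DER-shaped placeholder, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def cert_der(pem_text):
    """Decode a pasted PEM block and confirm it holds one complete DER SEQUENCE."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())  # ValueError on bad armor/base64
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:  # short-form length
        header, length = 2, der[1]
    else:  # long form: the next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or has trailing data")
    return der


def check_idp_settings(entity_id, sso_url, certificate_pem, slo_url=None):
    """Return (problems, sha256_fingerprint) for the four IdP values listed above."""
    problems = []
    if not URN_RE.fullmatch(entity_id):
        problems.append("Entity ID is not a URN")
    for label, url, required in (("Single sign-on URL", sso_url, True),
                                 ("Single logout URL", slo_url, False)):
        if not url:
            if required:
                problems.append(label + " is missing")
            continue
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:  # https: example's assumption
            problems.append(label + " is not an absolute https URL")
    fingerprint = None
    try:
        fingerprint = hashlib.sha256(cert_der(certificate_pem)).hexdigest()
    except ValueError as exc:
        problems.append("Certificate: %s" % exc)
    return problems, fingerprint
```

Call check_idp_settings with your own values and compare the returned SHA-256 fingerprint with the one your IdP console shows for its signing certificate; a mismatch or a "truncated" problem usually means the certificate text was cut off when copied.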
How to add SSO to your account
1. Log in and select the Account page from the dropdown menu next to your name.
2. Click on the SSO tab and select Add SSO provider.
Frequently Asked Questions about SSO
Does the SSO support SAML 2.0?
Yes
What attributes are required to utilize SSO?
- Entity ID
- SSO URL
- X.509 certificate
- SLO URL (optional)
How do you use the PII (personally identifiable information) related to the attributes you receive?
The only PII attribute we receive is the SAML NameID passed in the assertion that corresponds to the username (email address) of the user. More information on how we protect this email address can be found in our Privacy Policy.
How is metadata shared to set up trust between your service provider (SP) and our identity provider (IdP)?
- Our metadata is available here: https://app.e2ma.net/app2/sso/metadata/
- You are responsible for configuring your IdP with that metadata. Then you can set up a new SSO provider in the app by following the instructions found above in this article.
Are the links to your system IdP initiated or SP initiated?
IdP Initiated
After I add SSO to my account, will new users still receive a welcome invitation email when they are added?
No. If SSO is enabled on your account, the usual email invitation will be suppressed and will not be delivered to the user.
What is the SP (service provider) URL to use to log in to / access the system?
https://app.e2ma.net/app2/sso/assert_identity/
Do you require test accounts?
No
Do you have a stage environment for testing?
No
Do you support SHA256 hashing for the signed SSO request?
Yes
Do you require a separate SSO solution for admin logins?
No
Please note: If you or any of your users were set up before SSO was enabled, the user(s) will still be able to log in directly to their account with their original username and password after SSO is in place.
Due to the intrinsic nature of SSO, we do not offer troubleshooting assistance beyond what is available in this article and the Account settings of the app; instead we suggest that you contact your SSO provider for assistance.