Sertifi SSO
Note
Sertifi supports SSO using the SAML 2.0 protocol. This is supported by most identity providers, including Okta, Azure, Active Directory Federation Services, and OneLogin.
You can enable Single Sign-On (SSO) for your Sertifi Portals. Once SSO is enabled, all admins must log into their portal using your enterprise authentication system.
SSO Considerations for Existing Sertifi Customers
There are two key considerations if you want to enable SSO for your Sertifi portals:
If your users have existing Sertifi profiles, they can log in with SSO, and Sertifi will pair each existing Sertifi profile to the email address the user logs in with. However, this assumes that your users' login email address is the same email address they use to log into your system.
If SSO is configured and enabled, your users' login process will change. Rather than using their originally created username and password, they will have to click Log in with Enterprise ID when logging into the portal.
User Provisioning
You have two ways to provision users for SSO. You can employ Just-in-time (JIT) provisioning or Ahead-of-time (AOT) provisioning.
AOT Provisioning
AOT provisioning gives users without an existing Sertifi profile full Admin or higher access from their initial login. Sertifi can create profiles for these users that are tied to the users' IDs in your system. To do this, you must provide Sertifi with:
The users' email addresses
The users' system IDs
The users' assigned roles (User, Admin, etc.)
Alternatively, the Super Admin can create the profiles via the Create Admin page in the portal, so that when the users log in with SSO for the first time, they're already associated with the correct profile. If you have multiple users that you want to add to the Sertifi portal via AOT provisioning, you can use a Bulk Send to transmit the above information for each user to Sertifi.
JIT Provisioning
Sertifi currently offers limited JIT provisioning functionality. When a new user logs in with SSO, our system will create a Sertifi profile using the provided email address, first name, and last name. This profile is then tied to the user's ID for future logins.
However, this profile only receives User-level access initially, which means that the user cannot send documents. The Super Admin for the portal will need to update the user to have Admin access using the Create Admin page in the portal.
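A pre-rollout check for the pairing and provisioning rules above, as an added example that is not Sertifi's own code: it compares an export of existing Sertifi profiles with your identity provider's user list to show which profiles will pair by email, which will not, and which new users need AOT details sent so they start with Admin or higher access. The CSV layouts, column names and sample users are constructed assumptions, as is the case-insensitive email comparison.

```python
import csv
import io

# Constructed sample exports. Column names and the CSV layout are assumptions.
SERTIFI_PROFILES = """email,role
Alice.Ng@example.com,Admin
bob@example.com,Super Admin
carol@old-domain.example,Admin
"""
IDP_USERS = """system_id,email,desired_role
u-1001,alice.ng@example.com,Admin
u-1002,bob@example.com,Super Admin
u-1003,carol@example.com,Admin
u-1004,dave@example.com,Admin
u-1005,erin@example.com,User
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def plan_sso_rollout(profiles_csv, idp_csv):
    """Sort users by what enabling SSO means for them."""
    # Assumption: addresses are compared case-insensitively after trimming.
    profiles = {r["email"].strip().lower(): r for r in _rows(profiles_csv)}
    idp = {r["email"].strip().lower(): r for r in _rows(idp_csv)}
    plan = {"paired": [], "unpaired_profiles": [], "aot_rows": [], "jit_sufficient": []}
    for email in profiles:
        # An existing profile pairs only if the SSO login email is the same address.
        key = "paired" if email in idp else "unpaired_profiles"
        plan[key].append(email)
    for email, user in idp.items():
        if email in profiles:
            continue
        if user["desired_role"] == "User":
            # JIT creates a User-level profile at first login; nothing to send.
            plan["jit_sufficient"].append(email)
        else:
            # Admin or higher from first login needs AOT: email, system ID, role.
            plan["aot_rows"].append((email, user["system_id"], user["desired_role"]))
    return plan

if __name__ == "__main__":
    for bucket, entries in plan_sso_rollout(SERTIFI_PROFILES, IDP_USERS).items():
        print(bucket, entries)
```

An address in unpaired_profiles means an existing profile whose email has no match in the identity provider, so it should be corrected or re-provisioned before SSO is turned on.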
Users with multiple portal access
In some cases, a user might have Admin or higher access to multiple Sertifi portals. When the user logs in with SSO, the user can access each portal they have Admin or higher access to via a dropdown in the top right side of the portal, next to their username.
However, if the user doesn't have Admin or higher access to multiple portals, you can have those users default directly to the portals they can access. To set this up, provide your Client Success Manager with the account you want to serve as the landing page for these users.