
Single Sign-On

Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based protocol for exchanging authentication and authorization data between an identity provider and a web service.

We use this protocol to provide the Single Sign-On (SSO) capability that allows you to use your existing organisation's username and password to access your ProofHQ account.

This means that you will not authenticate against ProofHQ's login page; you will authenticate against your own login system instead.

Please note: You must have a custom sub-domain or domain set up on your ProofHQ account to enable SAML.

Please note: Single Sign-On is only available on our Select and Premium plans.

The Single Sign-On functionality can be enabled in the Single sign-on tab of your Account settings, and it will apply to all the users on your ProofHQ account.

Entity ID

As a Service Provider, we publish our Entity ID at https://yoursubdomain.proofhq.com/saml/module.php/saml/sp/metadata.php/phq (replace "yoursubdomain" with your account's sub-domain).

ProofHQ requires the user's email address as their unique identifier, which can be passed as one of the following attributes:
  • urn:mace:dir:attribute-def:emailAddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/claims/EmailAddress
  • urn:oid:0.9.2342.19200300.100.1.3
  • http://axschema.org/contact/email
  • openid.sreg.email
  • mail
  • email
  • emailAddress
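
A pre-flight check an IdP administrator can run on a sample AttributeStatement to confirm that the email is released under one of the names listed above. This is an added example, not ProofHQ code; the sample XML is constructed, the function name is hypothetical, and exact, case-sensitive name matching is an assumption. It does not verify signatures.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Attribute names the page lists as accepted carriers of the user's email.
ACCEPTED = {
    "urn:mace:dir:attribute-def:emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/claims/EmailAddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
    "http://axschema.org/contact/email",
    "openid.sreg.email",
    "mail",
    "email",
    "emailAddress",
}

# Constructed AttributeStatement as an IdP might release it (not captured traffic).
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml:AttributeValue> ada@example.com </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def released_email(statement_xml):
    """Return (attribute_name, email) for the first accepted attribute, else None."""
    root = ET.fromstring(statement_xml)
    for attr in root.iter(SAML + "Attribute"):
        name = attr.get("Name")
        if name not in ACCEPTED:  # assumption: exact, case-sensitive match
            continue
        for value in attr.iter(SAML + "AttributeValue"):
            email = (value.text or "").strip()
            local, _, domain = email.partition("@")
            # Reject empty values and strings that are not plausibly an address.
            if local and domain and "@" not in domain:
                return name, email
    return None
```

A result of `None` means the IdP either releases no email or releases it under a name that is not in the list, which matters because users are matched to accounts by email address.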

To configure SSO:
  • Go to the Single Sign-On tab (1)
  • Enter the SSO URL (2)
  • Enter the Login URL (3)
  • Enter the Logout URL (4)
  • Enter the Certificate fingerprint (5)
  • Switch SSO to Enabled (6)
  • Enable Automatically provision users option, if needed (7)


SSO URL (aka SAML Issuer / ID URL etc.) 

This is the link to your SSO server (e.g. https://sso.mycompany.com/opensso)

Login URL


The URL that will be invoked to redirect the users to your Identity Provider

Please note: This is not an actual URL you can enter in the browser but rather an endpoint which will process the information we send it in order to present the Login screen

Logout URL*


This is the URL you will be returned to after you log out, e.g.

https://www.yourcompany.com/services/logout.asp

Certificate fingerprint


The SHA1 fingerprint of the SAML certificate provided by your SAML Identity Provider.

Please note: Make sure the Key Info is included by enabling this setting on your Identity Provider.

SSO


Once SSO is enabled, you and other users on your account will log in using your own authentication mechanism. This means that when users access your ProofHQ account login screen (e.g. yourcompany.proofhq.com/login), they will be shown a transfer window to your own authentication login page.

Automatically provision users


Once this option is enabled the user accounts will be automatically created for people who don't have their own ProofHQ profiles, but will access your ProofHQ account using their Single Sign-On credentials. This will be actioned only when the user limit is not yet reached on your account.

Please note: New provisioned users will have the Manager profile permissions assigned by default.

When you have satellite accounts connected to your hub account, you can administer them from the hub account level.

Single Sign-On is a Select and Premium feature, so it can only be enabled on satellites that are on Select and Premium plans. To do this:
  • Go to your Account settings (1)
  • Choose the satellite account from the drop down menu (2)
  • Go to the Single Sign-On tab (3)
  • Start editing the SSO configuration (4)




Here you will have two methods (5) of configuration:
  • A. Inherited - SSO with the configuration taken from your hub account *
  • B. Manual (default) - SSO with a different configuration (e.g. pointing to another Identity Provider)
* If the satellite account is inheriting the SSO configuration from the hub account, the login screen will be that of the hub account. When the satellite account user enters their SSO login details on this page, they will be re-directed back to the satellite account.





After choosing your preferred configuration, click the Save button (6).

SSO settings inherited from the hub account


When you choose to inherit the settings from your hub account you'll notice that all the fields are now populated with the data from your hub account (7) and Single Sign-On is automatically Enabled/Disabled (8) as on your main account. There are also no edit links in the fields anymore, as the whole SSO configuration for the Satellite Account is now set and managed from your hub account.





In your hub account (9) the SSO Usage field will show that this configuration is in use by satellite accounts (10).





SSO configured manually

If Manual SSO configuration has been chosen for a satellite account (1), you will need to manually enter the data for the Single Sign-On. To do this, click Edit, populate the field and then click Save (2).

After entering all the data switch the SSO field to Enabled by clicking the link (3).




Make sure that you have your ProofHQ domain/sub-domain (1) set up in the Settings tab of your Account settings and that your users access your ProofHQ account through this customized domain/sub-domain*.





With your Single Sign-On enabled your sub-domain login URL (e.g. yourcompany.proofhq.com/login) will display a transfer screen (2) that will take you directly to your SSO login page.





* If a user accesses ProofHQ through the default log in page (https://www.proofhq.com/login) there will be two levels of authorization - first a user will be asked to log in using ProofHQ access data (email and password) and after that - will be transferred through an SSO window (2) to the SSO login page.

Therefore, with the SSO service enabled, we recommend logging in through your own ProofHQ sub-domain/domain.

Please note: At this time, when Single Sign-On is enabled on your ProofHQ account, you won't be able to log in to the iPhone app with those credentials.

Adding a new user


When the Single Sign-On functionality is enabled on your ProofHQ account, new users will not receive any confirmation emails as their accounts will be automatically activated and ready to use.

From your ProofHQ log in page, after clicking the Login button they will be taken to your SSO login page and asked to enter your Single Sign-On login credentials.

Please note: Users are identified through an email address during the authentication process which means that the email account used for your SSO login MUST be the email address of the user registered within your account.

AD FS is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries - more information can be found on the Microsoft pages.

The ProofHQ system supports SAML 2.0 and is only compatible with AD FS version 2.0 or greater.

Please see Single Sign-on: AD FS configuration for the detailed instructions.