# SSO using SAML

### Introduction

Unifize supports single sign-on (SSO) using SAML 2.0, allowing organizations to integrate their existing identity providers (IdPs) such as Microsoft Entra ID (Azure Active Directory), Google Workspace, Okta, or other SAML-compliant systems.

SSO centralizes and secures user authentication, enabling IT teams to enforce identity policies while improving user experience and aligning with enterprise security and compliance standards.

***

### Why SSO matters for security and compliance

#### Centralized authentication

SSO ensures all authentication flows are governed by your organization’s IdP. This gives IT teams control over:

* Credential lifecycle and user provisioning
* Password policy enforcement
* Multi-factor authentication (MFA) requirements
* Device and location-based access policies

#### Regulatory alignment

SSO contributes to organizational compliance with standards such as:

* SOC 2
* ISO 27001
* HIPAA (where applicable)

It supports access control policies, traceable login activity, and identity governance—key components of secure process management.

#### Reduced risk exposure

Since SSO-managed users do not create or store passwords in Unifize, the risk of password-related attacks on those accounts is eliminated. Authentication happens entirely through the trusted IdP, reducing the application’s attack surface.

***

### Key capabilities

| Capability                     | Description                                                           |
| ------------------------------ | --------------------------------------------------------------------- |
| SAML 2.0 support               | Integrates with any SAML-compliant IdP                                |
| Domain-based routing           | Users are redirected to their IdP based on email domain configuration |
| MFA support                    | Multi-factor authentication is handled by the identity provider       |
| OTP-based signature validation | SSO users approve digital signatures with one-time passcodes          |
| Centralized session management | Sessions follow IdP-configured timeout and reauthentication policies  |
| Authentication event logging   | Login and OTP activities are logged and auditable in Unifize          |

***

### Authentication flow

1. User navigates to the Unifize login page or opens the mobile app
2. They enter their work email address
3. If their domain is SSO-enabled, Unifize redirects them to the identity provider
4. The IdP authenticates the user (including MFA if configured)
5. After successful login, the user is redirected back to Unifize

For approval workflows, users are prompted to confirm their identity by entering a one-time passcode (OTP) sent to their email. This takes the place of a Unifize-managed password.

***

### SSO configuration overview

SSO is configured by Unifize administrators from **Org Settings → SSO**. Required fields include:

* Domain (e.g. `yourcompany.com`)
* Entity ID (from the IdP)
* SSO URL (IdP login endpoint)
* X.509 certificate

Unifize provides the following for your IdP setup:

* Service provider Entity ID
* Authorization callback URL
* Org SSO URL

For Azure AD (Microsoft Entra ID), Okta, and Google Workspace, setup requires mapping these values within the enterprise application’s SAML configuration.
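As an added illustration (not Unifize's own code), the block below shows how a service provider could implement steps 2 and 3 of the authentication flow using the fields from this section: look up the user's email domain in the SSO configuration and, if the domain is SSO-enabled, build the SAML 2.0 AuthnRequest redirect to the IdP's SSO URL. The domain, URLs and entity IDs are constructed placeholders; the X.509 certificate from the configuration is only used later to verify the IdP's signed response and is not needed to build the request.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the per-domain SSO configuration an admin enters under
# Org Settings -> SSO (the IdP X.509 certificate is used on the response path).
SSO_CONFIG = {
    "example.com": {"sso_url": "https://idp.example.com/saml/sso"},
}
# Hypothetical SP values of the kind the SP hands to the IdP admin.
SP_ENTITY_ID = "https://sp.example.net/saml/metadata"
SP_CALLBACK_URL = "https://sp.example.net/saml/acs"


def sso_domain_for(email):
    """Return the SSO-enabled domain for an email address, else None."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain if domain in SSO_CONFIG else None

def build_authn_request(domain, request_id=None):
    """Minimal SAML 2.0 AuthnRequest naming the SP and its callback URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{SSO_CONFIG[domain]["sso_url"]}" '
        f'AssertionConsumerServiceURL="{SP_CALLBACK_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def redirect_url_for(email):
    """Step 3 of the flow: HTTP-Redirect binding URL, or None for local login."""
    domain = sso_domain_for(email)
    if domain is None:
        return None
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(build_authn_request(domain).encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{SSO_CONFIG[domain]['sso_url']}?{query}"

def decode_saml_request(url):
    """Inverse of the binding, as the IdP would do it: returns the AuthnRequest XML."""
    encoded = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()
```

Users whose domain is not in the configuration get `None` and fall through to local login, which is the domain-based routing behaviour described in the capabilities table.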

***

### Compliance considerations

| Security domain               | SSO alignment                                                       |
| ----------------------------- | ------------------------------------------------------------------- |
| Access control                | Identity provider controls access centrally                         |
| Password policy management    | Handled by IdP; Unifize does not store SSO passwords                |
| Deprovisioning and revocation | Disable user access in the IdP to remove Unifize access immediately |
| Audit trail                   | Unifize logs all login and OTP-based approval actions               |
| Signature compliance          | OTP-based authentication ensures signature traceability             |
