How to Enable and Configure Single Sign On (SSO)

Have more questions? Submit a request

Enabling SSO authentication for your account allows you to leverage your existing Identity Provider to manage your GoCanvas users. 

Please Note

Accounts cannot use both SSO and LDAP simultaneously.

Single Sign On

SSO is especially valuable if you are managing a large number of users and need more control over who has access to their GoCanvas account. 

  1. Navigate to the Account Settings page by expanding the Account drop down in the left navigation. If Departments are enabled, remember to switch to the All department.
  2. Scroll to Advanced Settings and select the Settings buttons associated with Single Sign On. If Single Sign On is not included in your plan, you will receive a pop-up requiring you to upgrade your plan.


Account_Settings_Advanced_SSO Tool Tip.png

Configuring SSO

The Single Sign On Settings page, shown below with field explanations, also has Setup Instructions accessible at the top of the page.


Issuer URI

This is the Issuer URI of the Identity Provider. This value is usually the SAML Metadata EntityID of the IDP EntityDescriptor.

Sign In URL
The URL to which the authentication request should be sent. This would be on the identity provider.
X509 Signing Certificate
This is the certificate of the Identity Provider used to verify SAML message and assertion signatures.
Sign Out URL
This is the URL location where the single logout response will be sent.
User Id Attribute
This is the attribute in the SAML token that will be mapped to the user_id property.
Metadata URL
This is the Identity Provider metadata URL. An Identity Provider metadata contains keys, services, and URLs that define its SAML endpoints.
Sign Request

Specifies whether to sign SAML AuthnRequest messages that are sent from GoCanvas to Identity Provider. When enabled, the SAML authentication request will be signed. Download the certification (open up the View setup instruction for IDP provider section) and give it to the Identity Provider that will receive the signed assertion so it can validate the signature.

Sign Request Algorithm
Specifies the signature algorithm used to sign SAML AuthnRequest messages sent to the Identity Provider.
Sign Request Digest Algorithm
Determines the digest algorithm used to digitally sign the SAML assertion and response.
Enable for All Users
Checking this will enable SSO authentication for all users on the account. If you would like to manually enable SSO authentication for users, leave this unchecked. To enable SSO for individuals, visit their Profile page by clicking on their name on the Users page under the Account section.
View setup instruction for IDP provider
This is the help block to provide instruction for IDP provider setup. Click on this to view different configuration values those are required to setup your Identity Provider. You can also download the certificate and give it to the Identity Provider that will receive the signed assertion so it can validate the signature.

Adding Users

You can add your SSO users to GoCanvas by navigating to the Users page under the Account drop down in the left navigation. Add users by selecting the Fill Seat button for any empty seat. Contact your Account Representative if you need additional seats.

If you have SSO configured within your account, the form will check the Use SSO Authentication checkbox by default. If you wish to set up any particular user without SSO for authentication, unchecking this box will present you with options for setting the user's password directly within GoCanvas.

Disabling Users

Disabling a user within your authentication server will not disable their GoCanvas account, but it will prevent them from logging in. Note that already authenticated users will remain authenticated on the web, but will be unable to log in or sync via the GoCanvas mobile application. If it's important that their access to GoCanvas be revoked immediately, disable the user on the website by navigating to the Users page under the Account drop down in the left navigation and select the Disable icon for that user.

Editing a User's Settings

At any time, you can turn off SSO authentication for their GoCanvas account by navigating to the Users page under the Account drop down and selecting the user's name, then Edit SSO Settings.

Forgotten Passwords

When a user is configured to authenticate to an Identity Provider, GoCanvas is unable to use the typical forgotten password process. Instead, when a user visits the Forgot Password form and enters their email address, GoCanvas detects that they are an SSO user and prompts them to seek help from their company IT department or help desk.

How it Works

GoCanvas uses a SP-Initiated SSO method of authenticating your users to your Identity Provider. When a user attempts to authenticate, GoCanvas looks up the identity provider settings you configured, and figures out the user's SSO settings. The request is redirected to the Identity Provider to handle authentication. If the user is not already logged on to the Identity Provider site or if re-authentication is required, the Identity Provider asks for credentials, i.e. username and password.

The Identity Provider's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the GoCanvas. If the authentication assertion for the user succeeds, GoCanvas considers the user to be authenticated and allows him/her access. If authentication assertion fails, the user is denied access.

Articles in this section

Was this article helpful?
1 out of 4 found this helpful



Please sign in to leave a comment.