SSO Setup

Camillia S

SSO is here!

Proposify now offers the ability to use Salesforce, Okta and Azure as Identity Providers by utilizing a managed Connected App. 

This feature is available on our business plan: if you are on this plan already, reach out to your Success Manager to have this turned on for your account.

 


 

Heads up: SSO is only supported on accounts using a custom domain ({my.company}.proposify.com), not the app.proposify.com domain. See the article Branded URL to set up your domain.

 

 

Setup Guide

Salesforce

To start, navigate to your Settings page, and select SSO:

Account settings image panel

 

To configure the SSO settings, select Salesforce from the dropdown menu next to Provider:

SSO main page

 

After the settings have been saved, when a user visits a page that requires authentication on your Proposify subdomain, they will be redirected to the Salesforce login page (if they don't already have an established session):

Salesforce login pop-up

 

The first time a user logs in through Single Sign-On (SSO), they will be prompted to authorize the SSO connected app:

Allow access in Proposify for Salesforce

 

Note: There is a two-minute timeout for authorizing and logging in. If the user takes longer than two minutes, they will be redirected back to the standard Proposify login page. Simply access the desired page again to authenticate.

 

  • After authorization, the user will be redirected to the Proposify app.
  • By default, a user will be redirected to login.salesforce.com when logging in. However, if an account is already connected to Salesforce, they can skip the login form entirely and be redirected to the instance URL specified by the integration.

Optional Configuration

There are optional configurations available in Salesforce for managing OAuth usage:

Optional configuration menu in Salesforce for app auth.jpg

 

Block the Connected App

This will render the SSO login to Proposify unusable.

Installing and Managing the SSO Connected App

Once you've installed the Connected App, you can manage the policies for the app itself, including:

  • enabling 2FA with "High Assurance Session",
  • tweaking session timeouts,
  • setting start URLs and mobile start URLs to https://{my-company}.proposify.com/,
  • making the app visible so that the Proposify Login app shows in the App Launcher,
  • user provisioning: coming soon!

Salesforce SSO configurations

 

Once the connected app is installed, you can grant access to it through User Profiles:

Salesforce User Profile

 

That's it! By following these steps, you can easily set up and use the Salesforce SSO integration with Proposify.


 

Okta

To set up Okta SSO, we will start in Okta.

As an Okta Administrator, create a new application for Proposify SSO:

(Note the selections: "OIDC - OpenID Connect" for Sign-in method, and "Web Application" for Application Type.)

 

Next, you'll add a few more selections to the General Settings of the New Web App Integration:

 

Make sure to use the authorization code flow in Grant type.

Once you are done creating your application, you will get an OAuth2 Client ID and Client Secret generated (keep those handy!).

You can also assign users or groups to the application if you did not already.

 

Next, we will go into Proposify, and click on the SSO icon:


 

Add an OpenID connect provider:

 

Find your Okta domain's OpenID Connect configuration at: https://{myoktasubdomain}.okta.com/.well-known/openid-configuration

and add that into the Auto Discovery URL Field:

 

  • Once you add the URL to the field, you can select Auto Fill. If you don’t, you'll need to fill in some fields manually in the Advanced Configuration section.
  • Enter an easy-to-recognize name for the Identity Provider identifier, but note it should be unique in your account.
  • Copy the Client ID from the created Okta application, paste it into the applicable field, and do the same with your Client Secret. Once those are in, select submit.

 

You'll see the new provider in the list:

 

Now, scroll up to the top of the page to select your new provider from the list in the dropdown menu, and then click Save Settings:

 

You've now successfully set up your Okta SSO!


 

Azure

Here we will cover the setup of SSO with Azure Active Directory, and to begin we will start inside of Azure AD.

 

When inside Azure AD, complete the following steps, taking special note of step 5:

  1. As an Azure Active Directory Administrator, create a new App Registration for Proposify SSO,
  2. Make sure to put in a Web type Redirect URI to https://app.proposify.com/sso/callback
  3. Take note of the Directory (tenant) ID,
  4. Take note of the Application (client) ID,
  5. Generate client credentials by clicking Add a certificate or secret. Once it is created, take note of the secret value; it will not be visible after you leave the page.

Note: You can assign your app registration to users or groups to limit who can use SSO!

Once those steps are complete, time to head into Proposify!

 

In Proposify Settings, click the SSO Icon:


 

Next, add an OpenID Connect Provider:

 

Locate your Azure AD tenant's OpenID Connect configuration, which is located at https://login.microsoftonline.com/{your tenant id here}/v2.0/.well-known/openid-configuration

You will then paste that URL into the Auto Discovery URL field:

  • Once you add the URL to the field, you can select Auto Fill. If you don’t, you'll need to fill in some fields manually in the Advanced Configuration section.
  • Enter an easy-to-recognize name for the Identity Provider identifier, but note it should be unique in your account.
  • Make sure to select Azure/AD instead of Generic in the Identity Provider Style dropdown.
  • Copy the Client ID from the created Azure Application (client) ID.
  • Copy the Client Secret from the created client credentials Secret Value.
  • Select Submit.

You'll now see your new provider in the list:

 

Now, scroll up to the top of the page to select your new provider from the list in the dropdown menu, and then click Save Settings: 

 

You've now successfully set up your Azure SSO!
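A pre-flight check for the discovery documents used in the Okta and Azure sections above, shown as an added example that is not Proposify's code. It confirms that the issuer matches the Auto Discovery URL, that the endpoints are HTTPS, and that the authorization code flow is advertised. The function name `check_discovery`, the `example` Okta subdomain, the all-zero tenant ID and all three sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    # OIDC Discovery: issuer plus the well-known suffix must equal the fetch URL.
    if doc.get("issuer", "").rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match discovery URL")
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    # The guide selects the authorization code grant, so "code" must be offered.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

# Constructed sample data: "example" subdomain and all-zero tenant ID are placeholders.
OKTA_URL = "https://example.okta.com" + WELL_KNOWN
OKTA_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
}
TENANT = "00000000-0000-0000-0000-000000000000"
AZURE_BASE = f"https://login.microsoftonline.com/{TENANT}"
AZURE_URL = f"{AZURE_BASE}/v2.0{WELL_KNOWN}"
AZURE_DOC = {
    "issuer": f"{AZURE_BASE}/v2.0",
    "authorization_endpoint": f"{AZURE_BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AZURE_BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{AZURE_BASE}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token"],
}
# Constructed failing case: wrong issuer, plain-http token endpoint, no keys, no code flow.
BAD_DOC = {"issuer": "https://other.example.com",
           "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
           "token_endpoint": "http://example.okta.com/oauth2/v1/token",
           "response_types_supported": ["id_token"]}
```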


 

Troubleshooting

Some users will not utilize this SSO login, what will they do?

If there are users who will not utilize the SSO login, they can log in normally using app.proposify.com, which will bypass the SSO login.

 

My third party identity provider login page does not show when running in an iframe in Salesforce.

Add your third party web address to the trusted sites in Salesforce.

 

Getting a forbidden 403 - This user either does not exist or has been deleted.

Make sure emails match on both sides (inside Proposify, and Salesforce).

 

Getting a forbidden 403 - No access.

Make sure the account id for the email address you are using to log in matches the account id for the SSO provider configuration.
