Sertifi SSO

Sertifi supports SSO using the SAML 2.0 protocol. This is supported by most identity providers, including Okta, Azure, Active Directory Federation Services, and OneLogin.

You can enable Single Sign-On (SSO) for your Sertifi Portals. Once SSO is enabled, all admins must log into their portal using your enterprise authentication system.

SSO Considerations for existing Sertifi customers

There are a few things to take into consideration if you want to enable SSO for your Sertifi portals.

  • If your users have existing Sertifi profiles, they can log in with SSO, and Sertifi matches them to their existing profile based on the email address they use to log in. However, this assumes that your users' login email address is the same email address they use to log into your system. The profile is then tied to the user's ID in your system for future logins.
  • Your users' login process for the portal also changes. Rather than using their originally created username and password, they must click Log In with Enterprise ID when logging into the portal.

If your users try to log in with their Sertifi credentials, they'll receive an error. They must click Log In with Enterprise ID.

User Provisioning

You have two ways to provision users for SSO. You can employ Just-in-time (JIT) provisioning or Ahead-of-time (AOT) provisioning.

AOT provisioning

AOT provisioning lets you give users who don't have an existing Sertifi profile full Admin or higher access from their initial login. Sertifi can create profiles for these users that are tied to the users' IDs in your system. To do this, you must provide Sertifi with:

  • The users' email addresses
  • The users' system IDs
  • The users' assigned role

Alternatively, the Super Admin can also create the profiles via the Create Admin page in the portal, so when the users log in with SSO for the first time, they're already associated with the correct profile.

If you have a lot of users that you want to add to the Sertifi portal via AOT provisioning, you can use a Bulk Send to send the above information for each user to Sertifi.

JIT provisioning

Sertifi currently offers limited JIT provisioning functionality. When a new user logs in with SSO, our system will create a Sertifi profile using the provided email address, first name, and last name. This profile is then tied to the user's ID for future logins.

However, this profile only receives User-level access initially, which means that the user cannot send documents. The Super Admin for the portal will need to update the user to have Admin access using the Create Admin page in the portal.
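
A pre-rollout check for the matching and provisioning rules above, as an added example (not Sertifi's code): it compares a Sertifi profile export with an IdP user export to show which users will link to an existing profile by email, which need AOT provisioning, which can rely on JIT, and which existing profiles have no matching IdP email. The CSV column names, the sample rows, and the case-insensitive comparison are assumptions.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a Sertifi or IdP format.
SERTIFI_PROFILES = """email,role
alice@example.com,Admin
Bob.Jones@example.com,Super Admin
carol@corp.example.com,Admin
"""
IDP_USERS = """system_id,email,desired_role
u-1001,alice@example.com,
u-1002,bob.jones@example.com,
u-1003,carol@example.com,Admin
u-1004,dave@example.com,Admin
u-1005,erin@example.com,
"""


def norm(email):
    # Assumption: emails are compared case-insensitively, ignoring whitespace.
    return email.strip().lower()


def plan_rollout(profiles_csv, idp_csv):
    """Classify IdP users by how their first SSO login will be handled."""
    profiles = {norm(r["email"]): r["role"]
                for r in csv.DictReader(io.StringIO(profiles_csv))}
    idp_rows = list(csv.DictReader(io.StringIO(idp_csv)))
    idp_emails = {norm(r["email"]) for r in idp_rows}
    plan = {"matched": [], "aot": [], "jit": [], "orphaned": []}
    for row in idp_rows:
        email = norm(row["email"])
        role = row["desired_role"].strip()
        if email in profiles:
            # Existing profile: matched by email at first SSO login, role kept.
            plan["matched"].append((row["system_id"], email, profiles[email]))
        elif role:
            # No profile but needs Admin or higher: send email, system ID, role.
            plan["aot"].append({"email": email, "system_id": row["system_id"], "role": role})
        else:
            # No profile and User-level access is enough: JIT creates it.
            plan["jit"].append((row["system_id"], email))
    # Existing profiles whose email the IdP does not know will not be matched.
    plan["orphaned"] = sorted(e for e in profiles if e not in idp_emails)
    return plan
```

In the sample data, the profile for carol@corp.example.com is reported as orphaned because the IdP knows her as carol@example.com, so her first SSO login would not attach to her existing profile.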

Users with multiple portal access

In some cases, a user might have Admin or higher access to multiple Sertifi portals. When the user logs in with SSO, the user can access each portal they have Admin or higher access to via a dropdown in the top right side of the portal, next to their username.

However, if the user doesn't have Admin or higher access to multiple portals, you have the option for those users to default directly to the portal they have access to. Provide the account you want to serve as the landing page for these users to your Client Success Manager.