*NEW* Configuring Single Sign-On for ContractSafe Accounts

Use your company authentication to log in to ContractSafe

Using SAML 2, ContractSafe allows users to log in with their identity provider, such as Okta or Azure Active Directory. This article provides a step-by-step guide on configuring Single Sign-On (SSO) and covers common troubleshooting issues.


Caution: Before making changes to the SSO settings please make your account SSO Excluded, admin level access is required. Article on how to right Here. 

Tip: If you're upgrading to our new SP-initiated SSO, don't remove the configuration for the existing IdP-initiated SSO until you've confirmed that the new settings are working. We encourage you to create a new app in your identity provider so that you can fully test SSO settings without affecting your users' existing workflow.

When you enter the SSO settings dialog as a customer with an existing SSO integration, you will see two tabs: IdP-initiated (the legacy SSO integration) and SP-initiated (the new SSO integration). The screenshots below only reflect the new SP-initiated settings tab.

Note: SSO is not enabled for Trial Accounts and accounts with subscriptions below the Finalize Plan. 

Need more details? Please contact us at support@contractsafe.com; we will gladly assist you!

Enabling SSO generic Guideline

This is a general guide and should help you configure Single Sign-On for all providers. If you encounter any difficulties please reach out to our support

Now, let's start!

Creating the SSO Provider:

  1. From the Settings page, select the Security & Integrations button.
  2. Click on the Single Sign-On Settings button.
  3. Look for the ContractSafe Metadata URL & Entity ID, and copy the pre-generated URL link.

It is not necessary to enable SSO login at this point. Keep the SSO toggle disabled until you are sure that all the settings below are properly set up, otherwise other users might get locked out from ContractSafe. 

Checking the Email Domain:

  1. In the Single Sign-On Settings dialog, confirm that the Email Domain matches the domain of your users' email addresses.
  2. If incorrect or empty, contact ContractSafe support@contractsafe.com with the desired email domain so that it can be added. 

Only ContractSafe Support is able to add email domains on the account. You will not be able to edit the listed domains or add anything if it is blank.

You may continue configuring and testing single sign-on with your identity provider while support is setting your email domains.

Setting Up Your Identity Provider:

  1. Use the details provided in the Single Sign-On Settings dialog to configure your identity provider.
  2. Add an attribute or claim to the payload you send us with a name of email. This is how your identity provider tells us which user it is.
  3. For some identity providers, the metadata URL may be the best to use, while others may require the ACS URL.
  4. Obtain a metadata URL from your identity provider to provide to ContractSafe to complete the setup.
  5. Paste the metadata URL into the Single Sign-On Settings dialog.

Test the Configuration

  1. Copy the Login URL from the Single Sign-On Settings dialog.
  2. Log out of ContractSafe or open a private browsing window.
  3. Paste the URL into your browser; it should redirect to your identity provider.
  4. After logging in, you should be redirected back to ContractSafe.
  5. If successful, a message confirming SSO is not enabled will appear.

Enabling Single Sign-On:

  1. If the test is successful, go to Settings, then click on Security & Integrations.
  2. Activate the toggle labeled Single Sign-On to enable it for your organization.



Signing and digest algorithms

We do not support the deprecated SHA-1 algorithm. We recommend at least SHA-256.

I need to change my email domain

Email domains must currently be configured by ContractSafe support. To change your email domains, please reach out to support with the email domains that your users should be able to use single sign-on with.

It says an "internal error" has occurred

This is most often caused by the "email" parameter not being configured correctly. Ensure that the email is being passed along in the SAML 2 response in a parameter called "email".

It says "Sign Up Closed"

This page is admittedly confusing; it means that the email address we see in the SSO launch has not been invited to your organization. Ensure that you are sending the correct email address for the user, and ensure that you have invited the user to your organization.

It says "SSO domain does not match"

This happens when your SSO email domain doesn't match the email for the user you're trying to log in with. Confirm that your Identity Provider is sending the correct email address to us, and check your Single Sign-On Settings to make sure that the Email Domain matches. If the email domain is incorrect, please reach out to support to change your email domain.

It says to add my email domain

Awesome, you're well on your way to having single sign-on configured! Now, reach out to support and let them know what email domain you want to use.

My identity provider doesn't give me a metadata URL

Some identity providers, such as Google Workspace, do not give a public metadata URL. If your identity provider doesn't give you a metadata URL for you to set in our configuration, they will usually allow you to download a metadata XML file. Upload this XML to a web server you control, then set that URL as the Metadata URL.

It gives an error when I try to use the Login with SSO Provider button

The Login with SSO Provider button on the login page only works with our service provider-initiated (SP-initiated) single sign-on configuration. If you have only our legacy identity provider-initiated (IdP-initiated) SSO configured, you will get an error that informs you that
"Your organization uses our legacy SSO setup. Please log in via your SSO provider portal or contact your admin to set up SP-initiated SSO for your organization."

If you see this message and would like to use the Login with SSO Provider button on the login page, follow the instructions on this page to set up service provider-initiated single sign-on.

I want to change my legacy IdP-Initiated SSO settings

If you need to change your SSO settings for our legacy identity provider-initiated single sign-on, look for the IdP-initiated tab in the Single Sign-On Settings dialog. Only organizations that previously had SSO set up for their organization will see this tab. If you have a special need to use our legacy IdP-initiated SSO and this tab is not available for you, please contact support.


Additional Support:

For further assistance or questions, please reach out to support@contractsafe.com.