Does Paperform support SSO?

Single Sign-On (SSO) is supported in Paperform on specific pricing plans. Once you add and configure an SSO domain, users who exist in your identity provider can sign in to Paperform through SSO, which Paperform implements with SAML.

Enable SSO

First, you will need to ensure that SSO is enabled. Head to your Account Settings, then look for a page labeled "Single Sign-On (SSO)" in the left-side navigation bar.

Screenshot of Account Settings, with "Single Sign-On (SSO)" appearing as an option in the left-side navigation bar.

If you do not see this option, and you are the account owner (or an account admin), then it is not currently enabled for your account. Depending on your plan, it may be available as an add-on. In this case, you will need to enable it first under Account Settings → Billing. In the "Manage Addons" section, toggle on "Papersign SSO" to add the feature to your plan.

Screenshot of the Billing Page, with the "Paperform SSO" toggle highlighted under "Manage Add-Ons"

Once enabled, you will see "Single Sign-On (SSO)" appear in the left-side navigation bar.

I don't see either option

If you don't have an SSO settings page, it's not listed as an available add-on, and you are the account owner or admin, then it is not supported on your current plan. Review the pricing page for details, and feel free to contact support if you have any questions. You can reach us at support@paperform.co or via the chat icon in the lower-right corner of this page.

Add and verify your SSO domain

Follow these steps to add an SSO domain to your account.

  1. Go to Account Settings → Single Sign-On (SSO), then click the “Add a new domain” button.

    Screenshot of the heading "Manage SSO Domains," followed by a button labeled "Add a new domain"
  2. Enter the domain (without http:// or https://), then click "Add domain."

    Screenshot of the "Create a new SSO domain" window, with the "Domain" set to "example.com"
  3. Next, you will be required to verify your domain. Click “Reveal” to display the verification key, or “Copy” to copy it to the clipboard.

    Screenshot of the "Verify your domain" section, with the "Domain" and "Verification Key" sections, and the buttons "Verify Later," "Verify Now," and "Cancel"

    The next few steps need to be completed outside of Paperform. We recommend leaving this "Verify your domain" window open for now, and completing the next few steps in a new tab or window.

  4. In order for Paperform to verify that the domain belongs to you, you will need to create a TXT record on your website domain. This setup can vary a bit depending on your domain registrar, so you may need to consult their help articles or support team during the following few steps. To get started, log in to the account for your domain registrar (this is typically the company that you purchased your domain from).

  5. On your registrar's site, select the relevant domain, and look for a way to manage the DNS settings. If you don't see anything mentioning "DNS" directly, this page may also have a name like "advanced settings," "name server management," or "control panel."

  6. Create a new TXT record.

  7. The record should include a field called "Name," "Hostname," "Host," or "Alias." Depending on your registrar, you may need to enter the "@" symbol here, your domain name, or a subdomain. Contact support for your domain registrar if it is unclear.

  8. There should also be a field called "Value," "Data," "Answer," or "Destination." Paste the verification key from Paperform here.

  9. Save the TXT record.

  10. If you still have the “Verify your domain” window open, return to it and click the “Verify Now” button. If you chose to “Verify Later,” head back to the Single Sign-On page. Find your domain, then click the “Verify” button.

    Screenshot of the row labeled "example.com" with options to "Verify" or "Connect"

    Please note that it may take some time for your TXT record to be published across all of the required servers. If verification fails, please wait an hour before trying again.

  11. If verification is successful, you will be taken to the "Verification successful" page.

    Screenshot of a page titled "Verification successful," with the domain shown and the options to "Enable Later," "Enable Now," or "Cancel"

    You may choose to enable SSO at this point, or you can wait and enable it later. Users will not be able to sign in with their email address at your domain until it is both verified and enabled.
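
Before clicking “Verify Now” in step 10, you can confirm that the TXT record is already visible from more than one public resolver, which is the propagation delay the note above describes. This is an added example, not Paperform code: it parses `dig +short TXT` output captured per resolver, and the key value, sample answers, and function names are constructed for illustration.

```python
import shlex

def txt_values(dig_output):
    """Turn `dig +short TXT <domain>` output into one string per TXT record.

    Each line is one record. A record longer than 255 bytes is printed as
    several quoted chunks on that line, which must be joined before comparing.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):  # skip blanks and dig comments
            records.append("".join(shlex.split(line)))
    return records

def resolvers_missing_key(answers, verification_key):
    """Return the resolvers whose TXT answer lacks an exact match for the key."""
    return sorted(resolver for resolver, output in answers.items()
                  if verification_key not in txt_values(output))

# Constructed sample: a placeholder key and answers as they might look while
# the record is still propagating. Captured with, for example:
#   dig +short TXT example.com @1.1.1.1
SAMPLE_KEY = "EXAMPLE-VERIFICATION-KEY-0000"
SAMPLE_ANSWERS = {
    "1.1.1.1": '"v=spf1 include:_spf.example.net ~all"\n"EXAMPLE-VERIFICATION-KEY-0000"\n',
    "8.8.8.8": '"v=spf1 include:_spf.example.net ~all"\n',
}

if __name__ == "__main__":
    print("still waiting on:", resolvers_missing_key(SAMPLE_ANSWERS, SAMPLE_KEY))
```

The comparison is an exact match, so a key pasted with a stray space or cut short is reported as missing rather than silently accepted.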

Enable or disable auto-provisioning

Auto-provisioning allows an account on Paperform to be automatically created when a user who is authenticated with your domain logs in for the first time. Please keep in mind that the creation of new sub-user accounts will affect the total price of your Paperform plan.

After enabling SSO, you have the option to enable or disable auto-provisioning. You can also choose to set it up later.

Screenshot of the "Setup auto provisioning" page

If you disable auto-provisioning, then you will need to add accounts manually. You can do this via the Manage Users page.

Turning on auto-provisioning requires default roles to be set for any new user account created on Paperform. For more information on how each of these roles works, as well as an overview of teams and users, please see our guide to managing users and teams.

Connect and Test

In order for your users to successfully authenticate with your identity provider, Paperform needs to be connected to it. This is done with SAML (Security Assertion Markup Language).

Please note: you will only be able to connect your domain once it has been verified.

There are two options for providing the required information so that Paperform can connect to your identity provider:

  • IDP Metadata URL
  • Metadata XML

IDP Metadata URL is a URL supplied by your identity provider that serves the necessary information. If you have this URL, enter it here.

Metadata XML is the raw metadata that may come from a downloaded file. It will look similar to the following (this is an example only):

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://my.example.com/entityid" validUntil="2033-10-23T04:15:46.628Z">
	<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo>
			<ds:X509Data>
			<ds:X509Certificate>
			MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4 MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0 RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd 4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b 2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW 5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4 khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==
			</ds:X509Certificate>
			</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:NameIDFormat>
			urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
		</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/api/saml/sso"/>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/api/saml/sso"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>

Enter a source for the metadata, then click “Connect now.”

Failed connection

If the connection fails, it could be for one of the following reasons:

  • The URL you have supplied is invalid.
  • The metadata is invalid.
  • A domain already exists that uses the same SAML entity ID from the supplied metadata. This needs to be unique for each domain.
  • You don’t have authorization to connect your supplied domain.
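
Several of these failures can be caught locally before you paste the metadata. The following is an added example, not Paperform's own validation: it reads a SAML 2.0 IdP metadata document and reports the entity ID, expiry, signing certificate presence, and SSO endpoints. The function name, the checks chosen, and the sample document (with a placeholder certificate) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_idp_metadata(xml_text, now=None):
    """Return (summary, problems) for one SAML 2.0 IdP EntityDescriptor."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {}, [f"not well-formed XML: {exc}"]
    summary = {"entity_id": root.get("entityID"), "signing_certs": 0, "sso": []}
    problems = [] if summary["entity_id"] else ["missing entityID"]
    valid_until = root.get("validUntil")
    if valid_until:
        try:
            if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
                problems.append(f"metadata expired at {valid_until}")
        except (ValueError, TypeError):
            problems.append(f"unparseable validUntil: {valid_until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return summary, problems + ["no md:IDPSSODescriptor found"]
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        # A KeyDescriptor without a "use" attribute covers signing too.
        if kd.get("use") in (None, "signing") and cert.strip():
            summary["signing_certs"] += 1
    if not summary["signing_certs"]:
        problems.append("no signing certificate")
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        summary["sso"].append((svc.get("Binding", "").rsplit(":", 1)[-1], location))
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint is not HTTPS: {location}")
    if not summary["sso"]:
        problems.append("no SingleSignOnService endpoint")
    return summary, problems

# Constructed sample; the certificate text is a placeholder, not a real key.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.example.com/entityid" validUntil="2033-10-23T04:15:46.628Z">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </md:KeyDescriptor><md:SingleSignOnService Location="https://idp.example.com/sso"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Comparing the reported `entity_id` against the one used by your other SSO domains covers the uniqueness requirement listed above. For metadata obtained from a source you do not control, parse it with a hardened XML parser such as `defusedxml` instead of the standard library.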

Successful connection

When your domain is successfully connected, you will be given the option to test your connection with a valid email address at your SSO domain.

Screenshot of the example page, "example.com is connected," with the options to test the connection, replace the connection for this domain, or continue to the next page

Once you click the "Test" button, you will be prompted for authorization in a new window (if you are not already logged in). If authorization is successful, a success message will be displayed.

Screenshot of the same "example.com is connected" page, with the text "Success!" appearing next to the "Test" button

If you need to replace your connection for this SSO domain, click on the “Replace connection for this domain” button. The connection will not actually be replaced until you enter a new source for your metadata and click on the “Connect now” button. However, please note that if the connection fails while you are replacing it, your domain will no longer be connected and users will be unable to log in with that domain.

Click “Next” to complete the setup.

Screenshot of the "Setup complete" page, with some text and a button labeled "Done"

Logging In

Once your domain is set up, enabled, and connected, users can log in by clicking on the “Continue with SSO” button on the main login page.

Screenshot of the standard login page for Paperform; the option "Continue with SSO" is visible under the "Continue with Google" button

You can also log in with SSO directly via the SSO login page.

Screenshot of a simpler login page ("Continue to Paperform with SSO") with a space for email address and a "Continue" button